5 vulnerabilities (2 moderate, 3 high) in download-git-repo inside @vue/cli

[GiovanaNp1]

Version

5.0.8

Environment info

Environment Info:

  System:
    OS: macOS 12.6
    CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
  Binaries:
    Node: 16.17.0 - ~/.nvm/versions/node/v16.17.0/bin/node
    Yarn: 1.22.10 - /usr/local/bin/yarn
    npm: 8.15.0 - ~/.nvm/versions/node/v16.17.0/bin/npm
  Browsers:
    Chrome: 100.0.4896.75
    Edge: Not Found
    Firefox: 105.0.1
    Safari: 16.0
  npmPackages:
    @carbon/icons-vue: ^10.56.0 => 10.58.0 (10.56.0)
    @carbon/vue: ^2.44.1 => 2.44.1 
    @vue/babel-helper-vue-jsx-merge-props:  1.4.0 
    @vue/babel-helper-vue-transform-on:  1.0.2 
    @vue/babel-plugin-jsx:  1.1.1 
    @vue/babel-plugin-transform-vue-jsx:  1.4.0 
    @vue/babel-preset-app:  5.0.8 
    @vue/babel-preset-jsx:  1.4.0 
    @vue/babel-sugar-composition-api-inject-h:  1.4.0 
    @vue/babel-sugar-composition-api-render-instance:  1.4.0 
    @vue/babel-sugar-functional-vue:  1.4.0 
    @vue/babel-sugar-inject-h:  1.4.0 
    @vue/babel-sugar-v-model:  1.4.0 
    @vue/babel-sugar-v-on:  1.4.0 
    @vue/cli: ^5.0.8 => 5.0.8 
    @vue/cli-overlay:  5.0.8 
    @vue/cli-plugin-babel: ^5.0.0 => 5.0.8 
    @vue/cli-plugin-router:  5.0.8 
    @vue/cli-plugin-vuex:  5.0.8 
    @vue/cli-service: ^5.0.8 => 5.0.8 
    @vue/cli-shared-utils:  5.0.8 
    @vue/cli-ui:  5.0.8 
    @vue/cli-ui-addon-webpack:  5.0.8 
    @vue/cli-ui-addon-widgets:  5.0.8 
    @vue/compiler-core:  3.2.40 
    @vue/compiler-dom:  3.2.40 
    @vue/compiler-sfc: ^3.0.4 => 3.2.40 (2.7.10)
    @vue/compiler-ssr:  3.2.40 
    @vue/component-compiler-utils:  3.3.0 
    @vue/eslint-config-prettier: ^4.0.1 => 4.0.1 
    @vue/reactivity-transform:  3.2.40 
    @vue/shared:  3.2.40 
    @vue/test-utils: 1.0.0-beta.29 => 1.0.0-beta.29 
    @vue/web-component-wrapper:  1.3.0 
    eslint-plugin-vue: ^9.5.1 => 9.5.1 
    typescript:  4.5.5 
    vue: ^2.6.12 => 2.7.10 
    vue-codemod:  0.0.5 
    vue-cookies: ^1.7.4 => 1.8.1 
    vue-eslint-parser:  9.1.0 
    vue-hot-reload-api:  2.3.4 
    vue-loader:  17.0.0 (15.10.0)
    vue-pdf-app: ^2.1.0 => 2.1.0 
    vue-router: ^3.5.2 => 3.6.5 
    vue-style-loader:  4.1.3 
    vue-template-compiler: ^2.6.12 => 2.7.10 
    vue-template-es2015-compiler:  1.9.1 
    vuex: ^3.1.2 => 3.6.2 
    vuex-persist: ^3.1.3 => 3.1.3 
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

npm audit

What is expected?

0 vunerabilitty

What is actually happening?

5 vunerability in packages inside the project

[GiovanaNp1]

@MartijnCuppens Can You help-me?

[GiovanaNp1]

@yyx990803 Can you help-me?

[2cb-log]

Your question is rather vague, so I'm not sure if this helps:

• Following the recommended npm action npm audit fix does indeed shrink the dependency issues from:

  6 vulnerabilities (2 moderate, 3 high, 1 critical)

down to:

`5 vulnerabilities (2 moderate, 3 high)`

• Next, you might find that the vue create [_your-app_] doesn't do anything at all. Running it via npx was effective in not only downloading more dependencies but pointing out and prompting to remove an old cruft config file:

  npx vue create [_your-app_]

With the Vue ecosystem moving towards Vite for bundling and running apps, I wouldn't have chosen the Vue CLI at this point but a leading cloud platform is surprisingly still featuring the tool in their main Vue tutorial. All good though when you can get this result:

INFO Starting development server...

DONE Compiled successfully in 16429ms

App running at:

• Local: h++p://localhost:8080/

[GiantVlad]

I have the same issue. @vue/cli * Depends on vulnerable versions of download-git-repo