Open sfcollins-v8m opened 8 months ago
aight cuh, you gotta switch the moderators with the crypto currency so that it's 42 High and 3 moderate
At this moment the last PR that was accepted is:
https://github.com/vuejs/vue-cli/pull/7324
merged by @sodatea into dev from dependabot/npm_and_yarn/loader-utils-1.4.1 on Nov 9, 2022
In the README you can read that Vue CLI is now in maintenance mode, so you should migrate and remove this package.
Is there a solution for this yet?
Version
5.0.8
Reproduction link
Environment info
Steps to reproduce
Run npm audit on any application using @vue/cli-plugin-unit-mocha and @vue/cli-service - Version 5.0.8
Output:
High minimatch ReDoS vulnerability
Package minimatch
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > glob > minimatch
More info https://github.com/advisories/GHSA-f8q6-p94x-37v3
High minimatch ReDoS vulnerability
Package minimatch
Patched in >=3.0.5
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > minimatch
More info https://github.com/advisories/GHSA-f8q6-p94x-37v3
Moderate Exposure of Sensitive Information to an Unauthorized Actor in nanoid
Package nanoid
Patched in >=3.1.31
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > nanoid
More info https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
Moderate PostCSS line return parsing error
Package postcss
Patched in >=8.4.31
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > @vue/component-compiler-utils > postcss
More info https://github.com/advisories/GHSA-7fh5-64p2-3v2j
Moderate PostCSS line return parsing error
Package postcss
Patched in >=8.4.31
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > @vue/vue-loader-v15 >@vue/component-compiler-utils > postcss
More info https://github.com/advisories/GHSA-7fh5-64p2-3v2j
What is expected?
There should not be any vulnerabilities
What is actually happening?
There are existing vulnerabilities
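An added example, not part of the original issue or of the Vue CLI project: a small Node.js parser for the plain-text audit records in the report above, which groups findings by the direct dependency that pulls them in and keeps track of records that list no "Patched in" range. The names `parseAudit` and `byRoot` are hypothetical, and the sample input is constructed from three of the records in the report.

```javascript
// Parses plain-text `npm audit` records (layout as pasted in the issue) into objects.
// SAMPLE is constructed from three of the records in the report.
const SAMPLE = `High minimatch ReDoS vulnerability
Package minimatch
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > glob > minimatch
More info https://github.com/advisories/GHSA-f8q6-p94x-37v3
Moderate Exposure of Sensitive Information to an Unauthorized Actor in nanoid
Package nanoid
Patched in >=3.1.31
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > nanoid
More info https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
Moderate PostCSS line return parsing error
Package postcss
Patched in >=8.4.31
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > @vue/vue-loader-v15 >@vue/component-compiler-utils > postcss
More info https://github.com/advisories/GHSA-7fh5-64p2-3v2j`;

const FIELDS = { 'Package': 'pkg', 'Patched in': 'patchedIn', 'Dependency of': 'root', 'Path': 'path', 'More info': 'advisory' };

function parseAudit(text) {
  const findings = [];
  for (const line of text.split('\n').map((l) => l.trim()).filter(Boolean)) {
    const head = /^(Critical|High|Moderate|Low)\s+(.+)$/.exec(line);
    if (head) { findings.push({ severity: head[1], title: head[2], patchedIn: null }); continue; }
    const cur = findings[findings.length - 1];
    const label = Object.keys(FIELDS).find((k) => line.startsWith(k + ' '));
    if (!cur || !label) continue; // ignore lines outside a record
    let value = line.slice(label.length + 1).trim();
    if (label === 'Dependency of') { cur.devOnly = /\[dev\]$/.test(value); value = value.replace(/\s*\[dev\]$/, ''); }
    if (label === 'Path') value = value.split('>').map((s) => s.trim()); // tolerate a missing space around '>'
    if (label === 'More info') value = value.split('/').pop(); // keep only the GHSA id
    cur[FIELDS[label]] = value;
  }
  return findings;
}

// Group by the direct dependency that pulls the finding in: that is the package to upgrade or replace.
function byRoot(findings) {
  const out = {};
  for (const f of findings) (out[f.root] = out[f.root] || []).push(`${f.severity} ${f.pkg} ${f.advisory} depth=${f.path.length - 1}`);
  return out;
}

console.log(byRoot(parseAudit(SAMPLE)));
```

A record whose `patchedIn` stays `null` is one where the pasted report gave no fixed range, so it needs a manual look at the linked advisory.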