vulnerabilities with got, git-clone, and http-cache-semantics

[Tri-Vi]

Version

5.0.8

Environment info

Dev and Production

Steps to reproduce

npm audit

What is expected?

0 vunerabilitty

What is actually happening?

I am writing to report vulnerabilities in dependencies of Vue CLI that have been identified through npm audit. These vulnerabilities pose a risk to the security of Vue CLI and projects using it.

git-clone:

• Severity: High
• Vulnerability: Command injection (https://github.com/advisories/GHSA-8jmw-wjr8-2x66)
• Affected Versions: 0.1.0 (used by download-git-repo in Vue CLI)
• Recommended Action: Update to version 0.2.0 or newer, if available.

got:

• Severity: High
• Vulnerability: Allows a redirect to a UNIX socket (https://github.com/advisories/GHSA-pfrx-2q88-qq97)
• Affected Versions: <=11.8.3 (used by download in Vue CLI)
• Recommended Action: Update to version 14.3.0 or newer, if available.

http-cache-semantics:

• Severity: High
• Vulnerability: Regular Expression Denial of Service (https://github.com/advisories/GHSA-rc47-6667-2j5j)
• Affected Versions: <4.1.1 (used by cacheable-request in Vue CLI)
• Recommended Action: Update to version 4.1.1 or newer, if available.

---

I kindly request that these vulnerabilities be addressed in the next release of Vue CLI

[Tri-Vi]

Closing this ticket as resolved