Closed zgmrvn-svg closed 4 years ago
Please don't open an issue if there is already a PR and search existing issues before opening one
Yep, sorry. For people landing here: https://github.com/vuejs/vue/pull/11434
Version
2.6.11
Reproduction link
https://www.npmjs.com/advisories/1548
Steps to reproduce
vue-server-renderer uses the serialize-javascript package that, prior to its v3.1.0, has a code execution vulnerability. This vulnerability affects other projects that make use of Vue's SSR feature like Nuxt and Gridsome.
NPM report https://www.npmjs.com/advisories/1548
PR https://github.com/vuejs/vue/pull/11589
What is expected?
Upgrade serialize-javascript dependency to 3.1.0 or 4.0.0
What is actually happening?
Projects based on Vue are potentially suffering from a code injection/execution vulnerability and won't pass yarn audit
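
To check whether a project still resolves a serialize-javascript release older than the 3.1.0 named above, and through which dependency, the following added example (not code from this issue or from the Vue project) scans a parsed package-lock.json. The function names `isBelowFixed` and `findVulnerable` and the sample lockfile are constructed for illustration.

```javascript
// Added example. The 3.1.0 threshold is the fixed version named in the issue.
const FIXED = [3, 1, 0];

// True when an "x.y.z" version is lower than FIXED; non-semver specs
// (git URLs, tarballs) are skipped rather than guessed at.
function isBelowFixed(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version || '');
  if (!m) return false;
  for (let i = 0; i < 3; i++) {
    const part = Number(m[i + 1]);
    if (part !== FIXED[i]) return part < FIXED[i];
  }
  return false;
}

// Accepts a parsed package-lock.json: lockfileVersion 1 (nested
// "dependencies") or 2/3 (flat "packages" keyed by install path).
function findVulnerable(lock, name = 'serialize-javascript') {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + name) && isBelowFixed(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = trail.concat(dep);
      if (dep === name && isBelowFixed(meta.version)) {
        hits.push({ path: path.join(' > '), version: meta.version });
      }
      walk(meta.dependencies, path);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []); // v1 only, avoids double counting
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'serialize-javascript': { version: '4.0.0' },
    'vue-server-renderer': {
      version: '2.6.11',
      dependencies: { 'serialize-javascript': { version: '2.1.2' } },
    },
  },
};

console.log(findVulnerable(SAMPLE_LOCK));
```

The reported path shows which parent package pins the old copy, which is the package that needs the upgrade or a resolution override.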