vuejs / vue

This is the repo for Vue 2. For Vue 3, go to https://github.com/vuejs/core
http://v2.vuejs.org
MIT License

Upgrade serialize-javascript dependency to fix high severity vulnerability #11591

Closed zgmrvn-svg closed 4 years ago

zgmrvn-svg commented 4 years ago

Version

2.6.11

Reproduction link

https://www.npmjs.com/advisories/1548

Steps to reproduce

vue-server-renderer uses the serialize-javascript package that, prior to its v3.1.0, has a code execution vulnerability. This vulnerability affects other projects that make use of Vue's SSR feature like Nuxt and Gridsome.

NPM report https://www.npmjs.com/advisories/1548

PR https://github.com/vuejs/vue/pull/11589

What is expected?

Upgrade serialize-javascript dependency to 3.1.0 or 4.0.0

What is actually happening?

Projects based on Vue are potentially suffering from a code injection/execution vulnerability and won't pass yarn audit
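One way to check a project for the dependency described in this issue, as an added example that is neither the reporter's nor the Vue project's code: a small Node.js script that parses a yarn.lock (v1 format) and reports any serialize-javascript entry resolved below 3.1.0. The package name and fixed version come from the issue; the lockfile content is constructed.

```javascript
// Added example (not the Vue project's code): scan a yarn.lock v1 file for
// serialize-javascript entries resolved below the fixed version 3.1.0.
const PKG = 'serialize-javascript';
const FIXED = [3, 1, 0];
// Minimal yarn.lock v1 parser: one {name, version} per resolved entry.
// Header lines are unindented (`"@scope/pkg@^1.0.0", pkg@^2.0.0:`) and the
// resolved version follows on an indented `version "x.y.z"` line.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const spec = line.replace(/:\s*$/, '').split(',')[0].trim().replace(/^"|"$/g, '');
      const at = spec.lastIndexOf('@'); // scoped names keep their leading '@'
      current = { name: spec.slice(0, at), version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries.filter(e => e.version !== null);
}
// Numeric compare of major.minor.patch; missing components count as 0 and a
// pre-release suffix such as "3.1.0-rc.1" is treated as its base version.
function parseVersion(v) {
  const p = v.split('.').map(n => parseInt(n, 10) || 0);
  return [p[0] || 0, p[1] || 0, p[2] || 0];
}
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}
// Versions of `pkg` in the lockfile that are still below `fixed`.
function findVulnerable(lockText, pkg = PKG, fixed = FIXED) {
  return parseYarnLock(lockText)
    .filter(e => e.name === pkg && lessThan(parseVersion(e.version), fixed))
    .map(e => e.version);
}
// Constructed sample lockfile (a real one also carries resolved/integrity lines).
const SAMPLE_LOCK = `# yarn lockfile v1

serialize-javascript@^2.1.2:
  version "2.1.2"
serialize-javascript@^4.0.0:
  version "4.0.0"
vue-server-renderer@^2.6.11:
  version "2.6.11"
  dependencies:
    serialize-javascript "^2.1.2"
`;
console.log('vulnerable serialize-javascript versions:', findVulnerable(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file's contents; an empty result means every resolved serialize-javascript is at or above the fixed version.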

posva commented 4 years ago

Please don't open an issue if there is already a PR and search existing issues before opening one

zgmrvn-svg commented 4 years ago

Yep, sorry. For people landing here: https://github.com/vuejs/vue/pull/11434