
Dependency on vulnerable version of vue-template-compiler #4610

Closed
JuanJoseGonGi opened this issue Jul 23, 2024 · 5 comments · Fixed by #4613
JuanJoseGonGi commented Jul 23, 2024

Vue - Official extension or vue-tsc version

vue-tsc

VSCode version

1.91.1

Vue version

2.7

TypeScript version

5.4.2

System Info

System:
    OS: macOS 14.5
    CPU: (8) arm64 Apple M1
    Memory: 49.92 MB / 16.00 GB
    Shell: 3.7.1 - /opt/homebrew/bin/fish
  Binaries:
    Node: 18.18.2 - ~/.asdf/installs/nodejs/18.18.2/bin/node
    npm: 9.8.1 - ~/.asdf/plugins/nodejs/shims/npm
    pnpm: 9.5.0 - /opt/homebrew/bin/pnpm
    bun: 1.0.1 - ~/.bun/bin/bun
  Browsers:
    Chrome: 127.0.6533.72
    Edge: 126.0.2592.113
    Safari: 17.5

Steps to reproduce

Run npm audit on a project with a vue-tsc dependency

What is expected?

It should not contain any vulnerability alerts

What is actually happening?

vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS) - https://github.com/advisories/GHSA-g3ch-rx76-35fx
fix available via npm audit fix
node_modules/vue-template-compiler
  @vue/language-core  *
  Depends on vulnerable versions of vue-template-compiler
  node_modules/@vue/language-core
    @vue/typescript  *
    Depends on vulnerable versions of @vue/language-core
    node_modules/@vue/typescript
      vue-tsc  >=1.7.0-alpha.0
      Depends on vulnerable versions of @vue/language-core
      Depends on vulnerable versions of @vue/typescript
      node_modules/vue-tsc

Link to minimal reproduction

No response

Any additional comments?

client-side Cross-Site Scripting (XSS) on vue-template-compiler - GHSA-g3ch-rx76-35fx
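The audit output above only says that vue-tsc "depends on vulnerable versions" several levels down. What a maintainer of the consuming project actually needs is (a) which direct dependency pulls the flagged package in, since that is the only thing they can bump, and (b) whether the version pinned in the lockfile is at or above the version that carries the fix. The following is an added example written for this page, not code from the vue-tsc project or from the issue. The audit report and lockfile objects are constructed by hand: the report follows the shape `npm audit --json` emits on npm 7+ (one entry per flagged package, `effects` edges pointing at dependents, `isDirect` on packages listed in package.json), and the installed vue-tsc version in the lockfile is an assumed value chosen to sit below the fix.

```javascript
// Added example (not from the vue-tsc issue or project): trace an npm audit
// finding back to the direct dependency that installs it, then check the
// lockfile against the version named as fixed.

// Constructed audit report in the `npm audit --json` (npm 7+) shape. Package
// names and the advisory URL are the ones from the issue; everything else is
// assumed.
const CONSTRUCTED_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "vue-template-compiler": {
      name: "vue-template-compiler",
      severity: "moderate",
      isDirect: false,
      via: [{
        name: "vue-template-compiler",
        url: "https://github.com/advisories/GHSA-g3ch-rx76-35fx",
        title: "vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)",
        range: "*",
      }],
      effects: ["@vue/language-core"],
      range: "*",
    },
    "@vue/language-core": { name: "@vue/language-core", isDirect: false,
      via: ["vue-template-compiler"], effects: ["@vue/typescript", "vue-tsc"], range: "*" },
    "@vue/typescript": { name: "@vue/typescript", isDirect: false,
      via: ["@vue/language-core"], effects: ["vue-tsc"], range: "*" },
    "vue-tsc": { name: "vue-tsc", isDirect: true,
      via: ["@vue/language-core", "@vue/typescript"], effects: [], range: ">=1.7.0-alpha.0" },
  },
};

// Constructed package-lock.json (lockfileVersion 3 layout); the installed
// vue-tsc version is an assumed value older than the fix.
const CONSTRUCTED_LOCK = {
  lockfileVersion: 3,
  packages: { "node_modules/vue-tsc": { version: "2.0.26" } },
};

// Walk the "effects" edges upward from `pkg` and return, sorted, the direct
// dependencies through which the flagged package ends up installed.
function directDependentsOf(audit, pkg) {
  const vulns = audit.vulnerabilities;
  const seen = new Set([pkg]);
  const queue = [pkg];
  const direct = new Set();
  while (queue.length > 0) {
    const name = queue.shift();
    const entry = vulns[name];
    if (!entry) continue; // edge to a package absent from the report
    if (entry.isDirect) direct.add(name);
    for (const dependent of entry.effects || []) {
      if (!seen.has(dependent)) { seen.add(dependent); queue.push(dependent); }
    }
  }
  return [...direct].sort();
}

// Root-cause advisories for `pkg`. npm puts a real advisory in "via" as an
// object and a transitive cause as a bare package-name string, so only the
// objects carry a URL.
function advisoryUrlsFor(audit, pkg) {
  const entry = audit.vulnerabilities[pkg];
  if (!entry) return [];
  return entry.via.filter((v) => typeof v === "object" && v.url).map((v) => v.url);
}

// Minimal semver ordering: numeric major.minor.patch; a prerelease sorts below
// the same core version without one; prerelease identifiers compare
// numerically when both are numbers, numeric before alphanumeric otherwise.
// Build metadata is ignored and ranges are not handled. Returns -1, 0 or 1.
function compareSemver(a, b) {
  const parse = (v) => {
    const noBuild = v.split("+")[0];
    const dash = noBuild.indexOf("-");
    const core = dash === -1 ? noBuild : noBuild.slice(0, dash);
    const pre = dash === -1 ? [] : noBuild.slice(dash + 1).split(".");
    return { core: core.split(".").map(Number), pre };
  };
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    const xi = x.core[i] || 0, yi = y.core[i] || 0;
    if (xi !== yi) return xi > yi ? 1 : -1;
  }
  if (x.pre.length === 0 || y.pre.length === 0) return Math.sign(y.pre.length - x.pre.length);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;
    if (q === undefined) return 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (Number(p) !== Number(q)) return Number(p) > Number(q) ? 1 : -1; }
    else if (pn !== qn) return pn ? -1 : 1;
    else if (p !== q) return p > q ? 1 : -1;
  }
  return 0;
}

// Installed version of a direct dependency from the lockfile, and whether it
// is at or above `fixedVersion` (null when no fixed version is known).
function lockfileSatisfiesFix(lock, pkg, fixedVersion) {
  const entry = lock.packages[`node_modules/${pkg}`];
  if (!entry) return { installed: null, fixed: false };
  const fixed = fixedVersion ? compareSemver(entry.version, fixedVersion) >= 0 : null;
  return { installed: entry.version, fixed };
}

// One row per direct dependency that needs a bump for the flagged package.
function triage(audit, lock, vulnerablePkg, fixes) {
  return directDependentsOf(audit, vulnerablePkg).map((dep) => ({
    dependency: dep,
    advisories: advisoryUrlsFor(audit, vulnerablePkg),
    ...lockfileSatisfiesFix(lock, dep, fixes[dep]),
  }));
}

// The fixed version here is the one the maintainer names later in the thread.
const FIXES = { "vue-tsc": "2.0.29" };
console.log(JSON.stringify(triage(CONSTRUCTED_AUDIT, CONSTRUCTED_LOCK, "vue-template-compiler", FIXES), null, 2));
```

To run it against a real project, replace the two constructed objects with `JSON.parse` of `npm audit --json` output and of package-lock.json; the graph walk and the version comparison do not change. The semver comparison is deliberately small and is not a substitute for the `semver` package when ranges or build metadata matter.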


Plasma commented Jul 24, 2024

The CVE indicates it's fixed in 3.0.0; however, that is not a version on npm. Instead it is found at https://www.herodevs.com/support/nes-vue


reesscot commented Jul 24, 2024

Any update on this issue?

leeobrum commented

I have the same problem. Any solution?


aoor9 commented Jul 24, 2024

The CVE indicates it's fixed in 3.0.0; however, that is not a version on npm. Instead it is found at https://www.herodevs.com/support/nes-vue

This is ridiculous. What's the point of keeping a dep for an EOL framework? Just let those guys make a parallel project for vue2 and terminate its support on this. (Also, no offense, but I see not only that they can't make a public release, but that they don't even know the difference between a major and a patch.)

@johnsoncodehk johnsoncodehk linked a pull request Jul 25, 2024 that will close this issue
johnsoncodehk (Member) commented

Please update vue-tsc to 2.0.29.

6 participants