Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security issue with css-what in @vue/cli-service 4.5.13 #6523

Closed
ahermant opened this issue Jun 8, 2021 · 12 comments
Closed

Security issue with css-what in @vue/cli-service 4.5.13 #6523

ahermant opened this issue Jun 8, 2021 · 12 comments

Comments

@ahermant
Copy link

ahermant commented Jun 8, 2021

Version

4.5.13

Reproduction link

https://github.com/ahermant/vue-cli-service-issue

Environment info

Environment Info:

  System:
    OS: macOS 11.2.2
    CPU: (16) x64 Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
  Binaries:
    Node: 12.21.0 - ~/.nvm/versions/node/v12.21.0/bin/node
    Yarn: 1.22.10 - /usr/local/bin/yarn
    npm: 6.14.11 - ~/.nvm/versions/node/v12.21.0/bin/npm
  Browsers:
    Chrome: 91.0.4472.77
    Edge: Not Found
    Firefox: 89.0
    Safari: 14.0.3
  npmPackages:
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-helper-vue-transform-on:  1.0.2 
    @vue/babel-plugin-jsx:  1.0.6 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  4.5.13 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli-overlay:  4.5.13 
    @vue/cli-plugin-babel: ~4.5.0 => 4.5.13 
    @vue/cli-plugin-eslint: ~4.5.0 => 4.5.13 
    @vue/cli-plugin-router:  4.5.13 
    @vue/cli-plugin-vuex:  4.5.13 
    @vue/cli-service: ~4.5.0 => 4.5.13 
    @vue/cli-shared-utils:  4.5.13 
    @vue/component-compiler-utils:  3.2.0 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/web-component-wrapper:  1.3.0 
    eslint-plugin-vue: ^6.2.2 => 6.2.2 
    vue: ^2.6.11 => 2.6.14 
    vue-eslint-parser:  7.6.0 
    vue-hot-reload-api:  2.3.4 
    vue-loader:  15.9.7 (16.2.0)
    vue-style-loader:  4.1.3 
    vue-template-compiler: ^2.6.11 => 2.6.14 
    vue-template-es2015-compiler:  1.9.1 
  npmGlobalPackages:
    @vue/cli: 4.5.13

Steps to reproduce

run yarn audit or npm audit on a project with @vue/cli-service 4.5.13

What is expected?

No security issue

What is actually happening?

4 security issues spotted on css-what
@jeanrp
Copy link

jeanrp commented Jun 8, 2021

Same problem here

@MateusGaldinoLG
Copy link

i have here the same problem. NPM gives a link explaining what is wrong with css-what: https://www.npmjs.com/advisories/1754.
the fix is to update the css-what version to its new version (5.0.1)

@echojoshchen
Copy link

I see this issue as well, and another vulnerability has been reported for normalize-url.

@Halceyon
Copy link

I'm seeing the same for normalize-url on v4.5.13:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ normalize-url │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @vue/cli-service > @intervolga/optimize-cssnano-plugin > │
│ │ cssnano > cssnano-preset-default > postcss-normalize-url > │
│ │ normalize-url │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1755
└───────────────┴──────────────────────────────────────────────────────────────┘

@alimony
Copy link

alimony commented Jun 18, 2021

How is a high severity vulnerability in one of the most popular JS frameworks not fixed ten days after the issue is opened?

@Lissy93 Lissy93 mentioned this issue Jun 26, 2021
Closed
@mtermoul
Copy link

I have the same issue here. npm audit is saying:

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install @vue/cli-service@3.12.1, which is a breaking change
node_modules/svgo/node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 2.3.0
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          @intervolga/optimize-cssnano-plugin  >=1.0.2
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/@intervolga/optimize-cssnano-plugin
            @vue/cli-service  *
            Depends on vulnerable versions of @intervolga/optimize-cssnano-plugin
            Depends on vulnerable versions of copy-webpack-plugin
            Depends on vulnerable versions of cssnano
            Depends on vulnerable versions of globby
            Depends on vulnerable versions of webpack-dev-server
            node_modules/@vue/cli-service
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano

And when I do npm ls css-what I got the following

└─┬ @vue/cli-service@4.5.13
  ├─┬ @intervolga/optimize-cssnano-plugin@1.0.6
  │ └─┬ cssnano-preset-default@4.0.8
  │   └─┬ postcss-svgo@4.0.3
  │     └─┬ svgo@1.3.2
  │       └─┬ css-select@2.1.0
  │         └── css-what@3.4.2
  └─┬ html-webpack-plugin@3.2.0
    └─┬ pretty-error@2.1.2
      └─┬ renderkid@2.0.7
        └─┬ css-select@4.1.3
          └── css-what@5.0.1

So obviously @vue/cli-service@4.5.13 need to use a different version of css-what to fix the issue.

@dosstx
Copy link

dosstx commented Jun 30, 2021

Please keep us updated.

@nguyenlam123
Copy link

Also experiencing this using yarn. Does anyone have a suggested workaround in the mean time? Ideally, one should use the next version, but I am asking since the issue has been opened a "while"(all is relative right? 😄).

@wforbes
Copy link

wforbes commented Jul 2, 2021
edited
Loading

"css-select" is still calling for ^5.0.0 and that's what's directly using "css-what" here
So, even though "css-what" fixed the linear parsing issue and updated to 5.0.1 on 5/28, we'll be getting this warning until "css-select" accepts this pull request fb55/css-select#489 .... or this one ... fb55/css-select#490 lol

(css-what fix fb55/css-what@4cdaacf )

@jgunawancode
Copy link

jgunawancode commented Jul 8, 2021
edited
Loading

Isn't the issue stem from vue-cli-service has a dependency on "@intervolga/optimize-cssnano-plugin"? That library has dependencies that depends on old version of "css-what". That library also has not been updated for 3+ years, maybe vue-cli-service needs to remove dependency to "@intervolga/optimize-cssnano-plugin" and use any of the library below?

https://github.com/webpack-contrib/css-minimizer-webpack-plugin#readme
https://github.com/NMFR/optimize-css-assets-webpack-plugin

@HotchaiLLC
Copy link

For some reason, the security issue with css-what was gone in my environment...
How about you guys?

@alimony
Copy link

alimony commented Jul 20, 2021

@HotchaiLLC Not seeing this anymore, I guess some of the downstream dependencies were finally updated.

undergroundwires added a commit to undergroundwires/privacy.sexy that referenced this issue Aug 4, 2023
@undergroundwires
Audit only production dependencies
2a1282f 
Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.

The reasons include:

- Vulnerabilities in developer dependencies cause pipelines to fail
  on every run.
- This is caused by dependencies such that lack resolution from the
  developers. Vue developers consider `npm audit` broken design and do
  not prioritize solutions. Discussions: vuejs/vue-cli#6637,
  vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
  vuejs/vue-cli#6523, vuejs/vue-cli#6486.
- Development packages are not relevant for the production payload.
- False positives create behavior of ignoring them completely instead of
  taking action, which creates a security vulnerability itself.

`npm audit --omit=dev` is used instead of `npm audit --production` which
is deprecated as of npm v8.7.0 npm/cli#4744.
undergroundwires added a commit to undergroundwires/privacy.sexy that referenced this issue Aug 4, 2023
@undergroundwires
Audit only production dependencies
eeadfde 
Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.

The reasons include:

- Vulnerabilities in developer dependencies cause pipelines to fail
  on every run.
- This is caused by dependencies such that lack resolution from the
  developers. Vue developers consider `npm audit` broken design and do
  not prioritize solutions. Discussions: vuejs/vue-cli#6637,
  vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
  vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632.
- Development packages are not relevant for the production payload.
- False positives create behavior of ignoring them completely instead of
  taking action, which creates a security vulnerability itself.
- Failed tests are shown in a badge on README file, giving wrong picture
  of security posture of users.

`npm audit --omit=dev` is used instead of `npm audit --production` which
is deprecated as of npm v8.7.0 npm/cli#4744.
undergroundwires added a commit to undergroundwires/privacy.sexy that referenced this issue Aug 8, 2023
@undergroundwires
Fix failing security tests
40dcfa7 
This commit changes the behavior of auditing to audit only production
dependencies.

Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.

The reasons include:

- Vulnerabilities in developer dependencies cause pipelines to fail
  on every run.
- This is caused by dependencies such that lack resolution from the
  developers. Vue developers consider `npm audit` broken design and do
  not prioritize solutions. Discussions: vuejs/vue-cli#6637,
  vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
  vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632.
- Development packages are not relevant for the production payload.
- False positives create behavior of ignoring them completely instead of
  taking action, which creates a security vulnerability itself.
- Failed tests are shown in a badge on README file, giving wrong picture
  of security posture of users.

`npm audit --omit=dev` is used instead of `npm audit --production` which
is deprecated as of npm v8.7.0 npm/cli#4744.
undergroundwires added a commit to undergroundwires/privacy.sexy that referenced this issue Aug 8, 2023
@undergroundwires
Fix failing security tests
3ade1a3 
This commit changes the behavior of auditing to audit only production
dependencies.

Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.

The reasons include:

- Vulnerabilities in developer dependencies cause pipelines to fail
  on every run.
- This is caused by dependencies such that lack resolution from the
  developers. Vue developers consider `npm audit` broken design and do
  not prioritize solutions. Discussions: vuejs/vue-cli#6637,
  vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
  vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632.
- Development packages are not relevant for the production payload.
- False positives create behavior of ignoring them completely instead of
  taking action, which creates a security vulnerability itself.
- Failed tests are shown in a badge on README file, giving wrong picture
  of security posture of users.

`npm audit --omit=dev` is used instead of `npm audit --production` which
is deprecated as of npm v8.7.0 npm/cli#4744.
undergroundwires added a commit to undergroundwires/privacy.sexy that referenced this issue Aug 8, 2023
@undergroundwires
Fix failing security tests
3bc8da4 
This commit changes the behavior of auditing to audit only production
dependencies.

Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.

The reasons include:

- Vulnerabilities in developer dependencies cause pipelines to fail
  on every run.
- This is caused by dependencies such that lack resolution from the
  developers. Vue developers consider `npm audit` broken design and do
  not prioritize solutions. Discussions: vuejs/vue-cli#6637,
  vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
  vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632.
- Development packages are not relevant for the production payload.
- False positives create behavior of ignoring them completely instead of
  taking action, which creates a security vulnerability itself.
- Failed tests are shown in a badge on README file, giving wrong picture
  of security posture of users.

`npm audit --omit=dev` is used instead of `npm audit --production` which
is deprecated as of npm v8.7.0 npm/cli#4744.

This commit also removes exiting with output of `npm audit` command to
fix exiting with textual output, leading to failures.
LarrMarburger added a commit to LarrMarburger/privacy.sexy that referenced this issue Nov 16, 2023
@LarrMarburger @undergroundwires
Fix failing security tests
8bb9207 
This commit changes the behavior of auditing to audit only production
dependencies.

Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.

The reasons include:

- Vulnerabilities in developer dependencies cause pipelines to fail
  on every run.
- This is caused by dependencies such that lack resolution from the
  developers. Vue developers consider `npm audit` broken design and do
  not prioritize solutions. Discussions: vuejs/vue-cli#6637,
  vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
  vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632.
- Development packages are not relevant for the production payload.
- False positives create behavior of ignoring them completely instead of
  taking action, which creates a security vulnerability itself.
- Failed tests are shown in a badge on README file, giving wrong picture
  of security posture of users.

`npm audit --omit=dev` is used instead of `npm audit --production` which
is deprecated as of npm v8.7.0 npm/cli#4744.

This commit also removes exiting with output of `npm audit` command to
fix exiting with textual output, leading to failures.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests