Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

glob-parent vulnerability issue with with @vue/cli-service@4.5.13 #6553

Closed
mtermoul opened this issue Jun 29, 2021 · 6 comments
Closed

glob-parent vulnerability issue with with @vue/cli-service@4.5.13 #6553

mtermoul opened this issue Jun 29, 2021 · 6 comments

Comments

@mtermoul
Copy link

mtermoul commented Jun 29, 2021

Screen Shot 2021-06-29 at 1 39 14 PM

Screen Shot 2021-06-29 at 1 39 54 PM

### Version 4.5.13

Environment info

System:
    OS: macOS Mojave 10.14.6
    CPU: (12) x64 Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz
  Binaries:
    Node: 10.16.0 - /usr/local/bin/node
    Yarn: Not Found
    npm: 7.11.1 - /usr/local/bin/npm
  Browsers:
    Chrome: 91.0.4472.114
    Edge: Not Found
    Firefox: 88.0.1
    Safari: 13.1
npmPackages:
    @casl/vue: ^1.2.2 => 1.2.2 
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-helper-vue-transform-on:  1.0.2 
    @vue/babel-plugin-jsx:  1.0.6 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  4.5.13 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli-overlay:  4.5.13 
    @vue/cli-plugin-babel: ~4.5.13 => 4.5.13 
    @vue/cli-plugin-e2e-cypress: ~4.5.0 => 4.5.13 
    @vue/cli-plugin-eslint: ^3.1.1 => 3.1.1 
    @vue/cli-plugin-router:  4.5.13 
    @vue/cli-plugin-unit-jest: ^4.5.13 => 4.5.13 
    @vue/cli-plugin-vuex:  4.5.13 
    @vue/cli-service: ^4.5.13 => 4.5.13 
    @vue/cli-shared-utils:  4.5.13 (3.12.1)
    @vue/component-compiler-utils:  3.2.2 
    @vue/eslint-config-prettier: ^6.0.0 => 6.0.0 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/web-component-wrapper:  1.3.0 
    eslint-plugin-vue: ^6.2.2 => 6.2.2 (4.7.1)
    jest-serializer-vue:  2.0.2 
    vue: ^2.6.11 => 2.6.14 
    vue-chartjs: ^3.4.2 => 3.5.1 
    vue-cli-plugin-vuetify: ^2.0.5 => 2.4.1 
    vue-eslint-parser:  7.6.0 (2.0.3)
    vue-hot-reload-api:  2.3.4 
    vue-jest:  3.0.7 
    vue-json-excel: ^0.2.98 => 0.2.99 
    vue-loader:  15.9.7 (16.2.0)
    vue-router: ^3.1.6 => 3.5.2 
    vue-style-loader:  4.1.3 
    vue-template-compiler: ^2.6.11 => 2.6.14 
    vue-template-es2015-compiler:  1.9.1 
    vue-the-mask: ^0.11.1 => 0.11.1 
    vuetify: ~2.4.0 => 2.4.11 
    vuetify-loader: ^1.3.0 => 1.7.2 
    vuex: ^3.1.3 => 3.6.2 
  npmGlobalPackages:
    @vue/cli: 4.5.13

Steps to reproduce

npm audit

What is expected?

@vue/cli-service should depend on glob-parent version 5.1.2 or higher

What is actually happening?

npm audit is saying that
\glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751

@alimony
Copy link

alimony commented Jul 16, 2021

webpack stopped depending on a vulnerable version of watchpack in version 5.38: https://github.com/webpack/webpack/releases/tag/v5.38.0 Before that it used watchpack 2.0.0 that used chokidar, in version 2.2.0 they switched over to native listeners.

@dosstx
Copy link

dosstx commented Jul 21, 2021

Can someone explain the above to me? Then, how do I fix this issue?

@Tofandel
Copy link

Tofandel commented Jul 23, 2021

By switching to @vue/cli-service^5.0.0-beta.2 and latest webpack... None of the vulnerability matter anyways unless you're running a node-js server with those packages. So it might matter if using nuxt

@N1GHTR4NG3R
Copy link

Can you explain how too switch please.

Currently I have just re-installed Vue, and am getting 9 Moderate security risks, All of which are Regular expression denial of service which are dependencies of the following:

@vue/cli-plugin-eslint [dev]
@vue/cli-plugin-typescript [dev]
@vue/cli-service [dev]
With the path pointing too chokidar.

Then the same again but the path pointing too glob-parent.

I also have 3 node-sass High Priority errors with node-sass relating to issue #6467

In regards to running a node-js server, There is an awful lot of people that run node-js servers, so saying it doesn't matter isn't true.

@haoqunjiang
Copy link
Member

https://overreacted.io/npm-audit-broken-by-design/

NPM audit is broken. This is not a real vulnerability in almost every use case of Vue CLI. So I'm closing this issue.

@dosstx
Copy link

dosstx commented Aug 13, 2021

@Tricky-Ricky I fixed it by simply updating vue cli to latest 4x version (I didn't update to 5x).

If there are still some threats, you can also do an 'npm force resolutions' hot fix .

I agree with @sodatea about npm being broken, but it's impossible to convince security teams that and we often can't simply dimiss it. This is nothing against Vue-CLI, it's just the sad state of affairs when using npm audit.

soumitradev added a commit to soumitradev/dwitter-go-api that referenced this issue Nov 30, 2021
First of all, this happened: https://i.imgur.com/a3yGb2P.png

And then as I try to resolve it, I end up at this: vuejs/vue-cli#6553 (comment)

If you're someone exploiting this vulnerability for some reason, and you can, go for it.

At this point, I'm just too lazy to fix this shit, and so is Vue's dev team. You deserve this one. Congrats.
undergroundwires added a commit to undergroundwires/privacy.sexy that referenced this issue Aug 4, 2023
Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.

The reasons include:

- Vulnerabilities in developer dependencies cause pipelines to fail
  on every run.
- This is caused by dependencies such that lack resolution from the
  developers. Vue developers consider `npm audit` broken design and do
  not prioritize solutions. Discussions: vuejs/vue-cli#6637,
  vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
  vuejs/vue-cli#6523, vuejs/vue-cli#6486.
- Development packages are not relevant for the production payload.
- False positives create behavior of ignoring them completely instead of
  taking action, which creates a security vulnerability itself.

`npm audit --omit=dev` is used instead of `npm audit --production` which
is deprecated as of npm v8.7.0 npm/cli#4744.
undergroundwires added a commit to undergroundwires/privacy.sexy that referenced this issue Aug 4, 2023
Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.

The reasons include:

- Vulnerabilities in developer dependencies cause pipelines to fail
  on every run.
- This is caused by dependencies such that lack resolution from the
  developers. Vue developers consider `npm audit` broken design and do
  not prioritize solutions. Discussions: vuejs/vue-cli#6637,
  vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
  vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632.
- Development packages are not relevant for the production payload.
- False positives create behavior of ignoring them completely instead of
  taking action, which creates a security vulnerability itself.
- Failed tests are shown in a badge on README file, giving wrong picture
  of security posture of users.

`npm audit --omit=dev` is used instead of `npm audit --production` which
is deprecated as of npm v8.7.0 npm/cli#4744.
undergroundwires added a commit to undergroundwires/privacy.sexy that referenced this issue Aug 8, 2023
This commit changes the behavior of auditing to audit only production
dependencies.

Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.

The reasons include:

- Vulnerabilities in developer dependencies cause pipelines to fail
  on every run.
- This is caused by dependencies such that lack resolution from the
  developers. Vue developers consider `npm audit` broken design and do
  not prioritize solutions. Discussions: vuejs/vue-cli#6637,
  vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
  vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632.
- Development packages are not relevant for the production payload.
- False positives create behavior of ignoring them completely instead of
  taking action, which creates a security vulnerability itself.
- Failed tests are shown in a badge on README file, giving wrong picture
  of security posture of users.

`npm audit --omit=dev` is used instead of `npm audit --production` which
is deprecated as of npm v8.7.0 npm/cli#4744.
undergroundwires added a commit to undergroundwires/privacy.sexy that referenced this issue Aug 8, 2023
This commit changes the behavior of auditing to audit only production
dependencies.

Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.

The reasons include:

- Vulnerabilities in developer dependencies cause pipelines to fail
  on every run.
- This is caused by dependencies such that lack resolution from the
  developers. Vue developers consider `npm audit` broken design and do
  not prioritize solutions. Discussions: vuejs/vue-cli#6637,
  vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
  vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632.
- Development packages are not relevant for the production payload.
- False positives create behavior of ignoring them completely instead of
  taking action, which creates a security vulnerability itself.
- Failed tests are shown in a badge on README file, giving wrong picture
  of security posture of users.

`npm audit --omit=dev` is used instead of `npm audit --production` which
is deprecated as of npm v8.7.0 npm/cli#4744.
undergroundwires added a commit to undergroundwires/privacy.sexy that referenced this issue Aug 8, 2023
This commit changes the behavior of auditing to audit only production
dependencies.

Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.

The reasons include:

- Vulnerabilities in developer dependencies cause pipelines to fail
  on every run.
- This is caused by dependencies such that lack resolution from the
  developers. Vue developers consider `npm audit` broken design and do
  not prioritize solutions. Discussions: vuejs/vue-cli#6637,
  vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
  vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632.
- Development packages are not relevant for the production payload.
- False positives create behavior of ignoring them completely instead of
  taking action, which creates a security vulnerability itself.
- Failed tests are shown in a badge on README file, giving wrong picture
  of security posture of users.

`npm audit --omit=dev` is used instead of `npm audit --production` which
is deprecated as of npm v8.7.0 npm/cli#4744.

This commit also removes exiting with output of `npm audit` command to
fix exiting with textual output, leading to failures.
LarrMarburger added a commit to LarrMarburger/privacy.sexy that referenced this issue Nov 16, 2023
This commit changes the behavior of auditing to audit only production
dependencies.

Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.

The reasons include:

- Vulnerabilities in developer dependencies cause pipelines to fail
  on every run.
- This is caused by dependencies such that lack resolution from the
  developers. Vue developers consider `npm audit` broken design and do
  not prioritize solutions. Discussions: vuejs/vue-cli#6637,
  vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
  vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632.
- Development packages are not relevant for the production payload.
- False positives create behavior of ignoring them completely instead of
  taking action, which creates a security vulnerability itself.
- Failed tests are shown in a badge on README file, giving wrong picture
  of security posture of users.

`npm audit --omit=dev` is used instead of `npm audit --production` which
is deprecated as of npm v8.7.0 npm/cli#4744.

This commit also removes exiting with output of `npm audit` command to
fix exiting with textual output, leading to failures.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants