Potential vulnerability introduced in @vue/cli-service #6621
Comments
|
It's not a real vulnerability for Vue CLI projects. |
undergroundwires
added a commit
to undergroundwires/privacy.sexy
that referenced
this issue
Aug 4, 2023
Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744.
undergroundwires
added a commit
to undergroundwires/privacy.sexy
that referenced
this issue
Aug 4, 2023
Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744.
undergroundwires
added a commit
to undergroundwires/privacy.sexy
that referenced
this issue
Aug 8, 2023
This commit changes the behavior of auditing to audit only production dependencies. Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744.
undergroundwires
added a commit
to undergroundwires/privacy.sexy
that referenced
this issue
Aug 8, 2023
This commit changes the behavior of auditing to audit only production dependencies. Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744.
undergroundwires
added a commit
to undergroundwires/privacy.sexy
that referenced
this issue
Aug 8, 2023
This commit changes the behavior of auditing to audit only production dependencies. Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744. This commit also removes exiting with output of `npm audit` command to fix exiting with textual output, leading to failures.
LarrMarburger
added a commit
to LarrMarburger/privacy.sexy
that referenced
this issue
Nov 16, 2023
This commit changes the behavior of auditing to audit only production dependencies. Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744. This commit also removes exiting with output of `npm audit` command to fix exiting with textual output, leading to failures.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi, @sodatea @fangbinwei,
Issue Description
I noticed that a vulnerability is introduced in @vue/cli-service@4.5.13:
Vulnerability SNYK-JS-EJS-1049328 affects package ejs (versions:<3.1.6): https://snyk.io/vuln/SNYK-JS-EJS-1049328
The above vulnerable package is referenced by @vue/cli-service@4.5.13 via:
@vue/cli-service@4.5.13 ➔ webpack-bundle-analyzer@3.9.0 ➔ ejs@2.7.4Since @vue/cli-service@4.5.13 (317,225 downloads per week) is referenced by 145 downstream projects (e.g.,@iez/core 3.0.6 (latest version), @ditojs/server 0.259.0 (latest version), radiate-framework 4.4.1 (latest version), @quasiris/qsc-data-table 1.3.3 (latest version)), the vulnerability https://snyk.io/vuln/SNYK-JS-EJS-1049328 can be propagated into these downstream projects and expose security threats to them via the following package dependency paths:
(1)
@quasiris/qsc-data-table@1.3.3 ➔ @vue/cli-service-global@4.5.13 ➔ @vue/cli-service@4.5.13 ➔ webpack-bundle-analyzer@3.9.0 ➔ ejs@2.7.4......
If @vue/cli-service@4.5.13 removes the vulnerable package from the above version, then its fixed version can help downstream users decrease their pain.
Given the large number of downstream users, could you help update your package to remove the vulnerability from @vue/cli-service@4.5.13 ?
Fixing suggestions
In @vue/cli-service@4.5.14, you can kindly perform the following upgrade :
webpack-bundle-analyzer ^3.8.0 ➔ ^4.0.0;Note:
webpack-bundle-analyzer@4.0.0(>=4.0.0) directly depends on ejs@3.1.6 which has fixed the vulnerability (https://snyk.io/vuln/SNYK-JS-EJS-1049328)
Of course, you are welcome to share other ways to resolve the issue.
Thank you for your attention to this issue.
Best regards,
Vincentsum ^_^
The text was updated successfully, but these errors were encountered: