(npm list --depth=0)
(node -v): v8.1.2
(npm -v): 5.6.0

Running nsp check gives this result:
(+) 1 vulnerability found
┌────────────┬───────────────────────────────────────────────────────────────────────────────┐
│            │ Prototype pollution attack                                                    │
├────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ Name       │ hoek                                                                          │
├────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 4 (Medium)                                                                    │
├────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ Installed  │ 2.16.3                                                                        │
├────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <= 4.2.0 || >= 5.0.0 < 5.0.3                                                  │
├────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ Patched    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                                   │
├────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ Path       │ xxxxxx@undefined > [email protected] > [email protected] >                   │
│            │ [email protected] > [email protected] > [email protected] > [email protected] │
├────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/566                                        │
└────────────┴───────────────────────────────────────────────────────────────────────────────┘
I just ran this because GitHub said:
We found potential security vulnerabilities in your dependencies.
Install https://nodesecurity.io/opensource then run nsp check
Do I interpret this right? [email protected] is vulnerable? So it's essentially [email protected], then [email protected], then [email protected] (which won't be installed on Linux systems), then [email protected], which is vulnerable, and this is why Mix is vulnerable?
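The nsp table in the post above labels the hoek advisory "Prototype pollution attack" without saying what that means for an application that only pulls hoek in transitively. The following is an added illustration of that bug class, not code from this thread and not hoek's own code: a constructed minimal recursive merge of the general shape the advisory describes, next to a hardened version. The payload, the `naiveMerge`/`safeMerge` names and the `demo` helper are all assumptions made for the example.

```javascript
// Added illustration of the "prototype pollution" bug class named in the
// nsp table. This is NOT hoek's code; it is a constructed minimal recursive
// merge of the kind such advisories describe, beside a hardened version.

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable: trusts every key of `source`, including "__proto__".
// When key === "__proto__", target[key] resolves to Object.prototype and the
// recursion writes attacker-controlled properties onto it.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: only own keys, and the keys that reach the prototype chain are
// refused outright. Creating the nested container only when `target` does
// not already OWN one avoids recursing into an inherited object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, e.g. a JSON request body that an API merges
// into its defaults. JSON.parse creates an OWN property literally named
// "__proto__" here; it does not change the object's prototype.
const PAYLOAD = '{"name":"x","__proto__":{"isAdmin":true}}';

// Merges the payload with the given function and reports whether an
// unrelated, freshly created object now inherits isAdmin === true.
function demo(mergeFn) {
  const defaults = { name: 'default', isAdmin: false };
  mergeFn(defaults, JSON.parse(PAYLOAD));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // clean up so the next run starts fresh
  return polluted;
}

console.log('naiveMerge pollutes Object.prototype:', demo(naiveMerge));
console.log('safeMerge pollutes Object.prototype:', demo(safeMerge));
```

The practical consequence for a dependency chain like the one in the table: the vulnerable function does not have to be called on your data directly; any code path in the process that merges attacker-influenced JSON through the affected helper can change what every later `{}` in the same process inherits (authorization flags, template options, and so on). That is why the fix is to get a hoek version outside the "Vulnerable" range into the tree rather than to audit your own calls.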
Thanks for announcing this. Seriously. But shouldn't we report this to any of the involved libraries in the dependency chain in the first place?
@tpraxl I think it's related to Mix because Mix requires chokidar version 1.7.0 (see: https://github.com/JeffreyWay/laravel-mix/blob/master/package.json#L39) and chokidar is now at version 2.0.
So I think we could update to version 2.0 to fix the problem, but I don't know if there are breaking changes. I asked here: https://github.com/paulmillr/chokidar/issues/683 and if there is no breaking change I will submit a PR.
In other words, Mix is not vulnerable itself but it seems it relies on a vulnerable version of _something_.
_Still, I'm not sure about anything, I am sometimes lost in dependency hell._
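To settle "which direct dependency drags the vulnerable hoek in" mechanically rather than by reading the Path row by eye, here is an added helper that is not part of laravel-mix, chokidar or nsp. It walks the JSON that `npm ls --json` prints, finds every path that reaches a named package, and checks each installed version against the advisory's "Vulnerable" range using the comparator syntax nsp prints. The tree is constructed inline: the names `dep-a`, `dep-b` and `other-lib` and every version except chokidar 1.7.0 and hoek 2.16.3 are placeholders, and the `other-lib` branch exists only to show a second path landing on an already patched hoek.

```javascript
// Added helper, not part of laravel-mix, chokidar or nsp: walk an
// `npm ls --json` tree and report every path reaching a package whose
// installed version falls inside an advisory's vulnerable range.

// CONSTRUCTED sample tree shaped like `npm ls --json` output. Only
// chokidar@1.7.0 and hoek@2.16.3 come from the thread; dep-a, dep-b,
// other-lib and the remaining versions are placeholders.
const SAMPLE_TREE = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    'laravel-mix': { version: '0.0.0', dependencies: {
      chokidar: { version: '1.7.0', dependencies: {
        'dep-a': { version: '1.0.0', dependencies: {
          'dep-b': { version: '2.0.0', dependencies: {
            hoek: { version: '2.16.3' },
          } },
        } },
      } },
    } },
    'other-lib': { version: '3.1.0', dependencies: {
      hoek: { version: '4.2.1' },
    } },
  },
};

// Vulnerable range copied from the nsp table above.
const HOEK_VULNERABLE = '<= 4.2.0 || >= 5.0.0 < 5.0.3';

// Minimal semver: plain MAJOR.MINOR.PATCH only (no prerelease tags, no ~ or ^).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

const OPS = {
  '<': (c) => c < 0, '<=': (c) => c <= 0,
  '>': (c) => c > 0, '>=': (c) => c >= 0, '=': (c) => c === 0,
};

// `||` separates alternatives (OR); comparators inside one alternative are
// ANDed, which is exactly how nsp prints "<= 4.2.0 || >= 5.0.0 < 5.0.3".
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((alt) => {
    const comparators = [...alt.matchAll(/([<>]=?|=)?\s*(\d+\.\d+\.\d+)/g)];
    if (comparators.length === 0) throw new Error(`empty range alternative in: ${range}`);
    return comparators.every(([, op = '=', ver]) => OPS[op](compareVersions(v, parseVersion(ver))));
  });
}

// Depth-first walk; returns one record per occurrence of `target`.
function findPaths(tree, target, vulnerableRange) {
  const hits = [];
  const walk = (node, name, path) => {
    const here = [...path, `${name}@${node.version}`];
    if (name === target) {
      hits.push({
        path: here.join(' > '),
        version: node.version,
        vulnerable: satisfies(node.version, vulnerableRange),
        directDependency: here[1], // the top-level package to upgrade or report
      });
    }
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      walk(child, childName, here);
    }
  };
  walk(tree, tree.name, []);
  return hits;
}

function vulnerablePaths(tree = SAMPLE_TREE) {
  return findPaths(tree, 'hoek', HOEK_VULNERABLE).filter((h) => h.vulnerable);
}

for (const hit of vulnerablePaths()) {
  console.log(`${hit.path}\n  -> fix via direct dependency ${hit.directDependency}`);
}
```

Against a real project the input is `npm ls --json > tree.json` followed by `findPaths(require('./tree.json'), 'hoek', HOEK_VULNERABLE)`; `directDependency` on each vulnerable record names the package.json entry whose upgrade (or whose own upstream fix) would replace the hoek copy, which is the same reasoning the comment above applies to chokidar by hand. The range parser is deliberately limited to the comparator list nsp prints; use the `semver` package if you need prerelease tags or tilde/caret ranges.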
@rap2hpoutre Thanks for the info and your engagement!