laravel-mix (Critical, Command Injection, macaddress)

Created on 21 May 2018 · 5Comments · Source: JeffreyWay/laravel-mix

Laravel Mix Version: 2.1.11
Node Version: v8.1.3
NPM Version: 6.0.1
OS: Debian 6

Description:

# npm install
npm WARN [email protected] requires a peer of eslint@>=5.0.0-alpha.2 but none is installed. You must install peer dependencies yourself.
npm WARN [email protected] requires a peer of webpack@^4.4.0 but none is installed. You must install peer dependencies yourself.
npm WARN [email protected] requires a peer of webpack@^4.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

up to date in 20.926s
[!] 103 vulnerabilities found [29692 packages audited]
    Severity: 31 Low | 65 Moderate | 6 High | 1 Critical
    Run `npm audit` for more detail

# npm audit
[...]
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ macaddress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ laravel-mix [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ laravel-mix > css-loader > cssnano > postcss-filter-plugins  │
│               │ > uniqid > macaddress                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/654                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

[!] 103 vulnerabilities found - Packages audited: 29692 (29572 dev, 1349 optional)
    Severity: 31 Low | 65 Moderate | 6 High | 1 Critical

Steps To Reproduce:

# npm install
# npm audit

Source

JsonDeveloper

😕2

Most helpful comment

Who is using laravel-mix on production server?

PS
Laravel mix is tend to be used on local machine or on a CI server. We are NOT going to deploy node_modules folder along with php application.

ankurk91 on 22 May 2018

👎4 😄1 👍1

All 5 comments

Who is using laravel-mix on production server?

PS
Laravel mix is tend to be used on local machine or on a CI server. We are NOT going to deploy node_modules folder along with php application.

ankurk91 on 22 May 2018

👎4 😄1 👍1

No one uses laravel mix on a production server - but are we sure these warnings do not also affect the minified production code?

While I use the same dev environment as @IvanDanilov (on a mac) and I certainly do not publish anything in production other than the minified code, I cannot tell whether the NPM advisories would also apply to the end result code? Laravel Mix has a lot of older dependencies - all of the high and critical advisories I just saw when I ran the update (btw - identical as the OP) emanate from Laravel Mix's dependency on an older Webpack version - or they seem to.

Are you _sure_ that the minified code contains none of these vulnerabilities? (If you are and have some cite to something that would help me understand how the minification process eliminates these vulnerabilities I would like to read that).

OliverGrimsley on 24 May 2018

Well, I kind of agree with the comment made in the npm repo.

Issues of any severity should really be fixed, the severity of a vulnerability assessment should only serve to prioritize the fixes; for example, it would be reasonable to list vulnerabilities with the highest severity first or last, if that's not already being done.

So even though this _should_/_must_ be used only in development, this is not something that should be ignored. It would benefit the whole node community if all these issues are fixed.

In comparison, the create-react-native-scripts package has a somewhat comparable functionality, maybe even more. There only 5 issues (low and medium) issues are reported. I think its safe to say that its quite remarkable that this library contains ±20x the amount of security issues...