Laravel-mix: Update webpack-dev-server (high severity vulnerability detected)

Created on 7 Nov 2018 · 15 Comments · Source: JeffreyWay/laravel-mix

  • Laravel Mix Version: 2.1.14 (npm list --depth=0)
  • Node Version (node -v): 8.11.3
  • NPM Version (npm -v): 6.4.1
  • OS: OS X High Sierra

Description:

Please, update webpack-dev-server dependency. There is a high severity vulnerability https://nodesecurity.io/advisories/725

Steps To Reproduce:

All 15 comments

Just came across this too.

  • Laravel Mix Version 2.1.14
  • Node Version: 8.12.0
  • NPM Version: 6.4.1
  • OS: Windows 10, version 1803

Handled this in #1815.

Are there any plans to merge the update?

Well, we're missing @JeffreyWay's activity. Probably we just need to wait a little.

Looks like #1815 isn't the fix?

It is. Just not merged yet.

That's it. #1815 merged.

@subotkevic Any idea how we can install the latest version with the fix?

In package.json we have "laravel-mix": "^2.1.14" and when we run npm install laravel-mix --save-dev, it's still the old webpack-dev-server version that's installed that has the security issue reported here, not the new fixed version one in your commit.

@MovingGifts unfortunately this is not yet included in the new laravel-mix release. It has been merged, but not released yet.

Maybe, @JeffreyWay will do this any time soon?

There's a workaround to install laravel-mix directly from master branch, but I'm not recommending doing that:
npm install JeffreyWay/laravel-mix#master

I suggest you all wait for the official release to do this in the proper way.

@subotkevic Thank you for the speedy response.

Hopefully @JeffreyWay can release it to npm soon and let us know here 👍

Thank you both!

The issue is webpack-dev-server 3 is exclusive to webpack 4 and up, which we don't yet support.

@JeffreyWay so what is the recommended approach for now to ensure it's secure?

Is npm install JeffreyWay/laravel-mix#master the only way?

Unless I am mistaken, the vulnerability only affects non-production environment because it has to do with sniffing the Hot Module Replacement websocket port. If my understanding is correct, you would not be running HMR in prod.

The link above in the original issue post shows greater detail: https://nodesecurity.io/advisories/725

This means an exploit of this vulnerability would involve someone downloading your code by navigating to your dev machine's IP address with the correct port. If external traffic cannot reach your machine on that port, then you would not be vulnerable. A decent stopgap might be to limit traffic to localhost only. If your code is hosted in some advanced CI/CD pipeline, you could restrict traffic to a known safelist of IPs on that port.

I don't know for sure; I am just speculating, so just make sure before you take any actions. I don't want to be responsible for said ideas.
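The stopgap suggested above (keep the dev server reachable from localhost only while waiting for the fixed release) as an added example, not code from the thread or from Laravel Mix itself. It assumes the dev server options are passed through `mix.webpackConfig({ devServer: ... })` and that `devServer.host` is the binding address; the loopback guard is a constructed helper, not part of webpack-dev-server.

```javascript
// Constructed example: a webpack-dev-server `devServer` block kept
// loopback-only, plus a guard you can call from webpack.mix.js so the
// server refuses to start on a non-loopback interface.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);

// Weak setting: binds to every interface, so anything that can reach the
// machine on the HMR port can talk to the dev server.
const exposedDevServer = { host: '0.0.0.0', port: 8080, hot: true };

// Corrected setting: bind only to the loopback interface.
const loopbackDevServer = { host: '127.0.0.1', port: 8080, hot: true };

// Returns true when the configured host is a loopback address.
// webpack-dev-server defaults to 'localhost' when no host is given.
function devServerIsLoopbackOnly(devServer) {
  const host = devServer && devServer.host ? devServer.host : 'localhost';
  return LOOPBACK_HOSTS.has(host);
}

// Throws instead of silently exposing the dev server; returns the
// unchanged object so it can be passed straight into the Mix config.
function assertLoopbackOnly(devServer) {
  if (!devServerIsLoopbackOnly(devServer)) {
    throw new Error(`devServer.host "${devServer.host}" is not loopback-only`);
  }
  return devServer;
}

// Assumed usage in webpack.mix.js (hypothetical, not from the thread):
// mix.webpackConfig({ devServer: assertLoopbackOnly(loopbackDevServer) });
```

This only narrows who can reach the HMR port; it does not change the vulnerable webpack-dev-server version, so the upgrade in #1815 is still needed.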

It's not a really good idea either, but you can always temporarily run
npm set audit false to disable audit completely. Don't forget to set it back to true once a proper release is provided.

This should be fixed with laravel mix v4 beta
