Laravel-mix: Vulnerability in laravel-mix

Created on 17 Mar 2020 · 10 Comments · Source: JeffreyWay/laravel-mix

  • Laravel Mix Version: 4.0.7 (But I checked master and the dependency is still the same)
  • Node Version 10.13.0
  • NPM Version 6.4.1
  • OS: Centos

Description:

I know this is not your fault, but this is something to keep in mind.
There's a nested dependency called set-value with a vulnerability. The dependency tree looks like this:

├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └─┬ [email protected]
│         └─┬ [email protected]
│           ├── [email protected]
│           └─┬ [email protected]
│             └── [email protected]

The vulnerability is this one
https://nvd.nist.gov/vuln/detail/CVE-2019-10747

Maybe all that is needed is to update chokidar? Chokidar uses a 3.0.2 version of braces, which looks like it doesn't depend on snapdragon anymore?
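The check a maintainer would want before and after the chokidar bump is "does any path in my tree still reach a set-value without the fix?". The script below is an added example, not code from laravel-mix, npm or the issue author: it walks a package-lock-style tree and reports every path ending in a set-value older than the fixed releases for CVE-2019-10747 (prototype pollution; fixed in 2.0.1 on the 2.x line and 3.0.1 on the 3.x line). The two trees are constructed to illustrate the chain the issue describes; package names below chokidar and all versions other than laravel-mix 4.0.7 and braces 3.0.2 are assumptions, not read from the redacted tree above.

```javascript
// Added example: audit a dependency tree for set-value versions affected by
// CVE-2019-10747. Not laravel-mix or npm code; trees below are constructed.

// Lowest set-value release carrying the fix on each major line (assumed from the
// advisory: 2.0.1 for 2.x, 3.0.1 for 3.x). 0.x/1.x never received a fix.
const SET_VALUE_FIXED = { 2: [2, 0, 1], 3: [3, 0, 1] };

// Parse a plain "major.minor.patch" string; prerelease/build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1 if a < b, 0 if equal, 1 if a > b (numeric, component by component).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableSetValue(version) {
  const parsed = parseVersion(version);
  const fixed = SET_VALUE_FIXED[parsed[0]];
  // Majors without a fixed release: anything below 2 is unpatched, later majors are clean.
  if (!fixed) return parsed[0] < 2;
  return compareVersions(parsed, fixed) < 0;
}

// Tree node shape: { name, version, dependencies: [node, ...] }
// Returns every "a@1 > b@2 > ... > set-value@x" path whose leaf is vulnerable.
function findVulnerablePaths(node, path = []) {
  const here = [...path, `${node.name}@${node.version}`];
  const hits = [];
  if (node.name === 'set-value' && isVulnerableSetValue(node.version)) {
    hits.push(here.join(' > '));
  }
  for (const dep of node.dependencies || []) {
    hits.push(...findVulnerablePaths(dep, here));
  }
  return hits;
}

// Helper for building constructed trees inline.
const pkg = (name, version, ...dependencies) => ({ name, version, dependencies });

// Constructed: the chokidar 2 chain as the issue describes it (braces 2 pulls in
// snapdragon, which eventually reaches set-value). Names below chokidar and
// versions other than 4.0.7 are assumptions for illustration.
const beforeUpgrade = pkg('laravel-mix', '4.0.7',
  pkg('webpack', '4.0.0',
    pkg('watchpack', '1.0.0',
      pkg('chokidar', '2.0.0',
        pkg('braces', '2.0.0',
          pkg('snapdragon', '0.8.0',
            pkg('base', '0.11.0',
              pkg('cache-base', '1.0.0',
                pkg('set-value', '2.0.0'),
                pkg('union-value', '1.0.0',
                  pkg('set-value', '0.4.3'))))))))));

// Constructed: the same tree after moving to chokidar 3, whose braces 3.0.2
// no longer depends on snapdragon, so no path to set-value remains.
const afterUpgrade = pkg('laravel-mix', '4.0.7',
  pkg('webpack', '4.0.0',
    pkg('watchpack', '1.0.0',
      pkg('chokidar', '3.0.0',
        pkg('braces', '3.0.2')))));

console.log('before:', findVulnerablePaths(beforeUpgrade));
console.log('after: ', findVulnerablePaths(afterUpgrade));
```

On a real checkout, `npm ls set-value` prints the same kind of paths from the installed tree, which is the quickest way to confirm whether the chokidar bump actually removed every route to the vulnerable package rather than just one of them.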

All 10 comments

Getting this in a production environment on latest release.

Seems to be a duplicate of #2350, but this issue is better formatted.

@Stokoe0990 any update on this? What version is this fix expected to be on?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This issue still persists.

@JeffreyWay Any plans to address this vulnerability?

The dependency fix was released over a year ago (19 Jun 2019)

As @mwleinad said in the top comment:

Maybe all that is needed is to update chokidar? Chokidar uses a 3.0.2 version of braces, which looks like it doesn't depend on snapdragon anymore?

Chokidar 2 is giving warnings of breakage with Node 14+, so another reason to do this.

warning laravel-mix > webpack > watchpack > watchpack-chokidar2 > [email protected]: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Bump

Looks like this is resolved in the 6.0 prerelease which requires Webpack 5.
