Laravel-mix: Laravel Mix Vulnerability from npm audit

Created on 15 May 2020 · 7Comments · Source: JeffreyWay/laravel-mix

Laravel Mix Version: 5.0.4
Node Version: v10.15.3
NPM Version: 6.14.2
OS: macOS 10.13.4

Description:

When I update laravel-mix and npm-audit I found this warnings:

Screen Shot 2020-05-15 at 1 59 36 PM

Source

marvz73

👍19 😕3

Most helpful comment

This has been fixed with the release of 5.0.5 which updates yargs to v15 :)

G-Rath on 21 Aug 2020

👍2 ❤1

All 7 comments

Having the same issue

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ http-proxy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ laravel-mix [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ laravel-mix > webpack-dev-server > http-proxy-middleware > │
│ │ http-proxy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1486 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ laravel-mix [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ laravel-mix > yargs > yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1500 │
└───────────────┴──────────────────────────────────────────

locphan57910 on 16 May 2020

I have the same issue about NPM Vulnerability from NPM Audit

                   === npm audit security report ===

Run npm update mkdirp --depth 8 to resolve 1 vulnerability

Low Prototype Pollution

Package minimist

Dependency of laravel-mix

Path laravel-mix > webpack-cli > @webpack-cli/init >
@webpack-cli/generators > webpack > terser-webpack-plugin >
cacache > mkdirp > minimist

More info https://npmjs.com/advisories/1179

                             Manual Review                                  
         Some vulnerabilities require your attention to resolve             

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package minimist

Patched in >=0.2.1 <1.0.0 || >=1.2.3

Dependency of laravel-mix

Path laravel-mix > webpack-cli > @webpack-cli/init >
@webpack-cli/generators > glob-all > yargs > minimist

More info https://npmjs.com/advisories/1179

Low Prototype Pollution

Package minimist

Patched in >=0.2.1 <1.0.0 || >=1.2.3

Dependency of laravel-mix

Path laravel-mix > webpack-cli > @webpack-cli/init >
@webpack-cli/generators > mkdirp > minimist

More info https://npmjs.com/advisories/1179

High Denial of Service

Package http-proxy

Patched in No patch available

Dependency of laravel-mix

Path laravel-mix > webpack-cli > @webpack-cli/init >
@webpack-cli/generators > webpack-dev-server >
http-proxy-middleware > http-proxy

More info https://npmjs.com/advisories/1486

High Denial of Service

Package http-proxy

Patched in No patch available

Dependency of laravel-mix

Path laravel-mix > webpack-dev-server > http-proxy-middleware >
http-proxy

More info https://npmjs.com/advisories/1486

Low Prototype Pollution

Package yargs-parser

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

Dependency of laravel-mix

Path laravel-mix > webpack-cli > @webpack-cli/init >
@webpack-cli/generators > webpack-dev-server > yargs >
yargs-parser

More info https://npmjs.com/advisories/1500

maxindweb on 16 May 2020

Facing the same issue, any update on the fix?

anilkreddy on 4 Jul 2020

same here
Path │ laravel-mix > yargs > yargs-parser

found 1 low severity vulnerability

PatricNox on 19 Jul 2020

while of course any "vulnerability" should be fixed, in my experience so far most of the things flagged by npm audit arent really relevant when you are just using webpack.

eg the original high severity issue that this issue was raised for, if you actually look at the message it is saying there is a dependency of webpack dev server that makes it vulnerable to denial of service attacks. unless you are running webpack dev server in production then that is no issue.

if you were running a node server in production and it was using that sane dependency then it would be more important to fix

rs-sliske on 19 Jul 2020

Naturally same issue here. Even if I install separate yargs@19 laravel-mix does not use it. :/
It would be great if somebody would update the dependencies of the package.

I wouldn't mind if I was building projects for myself with deprecated or vulnerable packages, but a client is always right and if it said he doesn't want vulnerable packages, devs have to obey.