Vue-cli: Security: found 6 vulnerabilities (1 low, 4 high, 1 critical) in 37738 scanned packages

Created on 7 Jan 2019  Â·  7Comments  Â·  Source: vuejs/vue-cli

Version

3.2.3

Reproduction link

https://github.com/peterennis/aeicons-vue

Environment info

C:\ae\adaept.com\aeicons-vue>vue info

Environment Info:

  System:
    OS: Windows 10
    CPU: (4) x64 Intel(R) Core(TM) i7-3540M CPU @ 3.00GHz
  Binaries:
    Node: 10.14.2 - C:\Program Files\nodejs\node.EXE
    Yarn: Not Found
    npm: 6.4.1 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: 44.17763.1.0
  npmPackages:
    @vue/cli-overlay:  3.2.0
    @vue/cli-plugin-e2e-nightwatch: ^3.2.0 => 3.2.2
    @vue/cli-plugin-eslint: ^3.2.0 => 3.2.2
    @vue/cli-plugin-pwa: ^3.2.0 => 3.2.2
    @vue/cli-plugin-typescript: ^3.2.0 => 3.2.2
    @vue/cli-plugin-unit-jest: ^3.2.0 => 3.2.3
    @vue/cli-service: ^3.2.0 => 3.2.3
    @vue/cli-shared-utils:  3.2.2
    @vue/component-compiler-utils:  2.4.0
    @vue/eslint-config-prettier: ^4.0.1 => 4.0.1
    @vue/eslint-config-typescript: ^3.2.0 => 3.2.0
    @vue/preload-webpack-plugin:  1.1.0
    @vue/test-utils: ^1.0.0-beta.20 => 1.0.0-beta.28
    @vue/web-component-wrapper:  1.2.0
    eslint-plugin-vue: ^5.0.0 => 5.1.0
    jest-serializer-vue:  2.0.2
    vue: ^2.5.21 => 2.5.21
    vue-class-component: ^6.0.0 => 6.3.2
    vue-eslint-parser:  2.0.3
    vue-hot-reload-api:  2.3.1
    vue-jest:  3.0.2
    vue-loader:  15.5.0
    vue-property-decorator: ^7.0.0 => 7.2.0
    vue-style-loader:  4.1.2
    vue-template-compiler: ^2.5.21 => 2.5.21
    vue-template-es2015-compiler:  1.6.0
  npmGlobalPackages:
    @vue/cli: Not Found


C:\ae\adaept.com\aeicons-vue>

Steps to reproduce

Create project with the relevant selections

What is expected?

No security errors

What is actually happening?

npm audit shows security errors
npm audit fix cannot fix

C:\ae\adaept.com\aeicons-vue>npm audit

                   === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Critical Command Injection

Package growl

Patched in >=1.10.2

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch >
mocha-nightwatch > growl

More info https://nodesecurity.io/advisories/146

High Denial of Service

Package http-proxy-agent

Patched in >=2.1.0

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch > proxy-agent >
http-proxy-agent

More info https://nodesecurity.io/advisories/607

High Denial of Service

Package http-proxy-agent

Patched in >=2.1.0

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch > proxy-agent >
pac-proxy-agent > http-proxy-agent

More info https://nodesecurity.io/advisories/607

High Denial of Service

Package https-proxy-agent

Patched in >=2.2.0

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch > proxy-agent >
https-proxy-agent

More info https://nodesecurity.io/advisories/593

High Denial of Service

Package https-proxy-agent

Patched in >=2.2.0

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch > proxy-agent >
pac-proxy-agent > https-proxy-agent

More info https://nodesecurity.io/advisories/593

Low Regular Expression Denial of Service

Package debug

Patched in >= 2.6.9 < 3.0.0 || >= 3.1.0

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch >
mocha-nightwatch > debug

More info https://nodesecurity.io/advisories/534

found 6 vulnerabilities (1 low, 4 high, 1 critical) in 37738 scanned packages
6 vulnerabilities require manual review. See the full report for details.

C:\ae\adaept.com\aeicons-vue>

major upstream
Source
picture peterennis

Most helpful comment

@LinusBorg vue-cli is using nightwatch v0.9 and we have recently released v1.0 into the main npm channel. Anything we can do to help with the upgrade? Let us know if there are specific issues blocking it, thanks.

picture beatfactor on 8 Jan 2019
👍8

All 7 comments

all of those are dependencies of nightwatch, you should likely open reports there.

LinusBorg picture LinusBorg on 7 Jan 2019

@LinusBorg vue-cli is using nightwatch v0.9 and we have recently released v1.0 into the main npm channel. Anything we can do to help with the upgrade? Let us know if there are specific issues blocking it, thanks.

beatfactor picture beatfactor on 8 Jan 2019
👍8

@beatfactor hey, thanks for getting in touch. I'm not personally familiar with the status of the nightwatch plugin, but we are certainly interested in moving to 1.0 if that's available now. I honestly missed that. 😅

/cc @sodatea can you chime in!

LinusBorg picture LinusBorg on 8 Jan 2019
👍2

Yes we're definitely intereted in upgrading, but I haven't got the time to have a close look at the 1.0 changelog, so I'm not sure if it will be a breaking change for us…
If not, we'll certainly do it. Otherwise, we might have to delay it to v4 (which is pending webpack v5 release)

Sidenote: it seems these vulnerablilities are for server side projects only and should not affect local tests.

sodatea picture sodatea on 8 Jan 2019

Just initialized a new project with vue-cli v3.3.0 and NPM reports 22 vulnerabilities now. 11 Low, 1 Moderate, 8 High, 2 Critical.

I've included a dump from npm audit but the text has a lot of extra garbage in it.

npm-audit.txt

cedon picture cedon on 21 Jan 2019

Related: https://github.com/vuejs/vue-cli/pull/3388

darrenjennings picture darrenjennings on 29 Jan 2019

Landed in v4.0.0-alpha.0

sodatea picture sodatea on 1 May 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

PrimozRome picture PrimozRome  Â·  3Comments
brandon93s picture brandon93s  Â·  3Comments
b-zee picture b-zee  Â·  3Comments
BusyHe picture BusyHe  Â·  3Comments
NathanKleekamp picture NathanKleekamp  Â·  3Comments