Vue-cli: yargs-parser vulnerability (@vue/cli-service > webpack-dev-server > yargs > yargs-parser)

Created on 1 May 2020 · 9Comments · Source: vuejs/vue-cli

Version

4.3.1

Environment info

Environment Info:

  System:
    OS: macOS 10.15.4
    CPU: (8) x64 Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz
  Binaries:
    Node: 10.16.2 - ~/.nvm/versions/node/v10.16.2/bin/node
    Yarn: 1.21.1 - ~/.nvm/versions/node/v10.16.2/bin/yarn
    npm: 6.9.0 - ~/.nvm/versions/node/v10.16.2/bin/npm

truncated (nginx errors with request uri to large)

Steps to reproduce

run yarn audit in any newly created or exiting vue-cli project

What is expected?

should not report any issues

What is actually happening?

reports:

yarn audit v1.21.1
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-service > webpack-dev-server > yargs > yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘

please upgrade webpack-dev-server as soon their issue got resolved https://github.com/webpack/webpack-dev-server/issues/2559.

Meanwhile a workaround with yarn resolution works by adding:

  "resolutions": {
    "@vue/cli-service/**/yargs-parser": "^13.1.2"
  },

Source

mashpie

👍6 😕1

Most helpful comment

Same problem.

dagostindiogo on 6 May 2020

👍6

All 9 comments

Anyone have a work-around for NPM instead of Yarn? Assuming the syntax may be different than what @mashpie posted above...

dosstx on 1 May 2020

@dosstx you might consider https://www.npmjs.com/package/npm-force-resolutions

still:

dev-server is run on local dev only (should be)
resolutions is just a temporary workaround to silence auditing alerts
fix should apply to webpack-dev-server

yet no issues on several "patched" projects...

mashpie on 1 May 2020

Same problem.

dagostindiogo on 6 May 2020

👍6

Should have been fixed with the release of webpack-dev-server 3.11.0

sodatea on 13 May 2020

👎2

I just wrote an article on this issue's fix. Check it out on medium https://medium.com/@dieguiviti/yargs-parser-vulnerability-fix-5ab421663d22

dieguiviti on 19 Jun 2020

👎2

I just wrote an article on this issue's fix. Check it out on medium https://medium.com/@dieguiviti/yargs-parser-vulnerability-fix-5ab421663d22

broken link, can't see the article on your profile either

lartheon on 29 Jul 2020

This is still not fixed with version 4.5.9

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-plugin-unit-jest [dev]                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-plugin-unit-jest > ts-jest > yargs-parser           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘