vuepress install reports 2 high severity vulnerabilities

Created on 13 Aug 2020 · 9 Comments · Source: vuejs/vuepress




  • [x] I confirm that this is an issue rather than a question.




Bug report

Running the command npm install vuepress results in a "found 2 high severity vulnerabilities" error message.

Steps to reproduce

Running the command npm install vuepress results in a "found 2 high severity vulnerabilities" error message. Then the command npm audit results in:

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  High            Remote Code Execution

  Package         serialize-javascript

  Patched in      >=3.1.0

  Dependency of   vuepress

  Path            vuepress > @vuepress/core > copy-webpack-plugin >
                  serialize-javascript

  More info       https://npmjs.com/advisories/1548


  High            Remote Code Execution

  Package         serialize-javascript

  Patched in      >=3.1.0

  Dependency of   vuepress

  Path            vuepress > @vuepress/core > vue-server-renderer >
                  serialize-javascript

  More info       https://npmjs.com/advisories/1548

What is expected?

To release vuepress rebuilt with the package serialize-javascript version :3.1.0.

What is actually happening?

Other relevant information

  • Output of npx vuepress info in my VuePress project:

The output of npx vuepress info is an empty string, with only the header 'Environment Info:'


All 9 comments

2509 solves one of the two findings, I think

Looks like the other will require a major version update of copy-webpack-plugin from v5 to v6

While vuepress will unlikely live in the context where these two vulnerabilities mean the difference between success and failure, I reported this as a relatively important issue. At this time I do feel too green to go and fix it myself 😁

Looks like both of these can be resolved with an npm audit fix :tada: I think this issue can be closed now

A dependency bump was pushed to v5 for copy-webpack-plugin and the vue-server-renderer nested dependency has an updated version of serialize-javascript now.

Thank you for pursuing this so vigorously

I just followed the updates to downstream dependencies ☺️

@wrslatz #2585 does the version-bump of copy-webpack-plugin from 5 to 6, and it's only a 2-line change. Please say if you don't want this, and I can close it.

I think the PR definitely still makes sense to have, but it's not required to solve the referenced vulnerability.

I'm not an active maintainer of this repo, if you're looking for a review. Sorry 😔

@wrslatz I should have paid more attention to the title bar of your comment! Sorry. I've cheekily @-ed a maintainer on the PR, let's see if that helps.
