Webpack-dev-server: Missing Origin Validation during npm install
- Operating System: Windows 10
- Node Version: v11.1.0
- NPM Version: 6.4.1
- webpack Version: 3.12.0
- webpack-dev-server Version: 3.1.10
- [x] This is a bug
- [ ] This is a modification request
Code
N/A
Expected Behavior
npm install finishes without error
Actual Behavior
```npm install finishes with the following error ::
npm WARN deprecated [email protected]: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
npm WARN deprecated [email protected]: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
[email protected] install C:xampphtdocslaravuenode_modulesnode-sass
node scripts/install.js
Cached binary found at C:UsersUserAppDataRoamingnpm-cachenode-sass4.10.0win32-x64-67_binding.node
[email protected] postinstall C:xampphtdocslaravuenode_moduleswebpacknode_modulesuglifyjs-webpack-plugin
node lib/post_install.js
[email protected] postinstall C:xampphtdocslaravuenode_modulesnode-sass
node scripts/build.js
Binary found at C:xampphtdocslaravuenode_modulesnode-sassvendorwin32-x64-67binding.node
Testing binary
Binary is fine
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN [email protected] requires a peer of imagemin@^5.0.0 || ^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN [email protected] requires a peer of ajv@^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modulesfsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
added 1189 packages from 698 contributors and audited 11710 packages in 196.717s
found 1 high severity vulnerability
run npm audit fix to fix them, or npm audit for details
### For Bugs; How can we reproduce the behavior?
On Windows environment, launch cmd and run the following commands ::
composer create-project --prefer-dist laravel/laravel laravel
And then run
npm install
```
For Features; What is the motivation and/or use-case for the feature?
tpw1314
All 47 comments
I remember the first time I installed laravel via composer + npm install, there was not a problem at all. However, I had to re-install a fresh laravel project so I ended up just 'Right click' and delete the project folder.
After few busy weeks I now decided to have fresh laravel project and then run npm install and boom.
tpw1314
on 11 Nov 2018
I also get this error. Even when I make a new project and then use npm install I get the following message:
audited 11772 packages in 15.252s
found 1 high severity vulnerability
runnpm audit fixto fix them, ornpm auditfor details
Whenever I use the npm audit command I get this message:
Manual Review
Some vulnerabilities require your attention to resolveVisit https://go.npm.me/audit-guide for additional guidanceHigh Missing Origin Validation
Package webpack-dev-server
Patched in >=3.1.6
Dependency of laravel-mix [dev]
Path laravel-mix > webpack-dev-server
More info https://nodesecurity.io/advisories/725
Anyone any ideas on how to fix this?
Baspa
on 11 Nov 2018
Please this create issue in laravel-mix. you use old webpack-dev-server version in laravel-mix
alexander-akait
on 12 Nov 2018
Any chance the security fix will get backported to [email protected]? We're still on [email protected] yet which relies on this version range. Thanks for your consideration.
````
=== npm audit security report ===
Run npm install [email protected] to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
βββββββββββββββββ¬βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β High β Missing Origin Validation β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Package β webpack-dev-server β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Dependency of β react-scripts β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Path β react-scripts > webpack-dev-server β
βββββββββββββββββΌβοΏ½οΏ½οΏ½βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β More info β https://nodesecurity.io/advisories/725 β
βββββββββββββββββ΄βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
````
tanx
on 12 Nov 2018
@tanx webpack-dev-server@2 is deprecated and not updated anymore due a lot of bugs and security problems, sorry
alexander-akait
on 12 Nov 2018
For all of you, this issue appears to be solved by this #1815
tpw1314
on 13 Nov 2018
Not in [email protected] unfortunately though.
tanx
on 13 Nov 2018
Please refer to this issue. Apparently it is not fixed yet.
tpw1314
on 19 Nov 2018
Seeing the same. This issue hasn't been fixed yet.
connecteev
on 21 Nov 2018
Same here.
JhumanJ
on 21 Nov 2018
Same here. Not using laravel-mix AFAIK
Download
on 23 Nov 2018
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Missing Origin Validation
Package webpack-dev-server
Patched in >=3.1.6
Dependency of laravel-mix [dev]
Path laravel-mix > webpack-dev-server
More info https://nodesecurity.io/advisories/725
found 1 high severity vulnerability in 15147 scanned packages
1 vulnerability requires manual review. See the full report for details.
Already, what we can do with this vulnerabilities? Do it works in a local server?
proliuk
on 26 Nov 2018
Still not resolved as of this evening. Fresh laravel install on Amazon AMI still shows report. Working locally but I haven't tried to deploy.
rymartin767
on 30 Nov 2018
npm install laravel-mix@beta fixes the problem
SharakPL
on 7 Dec 2018
@SharakPL options actually fixes the problem. Thanks a lot!
enbermudas
on 10 Dec 2018
@SharakPL thats work fine for me, tnks!
jeffegiovani
on 11 Dec 2018
npm install laravel-mix@betafixes the problem
i did this and worked, but i have some kind of issue with babel-core now, guess it's a separated issue
LaravDev
on 11 Dec 2018
Anyone manage to run npm install laravel-mix without hitting any error even after a month ?
tpw1314
on 16 Dec 2018
yes i am also getting the same issues.
deepeshmadkar
on 16 Dec 2018
I can confirm. I'm using create-react-app.
vldmrkl
on 31 Dec 2018
As am I, latest CRA is using [email protected] so I notified them in the existing issue that was opened https://github.com/facebook/create-react-app/issues/5777#issuecomment-450684848
ealexhaywood
on 31 Dec 2018
Issue still persist. Using fresh copy of create-react-app on Mac OS High sierra
amitozdeol
on 31 Dec 2018
Issue is occuring with vue/cli-service
dvvdev
on 1 Jan 2019
having the same issue with creat-react-app! can somebody clarify why this is closed?! The react issue links to here and is closed as well
tetrohed
on 1 Jan 2019
Everyone who is using create react app should post here https://github.com/facebook/create-react-app/issues/5777. Webpack has already said they are not back porting fixes. Tell create-react-app to update their webpack dev server version.
ealexhaywood
on 1 Jan 2019
The problem started around this midnight I suppose
And it seems like it is wrongly listed here https://www.npmjs.com/advisories/725/versions as it says version 3.1.6+ is fine but is listed as affected as well.
simPod
on 1 Jan 2019
I'm getting this directly when just installing webpack-dev-server. I create a new folder, run npm init then npm install webpack-dev-server --save and i get:
=== npm audit security report ===
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Manual Review β
β Some vulnerabilities require your attention to resolve β
β β
β Visit https://go.npm.me/audit-guide for additional guidance β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββ¬βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β High β Missing Origin Validation β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Package β webpack-dev-server β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Patched in β >=3.1.11 β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Dependency of β webpack-dev-server β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Path β webpack-dev-server β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β More info β https://nodesecurity.io/advisories/725 β
βββββββββββββββββ΄βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
found 1 high severity vulnerability in 3441 scanned packages
1 vulnerability requires manual review. See the full report for details.
when i run npm audit
What's interesting is that the link https://nodesecurity.io/advisories/725 informs me that this is regarding version 3.1.6 and earlier, but the latest i 3.1.14 right? is NPM maybe interpreting 3.1.1* as lower that 3.1.6?
millenjo
on 1 Jan 2019
is NPM maybe interpreting 3.1.1* as lower that 3.1.6?
just tried 3.1.9 βΒ the same(
palkan
on 2 Jan 2019
If you run 'npm install' on Node v8.12.0, the following error appears. (npm v6.4.1)
``` === npm audit security report ===
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Manual Review β
β Some vulnerabilities require your attention to resolve β
β β
β Visit https://go.npm.me/audit-guide for additional guidance β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββ¬βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β High β Missing Origin Validation β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Package β webpack-dev-server β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Patched in β >=3.1.11 β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Dependency of β webpack-dev-server [dev] β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Path β webpack-dev-server β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β More info β https://nodesecurity.io/advisories/725 β
βββββββββββββββββ΄βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
found 1 high severity vulnerability in 10268 scanned packages
1 vulnerability requires manual review. See the full report for details.
```
'npm install' on Node v6.14.4 does not output an error. (npm v3.10.10)
falsy
on 2 Jan 2019
@falsy. we are seeing the same thing. I've retried it with 3.1.11 through 3.1.14 and no dice.
fergyfresh
on 2 Jan 2019
Those versions are listed as affected
simPod
on 2 Jan 2019
This was due to a typo in the vulnerability database apparently: https://npm.community/t/advisory-725-inconsistently-marks-affected-versions/4333/3
evalineBai
on 2 Jan 2019
On the 1st January I contacted NPM. Should be just fine now
simPod
on 2 Jan 2019
@falsy. we are seeing the same thing. I've retried it with
3.1.11through3.1.14and no dice.
@fergyfresh Hi, fergyfresh.
First of all, I am sorry but I am not good at English. (I didn't understand the meaning of 'dice'.)
I am currently using v3.1.14. Most webpack-dev-server v3.1.x output an error on node v8.12.0. However, we have used the NVM to change to Node v6.14.4 and have verified that it does not output subsequent installed result errors.
I don't think this is the solution.
If you need more information from me, let me know.
Thank you.
falsy
on 2 Jan 2019
@falsy it just means it did not work. Still have the high vulnerability security warning.
fergyfresh
on 2 Jan 2019
@fergyfresh I tested it on my PC at home and found it installed on node v8.12.0 without errors.
Sorry, I think the cause of the problem is something other than the node version.
falsy
on 2 Jan 2019
@falsy Have you read my posts? I think it explains it all.
simPod
on 2 Jan 2019
@simPod I can confirm that it's been fixed. npm audit is clean now.
SharakPL
on 2 Jan 2019
@simPod Oh, now the error is not output. Thank you.
falsy
on 3 Jan 2019
I'm also getting the same issues. Althought I was update [email protected]. But I can't run npm run dev. TypeError: Cannot destructure propertycompileof 'undefined' or 'null'.
quang5566
on 3 Jan 2019
I'm also still seeing the issue. If anyone found a solution please help.
bandisudhir
on 4 Jan 2019
IΒ΄m also getting this isusue on a mac. I am new to react.js, so is there a way to solve it or to bypass it?
jduser36
on 4 Jan 2019
Is your issue Missing Origin Validation? Do have installed only v3.1.11+?
simPod
on 4 Jan 2019
Yes it is, and i have the version 3.5.0 installed.
jduser36
on 4 Jan 2019
Read the link first then https://nodesecurity.io/advisories/725 to understand that you are using affected version and then upgrade it.
simPod
on 5 Jan 2019
I'm also still seeing the issue. If anyone found a solution please help.
After updating the [email protected]. The problem is resolved though it is still showing 1 high vulnerability I was able to install required packages. If your problem is not resolved delete node_modules folder and install again. Hoping your problem will be resolved.
bandisudhir
on 7 Jan 2019
Yes it is, and i have the version 3.5.0 installed.
Please check the version properly the highest version of webpack-dev-server available is 3.1.14 when I'm writing this comment.
bandisudhir
on 7 Jan 2019
Related issues
Ky6uk
Β·
3Comments
wojtekmaj
Β·
3Comments
adiachenko
Β·
3Comments
gimmi
Β·
3Comments
mrdulin
Β·
3Comments
Most helpful comment
I'm getting this directly when just installing webpack-dev-server. I create a new folder, run
npm initthennpm install webpack-dev-server --saveand i get:when i run
npm auditWhat's interesting is that the link
https://nodesecurity.io/advisories/725informs me that this is regarding version 3.1.6 and earlier, but the latest i 3.1.14 right? is NPM maybe interpreting3.1.1*as lower that3.1.6?