Webpack-dev-server: npm audit security warning

Created on 31 Dec 2018 · 24Comments · Source: webpack/webpack-dev-server

Operating System: All
Node Version: Any
NPM Version: Any
webpack Version:
webpack-dev-server Version: <=3.1.14
[x] This is a bug
[ ] This is a modification request

https://www.npmjs.com/advisories/725

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Missing Origin Validation                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-dev-server [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/725                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

Source

rosko

👍46

Most helpful comment

there seems to be a typo in the vulnerability database: https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4

Diaan on 2 Jan 2019

👍21 😄5 ❤3

All 24 comments

I have the same issue. I have tried: npm audit fix, manual update of webpack-dev-server to version 3.1.14, removal of node_modules and package-lock.json. Nothing of this helps.

With webpack-dev-server version 3.1.10 initially installed npm audit fix says

+ [email protected]
updated 1 package in 3.517s
fixed 1 of 1 vulnerability...

But then npm audit still reports about 1 high severity vulnerability:

~~~
=== npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Missing Origin Validation │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ webpack-dev-server │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.1.11 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-dev-server [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ webpack-dev-server │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/725 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 9001 scanned packages
1 vulnerability requires manual review. See the full report for details.
~~~

maddev0 on 31 Dec 2018

👍20

It's probably caused by #1604

SharakPL on 31 Dec 2018

Still getting this issue despite the fact that I am on v3.1.14. Reinstalling does nothing

untitled-1

Xamanthas on 1 Jan 2019

👍4

The npmjs advisory is currently inconsistent and there is no 3.1.x patch that npm audit will allow.

https://npm.community/t/advisory-725-inconsistently-marks-affected-versions/4333

pauldraper on 1 Jan 2019

👍4

Not working with [email protected]

manishaggarwalm on 2 Jan 2019

@antimodern Don't worry, you're not being hacked. As you can see, it's trying to access a local address - most likely your own computer. The reason it fails to do so is because you've disconnected from the network, and your computer lost its IP address.

skreborn on 2 Jan 2019

👍1

I'm getting the same issue, updating to 3.1.14 doesnt solve the issue, npm audit still returns the vulnerability after updating

charlesfaustin on 2 Jan 2019

👍1

there seems to be a typo in the vulnerability database: https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4

Diaan on 2 Jan 2019

👍21 😄5 ❤3

there seems to be a typo in the vulnerability database: https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4

You saved my rest of the day

manishaggarwalm on 2 Jan 2019

there seems to be a typo in the vulnerability database: https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4

how can we get this typo fixed? some builds require npm audit returning a clean bill of health

charlesfaustin on 2 Jan 2019

how can we get this typo fixed? some builds require npm audit returning a clean bill of health

Not sure, but the link in my previous post is a bug-report at NPM, so maybe voting on it will help it getting resolved faster.

Diaan on 2 Jan 2019

👍2

how can we get this typo fixed? some builds require npm audit returning a clean bill of health

Not sure, but the link in my previous post is a bug-report at NPM, so maybe voting on it will help it getting resolved faster.

done, thanks

charlesfaustin on 2 Jan 2019

Either wepack and create a new version with 3.2.0 like that would help?

On Wed, 2 Jan 2019 at 8:53 PM, Charles Freduah notifications@github.com
wrote:

how can we get this typo fixed? some builds require npm audit returning a
clean bill of health

Not sure, but the link in my previous post is a bug-report at NPM, so
maybe voting on it will help it getting resolved faster.

done, thanks

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/webpack/webpack-dev-server/issues/1615#issuecomment-450891741,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ApssRpxYQLaW0cLasw6nAvOm62wKYmDqks5u_M8NgaJpZM4Zlnt5
.

>

Thanks & Regards,Manish AggarwalMb: +919802551120

Skype: manish.aggarwalm

manishaggarwalm on 2 Jan 2019

Either wepack and create a new version with 3.2.0 like that would help?

I would just wait for the NPM audit team to fix this. This is a widely used dependency so I'm sure they'll have it fixed in a few hours.

SyedFarhan on 2 Jan 2019

Either wepack and create a new version with 3.2.0 like that would help?

probably not, unless they are releasing version 3.110.1 ;)

Diaan on 2 Jan 2019

😄2

Okay thanks let them do before its late

On Wed, 2 Jan 2019 at 9:00 PM, Syed Farhan notifications@github.com wrote:

Either wepack and create a new version with 3.2.0 like that would help?

I would just wait for the NPM audit team to fix this. This is widely used
dependency so I'm sure they'll have it fixed in a few hours.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/webpack/webpack-dev-server/issues/1615#issuecomment-450893487,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ApssRl7Zn_QJkj6H6cBJptPV75A7reemks5u_NCAgaJpZM4Zlnt5
.

>

Thanks & Regards,Manish AggarwalMb: +919802551120

Skype: manish.aggarwalm

manishaggarwalm on 2 Jan 2019

I think it is fixed, the audit passes for me.

Diaan on 2 Jan 2019

👍10

Cool, thank you all!

rosko on 2 Jan 2019

I'm still getting the error. Can someone please help me how to resolve this issue? Thanks.

webpackerror

tshravan86 on 7 Jan 2019

👍2

Hi @tshravan86. You must update the version of "webpack-dev-server" to 3.1.14 in the following files: package-lock.json and package.json. in all occurrences. Finally, run "npm update"

it works for me

nelson1212 on 7 Jan 2019

@nelson1212 note that npm update will update _all_ your package to their latest versions, which might not be what you want

smlombardi on 7 Jan 2019

If you want to do a more targeted update (and you tend to save exact version numbers in your package.json), here is what I did:

Update webpack-dev-server version in package.json
Delete package-lock.json
Delete the node_modules directory
Run npm i to re-fetch everything and write a new package-lock.json

Alternatively, if you use caret notation for your dependencies and want to be certain that _only_ webpack-dev-server is updated, follow what @nelson1212 suggested with the following change:

Update package.json and package-lock.json as @nelson1212 described
Blow away node_modules
Run npm i

chimericdream on 7 Jan 2019

👍1

@nelson1212 Thanks for your help, it worked. @chimericdream thanks for your information. Need to change the version number at package-lock.json as well. Thanks once again.

tshravan86 on 8 Jan 2019

🎉1

@nelson1212 Thanks for your help, it worked. @chimericdream thanks for your information. Need to change the version number at package-lock.json as well. Thanks once again.

My pleasure

nelson1212 on 8 Jan 2019

Was this page helpful?

0 / 5 - 0 ratings