Webpack-dev-server: WS-2018-0588 (High severity) detected in querystringify

Created on 8 Jun 2019 · 12 Comments · Source: webpack/webpack-dev-server

  • Operating System: Windows 10
  • Node Version: 10.15.3
  • NPM Version: 6.4.1
  • webpack Version: 4.33.0
  • webpack-dev-server Version: 3.7.1
  • [ ] This is a bug
  • [X] This is a modification request

Code

No code, see https://github.com/unshiftio/querystringify/pull/19

Expected Behavior

To be secure

Actual Behavior

A vulnerability was found in querystringify before 2.0.0.

For Bugs; How can we reproduce the behavior?

A vulnerability was found in querystringify before 2.0.0. It's possible to override built-in properties of the resulting query string object if a malicious string is inserted in the query string.

For Features; What is the motivation and/or use-case for the feature?

Security. See more here: https://github.com/unshiftio/querystringify/pull/19
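As an added illustration of the bug class named in this report (not code from querystringify or webpack-dev-server; the library's actual fix is in the linked PR), the following shows a naive query-string parser whose result object can have a built-in property such as `hasOwnProperty` overridden by a crafted key, beside a hardened parser that skips any key already present on the result, inherited properties included. The function names (`parseNaive`, `parseSafe`, `hasParam`, `probe`) and the sample query string are mine.

```javascript
// Added example, not code from querystringify or webpack-dev-server.
// It reproduces the bug class the report describes (a query-string key that
// overrides a built-in property of the result object) and one hardening.
// Function names are mine; the library's actual fix is in the linked PR.

// Percent-decode one component; return null on malformed input so the
// caller can drop the pair instead of throwing.
function decode(input) {
  try {
    return decodeURIComponent(input.replace(/\+/g, ' '));
  } catch (e) {
    return null;
  }
}

// Naive parser: every key is assigned straight into a plain object, so
// "?hasOwnProperty=x" replaces the inherited method with the string "x".
function parseNaive(query) {
  const result = {};
  const parser = /([^=?#&]+)=?([^&]*)/g;
  let part;
  while ((part = parser.exec(query))) {
    const key = decode(part[1]);
    const value = decode(part[2]);
    if (key === null || value === null) continue;
    result[key] = value;
  }
  return result;
}

// Hardened parser: a key that already exists on the result, own or
// inherited (`in` walks the prototype chain), is skipped. That protects
// hasOwnProperty, toString, constructor, __proto__ and friends, and also
// makes the first occurrence of a repeated key win.
function parseSafe(query) {
  const result = {};
  const parser = /([^=?#&]+)=?([^&]*)/g;
  let part;
  while ((part = parser.exec(query))) {
    const key = decode(part[1]);
    const value = decode(part[2]);
    if (key === null || value === null || key in result) continue;
    result[key] = value;
  }
  return result;
}

// Typical consumer code that trusts the parsed object to still behave
// like a normal object. With the naive parser this throws a TypeError
// when the query string carried "hasOwnProperty=...".
function hasParam(params, name) {
  return params.hasOwnProperty(name);
}

// Returns 'ok', 'missing', or the thrown error's name, so the difference
// between the two parsers is observable as a return value.
function probe(parse, query, name) {
  try {
    return hasParam(parse(query), name) ? 'ok' : 'missing';
  } catch (e) {
    return e.name;
  }
}

// Constructed sample query string carrying a hostile key.
const SAMPLE = 'foo=bar&hasOwnProperty=x';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive:', probe(parseNaive, SAMPLE, 'foo'));    // TypeError
  console.log('hardened:', probe(parseSafe, SAMPLE, 'foo'));  // ok
  console.log(parseSafe('a=1&a=2&__proto__=polluted'));        // { a: '1' }
}
```

The trade-off of the `key in result` check is that legitimate parameters named like built-ins (`constructor`, `toString`) are silently dropped; a null-prototype result (`Object.create(null)`) keeps them as ordinary own keys instead, but then consumers must use `Object.prototype.hasOwnProperty.call(params, name)` rather than `params.hasOwnProperty(name)`.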

Most helpful comment

npm ls querystringify

└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]

querystringify in webpack-dev-server is the latest version.
https://github.com/unshiftio/querystringify/releases

I think that is a bug on the github side.

All 12 comments

@hiroppy it may be an issue on my side. I'll get back to you later. The GitHub security check claims something is wrong, but I'm away from my computer right now. Thank you for your time, have a great day :)

Same with my gatsby project repos. I did a yarn audit... No vulnerabilities found.

Please open an issue in the url-parse package; we can't do anything here on our side.

Also, all security problems are better reported in a DM (gitter, slack) or by email. Also, we use [email protected]

Thank you for your patience. The issue was on my side. I cannot reproduce any problems locally or find the old version that Github claims I have.

I'm sorry I wasted your time and wrongly accused you of using outdated packages. Thank you for your helpful responses. Have a wonderful day! :)

no problem, thank you for the reporting.

Have you solved this?

@C451 No. I'm not sure where to report errors with the GitHub "Security Alerts". I think Microsoft will resolve that issue eventually. It fails to create an automated "security fix" pull request

Dependabot cannot update to the required version.

It seems strange that only a few people experience this bug, considering how many people use webpack. I will try to contact the support.

Yesterday, I saw this security alert at this repo, but now I cannot see this alert. So, this problem was fixed.

Hmmm, I still see the alert. Anyways, it is better to send them a letter.

Edit: the alert just magically disappeared. Probably the support team has the ability to read our minds.

It's partially gone for me now. It's not in my repo, nor in the Security Alerts overview, but there is a message about it that I can't read under notifications. Seems like Microsoft is fixing it.
