Webpacker: webpack-dev-server vulnerability

Created on 7 Jan 2019 · 13 comments · Source: rails/webpacker

Hello,

First of all, I want to say thank you for doing such a great job with webpacker!

Two days ago we got the following vulnerability notification: https://nvd.nist.gov/vuln/detail/CVE-2018-14732. To actually fix it we need to update webpack-dev-server to at least version 3.1.11. I've tried to update it to that version, but it's currently not possible due to the following error when starting the dev server:

module.js:549
    throw err;
    ^

Error: Cannot find module 'webpack'
    at Function.Module._resolveFilename (module.js:547:15)
    at Function.Module._load (module.js:474:25)
    at Module.require (module.js:596:17)
    at require (internal/module.js:11:18)
    at Object.<anonymous> (/node_modules/webpack-dev-server/bin/webpack-dev-server.js:26:17)
    at Module._compile (module.js:652:30)
    at Object.Module._extensions..js (module.js:663:10)
    at Module.load (module.js:565:32)
    at tryModuleLoad (module.js:505:12)
    at Function.Module._load (module.js:497:3)

We use the dev server only locally, so it's not a big problem for us. Nevertheless, it would be great to fix the issue.

Most helpful comment

@stefanvermaas is there an ETA for when 4.0 would be released? Thank you!

All 13 comments

I think this can only be fixed by upgrading to the latest (4.0.x) version of Webpacker (which is still in beta): the suggested fix (upgrade webpack-dev-server to ^3.1.11) is not possible because webpack-dev-server depends on webpack > 4.0.

Might be useful to ask the webpack team to also release a 2.x.x fix.

PS: The first part of the fix would be to add webpack-cli to your package.json.

@stefanvermaas Thanks for the response. Yes, I've tried to use the release candidate version, but since it's an rc it's not stable. I suppose it's highly unlikely that the webpack team will release another fix for 2.x.x, because the problem might not be that easy to fix in the old version of webpack.

I think the most reasonable thing to do is to wait, but at the same time I wanted to make sure that the issue is known.

I agree. Getting Webpacker ready for version 4.0 is the only actual thing that would fix the problem.

I see that the Webpack team already answered the question; they won't make a patch for 2.x.x because 2.x.x is deprecated. https://github.com/webpack/webpack-dev-server/pull/1603#commitcomment-31236145

@stefanvermaas is there an ETA for when 4.0 would be released? Thank you!

Any timeframe on when this will be patched? The vulnerability was published on 09/21/2018; it seems unacceptable to leave a security hole around for this long?

I agree, it needs to be patched, but isn't the risk profile super low?

The vulnerability is in the webpack-dev-server isn't it... so it's only a risk in Dev environments, not Production?

@ale7714 I'm not sure. Maybe @gauravtiwari can shine some light on this? He's working very hard on making 4.0 possible. There is already a third release candidate: https://www.npmjs.com/package/@rails/webpacker/v/4.0.0-rc.3

@Yanchek99: A patch is not possible, because webpack-dev-server won't bring out a patch for version 2.x.x, which @rails/webpacker 3.x.x depends on. The only way to fix this is to use the last release candidate.

@stefanvermaas Understood, thanks for the reply. I wish GitHub would disregard this vulnerability; the warning there makes it seem more severe than it is.

@Yanchek99 you can dismiss specific vulnerabilities in your project by going to that specific vulnerability and choosing a reason for the dismissal:

Note that the latest non-beta release of Rails, 5.2.2, will currently create a package.json with:

"devDependencies": {
  "webpack-dev-server": "2.11.2"
}

when asked to initialize a new app with rails new appname --webpack.

So Rails is installing a deprecated version? This seems odd. It also seems odd to me that it's creating a package.json with a hard-coded locked "2.11.2", rather than "~2.11.2" or "^2.11.2", so no upgrades with yarn upgrade are possible without a manual edit of package.json.

What I understand from this ticket is not only is the current release of Rails creating app skeletons with rails new that use a version of webpack-dev-server with a CVE -- but there is in fact no supported way to manually use any version of webpack-dev-server that doesn't have a CVE with rails either?

This seems to me like an urgent matter, no? Should Rails stop installing or recommending the use of webpack-dev-server at all until there is a way to use a version that does not have a CVE? I do not expect "omakase" to mean serving me a poisoned meal!
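The two concrete facts in this thread are that the fixed webpack-dev-server is 3.1.11 or later, and that the Rails 5.2.2 skeleton pins "2.11.2" exactly, so yarn upgrade cannot move it. Below is an added check (example code written for this page, not code from the thread, from webpacker or from Rails) that reads a package.json and a yarn v1 lockfile and reports both conditions. The sample package.json and yarn.lock contents are constructed to mirror what the comment above describes; the function names and the "findings" shape are this example's own.

```javascript
// Added example: audit a project's webpack-dev-server version against the
// fix version named in the thread (3.1.11) and flag an exact pin in
// package.json. Not part of webpacker or Rails; names and inputs are
// this example's own, and the sample inputs below are constructed.

const PACKAGE = 'webpack-dev-server';
const FIX_VERSION = '3.1.11'; // first fixed version, as stated in the thread

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", pre-release suffix ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// An exact pin ("2.11.2") as opposed to a range ("^2.11.2", "~2.11.2").
function isExactPin(spec) {
  return /^v?\d+\.\d+\.\d+$/.test(spec.trim());
}

// Resolved version of `pkg` from a yarn v1 lockfile. Entries look like:
//   webpack-dev-server@2.11.2:
//     version "2.11.2"
// Headers start at column 0 and end with ":", body lines are indented.
function resolvedFromYarnLock(lockText, pkg) {
  const lines = lockText.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i].trim();
    if (!/^\S/.test(lines[i]) || !line.endsWith(':')) continue;
    const selectors = line.slice(0, -1).split(',')
      .map(s => s.trim().replace(/^"|"$/g, ''));
    if (!selectors.some(s => s.startsWith(pkg + '@'))) continue;
    for (let j = i + 1; j < lines.length && /^\s/.test(lines[j]); j++) {
      const vm = /^\s+version\s+"([^"]+)"/.exec(lines[j]);
      if (vm) return vm[1];
    }
  }
  return null;
}

// Returns a list of findings; an empty list means nothing to report.
function audit(packageJsonText, yarnLockText) {
  const findings = [];
  const pkg = JSON.parse(packageJsonText);
  for (const section of ['dependencies', 'devDependencies']) {
    const spec = pkg[section] && pkg[section][PACKAGE];
    if (spec && isExactPin(spec)) {
      findings.push({ source: `package.json ${section}`, spec,
        reason: 'exact pin: yarn upgrade cannot move it without editing package.json' });
    }
  }
  const resolved = resolvedFromYarnLock(yarnLockText, PACKAGE);
  if (resolved && compareVersions(resolved, FIX_VERSION) < 0) {
    findings.push({ source: 'yarn.lock', version: resolved,
      reason: `resolved version is below ${FIX_VERSION}` });
  }
  return findings;
}

// Constructed sample inputs mirroring a Rails 5.2.2 "rails new appname --webpack" skeleton.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'appname',
  dependencies: { '@rails/webpacker': '3.5' },
  devDependencies: { 'webpack-dev-server': '2.11.2' },
});

const SAMPLE_YARN_LOCK = [
  '# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.',
  '# yarn lockfile v1',
  '',
  '"@rails/webpacker@3.5":',
  '  version "3.5.5"',
  '',
  'webpack-dev-server@2.11.2:',
  '  version "2.11.2"',
  '  dependencies:',
  '    ansi-html "0.0.7"',
  '',
].join('\n');

function main() {
  const findings = audit(SAMPLE_PACKAGE_JSON, SAMPLE_YARN_LOCK);
  for (const f of findings) console.log(JSON.stringify(f));
  return findings.length;
}

main();
```

Run it with node against the constructed inputs and it reports two findings: the exact pin in devDependencies and the lockfile's resolved 2.11.2 being below 3.1.11. Only the lockfile's resolved version is compared against the fix, because a caret or tilde range in package.json says nothing about what was actually installed.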

Can this issue be closed?

@guillaumebriday according to https://github.com/nixsolutions/thank-you/issues/35 it can be closed. Thanks.

👍
