node-forge and postcss Vulnerabilities with Vue 2

  • Laravel Mix Version: 6.0.39
  • Node Version (node -v): 16.6.1
  • NPM Version (npm -v): 8.3.0
  • OS: Windows 11

Description:

I use VueJS 2 for my frontend and I am using laravel-mix to compile the assets. Recently, I came across a vulnerability reported by NPM regarding node-forge, which is a dependency installed due to laravel-mix, and one for postcss, which is caused by vue-loader < 17.0.0. I tried upgrading to vue-loader 17.0.0 but that broke my webpack compilation. I request your help in resolving these vulnerabilities without breaking the code.

package.json

"devDependencies": {
    "axios": "^0.24.0",
    "css-loader": "^6.5.1",
    "laravel-mix": "^6.0.39",
    "lodash": "^4.17.21",
    "sass": "^1.45.1",
    "sass-loader": "^12.4.0",
    "vue": "^2.6.14",
    "vue-loader": "^15.9.8",
    "vue-template-compiler": "^2.6.14"
},

Vulnerabilities reported in npm audit:

# npm audit report

node-forge  <1.0.0
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
fix available via `npm audit fix --force`
Will install laravel-mix@1.1.1, which is a breaking change
node_modules/node-forge
  selfsigned  >=1.1.1
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned
    webpack-dev-server  >=2.5.0
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
      laravel-mix  >=1.2.0
      Depends on vulnerable versions of webpack-dev-server
      node_modules/laravel-mix

postcss  <8.2.13
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install vue-loader@17.0.0, which is a breaking change
node_modules/@vue/component-compiler-utils/node_modules/postcss
  @vue/component-compiler-utils  *
  Depends on vulnerable versions of postcss
  node_modules/@vue/component-compiler-utils
    vue-loader  15.0.0-beta.1 - 15.9.8
    Depends on vulnerable versions of @vue/component-compiler-utils
    node_modules/vue-loader

Error if I try to use vue-loader v17.0.0:

[webpack-cli] Error: Cannot find module 'vue/compiler-sfc'

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Reactions: 8
  • Comments: 8

Top GitHub Comments

1 reaction
arborrow commented, Jan 13, 2022

For postcss, I added a comment to the impacted resolve-url-loader (4.0.0) in the hopes that they might release v5 that would upgrade postcss to a later version (currently pinned to 7.0.39).

To prevent the vulnerable packages (postcss < 8.2.13 and node-forge < 1.0) from being on my production server, I have used yarn install --production since the impacted packages are devDependencies.
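One way to verify that reasoning before relying on a production-only install, as an added example that is not code from the issue or from laravel-mix: read the `packages` map of a lockfileVersion 2 package-lock.json, where dev-only packages carry `"dev": true`, and flag every installed copy that falls inside an advisory's vulnerable range as either dev-only (skipped by `yarn install --production`) or production-reachable. The lock fragment and the `8.4.5` production copy of postcss are constructed for illustration; the package names, ranges and GHSA ids come from the audit output above.

```javascript
// Constructed lockfileVersion 2 package-lock.json fragment mirroring the audit
// chains above; versions and "dev" flags are illustrative, not from the issue.
const LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/node-forge": { version: "0.10.0", dev: true },
    "node_modules/laravel-mix": { version: "6.0.39", dev: true },
    "node_modules/@vue/component-compiler-utils/node_modules/postcss": { version: "7.0.39", dev: true },
    "node_modules/postcss": { version: "8.4.5" }, // hypothetical production copy, patched
  },
};
// Advisories as listed in the audit report above: package, vulnerable range, GHSA id.
const ADVISORIES = [
  { name: "node-forge", range: "<1.0.0", id: "GHSA-5rrq-pxf6-6jx5" },
  { name: "postcss", range: "<8.2.13", id: "GHSA-566m-qj78-rww5" },
];

// Compare dotted numeric versions; pre-release tags are not handled here.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}
// Accept the single-comparator ranges npm audit prints, e.g. "<1.0.0" or ">=2.5.0".
function inRange(version, range) {
  const m = /^(<=|>=|<|>)(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = cmpVersion(version, m[2]);
  return { "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0 }[m[1]];
}
// A lock path ends in "node_modules/<name>"; nested copies keep their full path.
function packageName(lockPath) {
  return lockPath.slice(lockPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

// One entry per vulnerable installed copy. devOnly copies are skipped by a
// production-only install; copies without the dev flag ship to production.
function classify(lock, advisories) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    for (const adv of advisories) {
      if (packageName(path) === adv.name && inRange(meta.version, adv.range)) {
        out.push({ id: adv.id, path, version: meta.version, devOnly: meta.dev === true });
      }
    }
  }
  return out;
}
console.log(classify(LOCK, ADVISORIES));
```

Any entry with `devOnly: false` would still be present after a production-only install and needs an actual upgrade rather than an install flag.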

0 reactions
HDVinnie commented, Jan 18, 2022
  "devDependencies": {
-    "ajv": "^8.8.2",
+    "ajv": "^8.9.0",
    "axios": "^0.21.4",
    "bootstrap-sass": "^3.4.1",
    "cross-env": "^7.0.3",
    "jquery": "^3.6.0",
    "laravel-echo": "^1.11.3",
-    "laravel-mix": "^6.0.39",
+    "laravel-mix": "^6.0.41",
    "lodash": "^4.17.21",
    "postcss": "^8.4.5",
-    "resolve-url-loader": "4.0.0",
-    "sass": "^1.47.0",
+    "resolve-url-loader": "^5.0.0",
+    "sass": "^1.48.0",
    "sass-loader": "^12.4.0",
    "socket.io": "^2.4.0",
    "socket.io-client": "^2.3.1",
-    "sweetalert2": "^11.3.4",
+    "sweetalert2": "^11.3.6",
    "vue": "^2.6.14",
-    "vue-loader": "^15.9.8",
+    "vue-loader": "^17.0.0",
    "vue-template-compiler": "^2.6.14"
  },
  "dependencies": {
-    "alpinejs": "^3.7.1",
+    "alpinejs": "^3.8.1",
    "dayjs": "^1.10.7",
    "keen-slider": "^5.5.1",
    "node-vibrant": "^3.1.6",
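Review bot: the bump of "vue-loader" from ^15.9.8 to ^17.0.0 while "vue" stays at ^2.6.14 is the exact pairing the issue already reports as failing with Cannot find module 'vue/compiler-sfc', and the error quoted right after this diff confirms it. The change this comment attributes to the postcss finding, "resolve-url-loader" moving from the pinned 4.0.0 to ^5.0.0, does not require that bump, so suggest leaving `"vue-loader": "^15.9.8"` next to `"vue-template-compiler": "^2.6.14"`, keeping the resolve-url-loader and laravel-mix updates, and re-running npm audit to see which findings remain before touching vue-loader again.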

I'm still getting

[webpack-cli] Error: Cannot find module 'vue/compiler-sfc'

When running npx mix -p
