
Dependency Bot warning about vulnerable dependencies: `ssri` and `is-svg`


Version

4.5.9

Reproduction link

https://github.com/upstage-org/mobilise

Environment info

Environment Info:

  System:
    OS: macOS 11.2.1
    CPU: (8) x64 Intel(R) Core(TM) i5-1030NG7 CPU @ 1.10GHz
  Binaries:
    Node: 15.6.0 - /usr/local/bin/node
    Yarn: 1.22.10 - /usr/local/bin/yarn
    npm: 7.4.0 - /usr/local/bin/npm
  Browsers:
    Chrome: 89.0.4389.90
    Edge: Not Found
    Firefox: 86.0.1
    Safari: 14.0.3
  npmPackages:
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-helper-vue-transform-on:  1.0.0-rc.2 
    @vue/babel-plugin-jsx:  1.0.0-rc.5 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  4.5.9 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli-overlay:  4.5.9 
    @vue/cli-plugin-babel: ~4.5.0 => 4.5.9 
    @vue/cli-plugin-eslint: ~4.5.0 => 4.5.9 
    @vue/cli-plugin-pwa: ~4.5.0 => 4.5.10 
    @vue/cli-plugin-router: ~4.5.0 => 4.5.9 
    @vue/cli-plugin-vuex: ~4.5.0 => 4.5.9 
    @vue/cli-service: ~4.5.0 => 4.5.9 
    @vue/cli-shared-utils:  4.5.9 (4.5.10)
    @vue/compiler-core:  3.0.4 (3.0.7)
    @vue/compiler-dom:  3.0.4 (3.0.7)
    @vue/compiler-sfc: ^3.0.0 => 3.0.4 
    @vue/compiler-ssr:  3.0.4 
    @vue/component-compiler-utils:  3.2.0 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/reactivity:  3.0.7 
    @vue/runtime-core:  3.0.7 
    @vue/runtime-dom:  3.0.7 
    @vue/shared:  3.0.7 (3.0.4)
    @vue/web-component-wrapper:  1.2.0 
    eslint-plugin-vue: ^7.7.0 => 7.7.0 
    vue: ^3.0.7 => 3.0.7 
    vue-eslint-parser:  7.6.0 
    vue-hot-reload-api:  2.3.4 
    vue-loader:  15.9.6 (16.1.2)
    vue-router: ^4.0.0-0 => 4.0.1 
    vue-style-loader:  4.1.2 
    vue-template-es2015-compiler:  1.9.1 
    vue3-draggable-resizable: ^1.6.0 => 1.6.0 
    vuex: ^4.0.0-0 => 4.0.0-rc.2 
    vuex-persistedstate: ^4.0.0-beta.1 => 4.0.0-beta.1 
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

There are no steps at all; everything was fine until the GitHub dependency bot discovered these vulnerabilities a few days ago, see attachment below: [Screenshot 2021-03-24 at 21 19 15]

What is expected?

No warning from GitHub's dependency bot

What is actually happening?

Dependency bot is warning about vulnerabilities inside these indirect dependencies: ssri and is-svg


ssri and is-svg are not our direct dependencies; after inspecting the yarn.lock we discovered that they were peer dependencies of @vue/cli-service

Issue Analytics

  • State: open
  • Created: 2 years ago
  • Reactions: 10
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

6 reactions
bobvandevijver commented, Apr 14, 2021

@sodatea The @vue/cli-service package directly depends on version 7 of ssri. For version 5 (which is currently in beta) it was bumped to version 8, per https://github.com/vuejs/vue-cli/commit/473eab2d786aa54b7ab816003df6fbfee79852e9.

It looks like the update did not have that much impact, so maybe it can be backported to version 4 of the cli-service?

3 reactions
sodatea commented, Apr 10, 2021

As said earlier, they are upstream issues, there’s nothing we can do here. Besides, they do not expose the users of Vue CLI to any real threats, it’s safe to ignore them.

They’re considered vulnerabilities because if you use these package versions in your Node.js web server, and process user inputs with them, your server might get compromised.

But that’s not the use case of Vue CLI, which is a developer tool.
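As an added example (not code from the issue, from Vue CLI or from the reporter's project), the two steps discussed in this thread done programmatically: the yarn.lock inspection the reporter did by hand, and sodatea's distinction between a package reached only through build tooling and one shipped at runtime. The script parses a yarn.lock v1 fragment, walks from each package.json root to the flagged packages, and reports whether any path starts in `dependencies` (bundled into a Node.js server or production install) or only in `devDependencies` (a developer tool such as @vue/cli-service). The lockfile and package.json are constructed for the demo: the intermediate package `example-css-minifier`, the URL and the integrity hash are invented, and the real chain from @vue/cli-service to is-svg is not reproduced here.

```javascript
// Added example: trace how flagged packages reach a project through yarn.lock v1
// and classify each path by the package.json section it starts from.

// Constructed yarn.lock fragment (not the project's real lockfile). Names from
// the issue are reused; "example-css-minifier", the URL and hash are invented.
const SAMPLE_YARN_LOCK = `
# yarn lockfile v1

"@vue/cli-service@~4.5.0":
  version "4.5.9"
  resolved "https://registry.example.invalid/cli-service-4.5.9.tgz#constructed"
  integrity sha512-CONSTRUCTED
  dependencies:
    "@vue/cli-shared-utils" "^4.5.9"
    example-css-minifier "^1.0.0"
    ssri "^7.1.0"

"@vue/cli-shared-utils@^4.5.9":
  version "4.5.9"

example-css-minifier@^1.0.0:
  version "1.0.3"
  dependencies:
    is-svg "^3.0.0"

is-svg@^3.0.0:
  version "3.0.0"

ssri@^7.1.0:
  version "7.1.0"

vue@^3.0.7:
  version "3.0.7"
`;

// Constructed package.json roots, using the ranges from the reporter's environment.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { vue: '^3.0.7' },
  devDependencies: { '@vue/cli-service': '~4.5.0' },
};

// Parse yarn.lock v1 into Map<"name@range", {name, version, deps: ["name@range"]}>.
// Headers sit at indent 0 and end with ':'; fields at indent 2; deps at indent 4.
function parseYarnLock(text) {
  const entries = new Map();
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || raw.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0 && line.endsWith(':')) {
      const keys = line.slice(0, -1).split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
      // lastIndexOf('@') keeps scoped names such as "@vue/cli-service" intact
      current = { name: keys[0].slice(0, keys[0].lastIndexOf('@')), version: null, deps: [] };
      for (const k of keys) entries.set(k, current);
      inDeps = false;
    } else if (indent === 2 && current) {
      if (line.startsWith('version ')) current.version = line.slice(8).replace(/"/g, '');
      inDeps = line === 'dependencies:' || line === 'optionalDependencies:';
    } else if (indent === 4 && current && inDeps) {
      const m = line.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) current.deps.push(`${m[1]}@${m[2]}`);
    }
  }
  return entries;
}

// Depth-first walk from every manifest root; every path ending at a flagged
// package is recorded with the section (dependencies/devDependencies) it began in.
function findPaths(entries, manifest, flagged) {
  const targets = new Set(flagged);
  const hits = [];
  function walk(key, section, path, onPath) {
    const entry = entries.get(key);
    if (!entry || onPath.has(entry)) return; // unresolved key or dependency cycle
    const next = [...path, `${entry.name}@${entry.version}`];
    if (targets.has(entry.name)) hits.push({ section, path: next });
    onPath.add(entry);
    for (const dep of entry.deps) walk(dep, section, next, onPath);
    onPath.delete(entry); // backtrack so shared nodes can appear on several paths
  }
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(manifest[section] || {})) {
      walk(`${name}@${range}`, section, [], new Set());
    }
  }
  return hits;
}

// Collapse hits per flagged package: runtime is true only if some path starts
// in "dependencies", i.e. the package ships with the application itself.
function exposureReport(hits) {
  const report = {};
  for (const h of hits) {
    const name = h.path[h.path.length - 1].replace(/@[^@]*$/, '');
    const r = report[name] || (report[name] = { runtime: false, sections: new Set(), paths: [] });
    r.runtime = r.runtime || h.section === 'dependencies';
    r.sections.add(h.section);
    r.paths.push(h.path.join(' > '));
  }
  for (const r of Object.values(report)) r.sections = [...r.sections].sort();
  return report;
}

const report = exposureReport(findPaths(parseYarnLock(SAMPLE_YARN_LOCK), SAMPLE_PACKAGE_JSON, ['ssri', 'is-svg']));
for (const [name, r] of Object.entries(report)) {
  console.log(`${name}: ${r.runtime ? 'reachable from runtime dependencies' : 'build tooling only'}`);
  for (const p of r.paths) console.log('  ' + p);
}
```

For a real project, replace the two constants with `fs.readFileSync('yarn.lock', 'utf8')` and `require('./package.json')`. A `devDependencies`-only result is the situation sodatea describes (the package runs on a developer machine during builds, not in a server handling user input); a path from `dependencies` means the package is part of the shipped application and the alert deserves a fix rather than a dismissal.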

