
glob-parent vulnerability issue with @vue/cli-service@4.5.13

Version 4.5.13

Environment info

  System:
    OS: macOS Mojave 10.14.6
    CPU: (12) x64 Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz
  Binaries:
    Node: 10.16.0 - /usr/local/bin/node
    Yarn: Not Found
    npm: 7.11.1 - /usr/local/bin/npm
  Browsers:
    Chrome: 91.0.4472.114
    Edge: Not Found
    Firefox: 88.0.1
    Safari: 13.1
  npmPackages:
    @casl/vue: ^1.2.2 => 1.2.2
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1
    @vue/babel-helper-vue-transform-on:  1.0.2
    @vue/babel-plugin-jsx:  1.0.6
    @vue/babel-plugin-transform-vue-jsx:  1.2.1
    @vue/babel-preset-app:  4.5.13
    @vue/babel-preset-jsx:  1.2.4
    @vue/babel-sugar-composition-api-inject-h:  1.2.1
    @vue/babel-sugar-composition-api-render-instance:  1.2.4
    @vue/babel-sugar-functional-vue:  1.2.2
    @vue/babel-sugar-inject-h:  1.2.2
    @vue/babel-sugar-v-model:  1.2.3
    @vue/babel-sugar-v-on:  1.2.3
    @vue/cli-overlay:  4.5.13
    @vue/cli-plugin-babel: ~4.5.13 => 4.5.13
    @vue/cli-plugin-e2e-cypress: ~4.5.0 => 4.5.13
    @vue/cli-plugin-eslint: ^3.1.1 => 3.1.1
    @vue/cli-plugin-router:  4.5.13
    @vue/cli-plugin-unit-jest: ^4.5.13 => 4.5.13
    @vue/cli-plugin-vuex:  4.5.13
    @vue/cli-service: ^4.5.13 => 4.5.13
    @vue/cli-shared-utils:  4.5.13 (3.12.1)
    @vue/component-compiler-utils:  3.2.2
    @vue/eslint-config-prettier: ^6.0.0 => 6.0.0
    @vue/preload-webpack-plugin:  1.1.2
    @vue/web-component-wrapper:  1.3.0
    eslint-plugin-vue: ^6.2.2 => 6.2.2 (4.7.1)
    jest-serializer-vue:  2.0.2
    vue: ^2.6.11 => 2.6.14
    vue-chartjs: ^3.4.2 => 3.5.1
    vue-cli-plugin-vuetify: ^2.0.5 => 2.4.1
    vue-eslint-parser:  7.6.0 (2.0.3)
    vue-hot-reload-api:  2.3.4
    vue-jest:  3.0.7
    vue-json-excel: ^0.2.98 => 0.2.99
    vue-loader:  15.9.7 (16.2.0)
    vue-router: ^3.1.6 => 3.5.2
    vue-style-loader:  4.1.3
    vue-template-compiler: ^2.6.11 => 2.6.14
    vue-template-es2015-compiler:  1.9.1
    vue-the-mask: ^0.11.1 => 0.11.1
    vuetify: ~2.4.0 => 2.4.11
    vuetify-loader: ^1.3.0 => 1.7.2
    vuex: ^3.1.3 => 3.6.2
  npmGlobalPackages:
    @vue/cli: 4.5.13

Steps to reproduce

npm audit

What is expected?

@vue/cli-service should depend on glob-parent version 5.1.2 or higher

What is actually happening?

npm audit is saying that: glob-parent <5.1.2 Severity: moderate Regular expression denial of service - https://npmjs.com/advisories/1751


Top GitHub Comments

sodatea commented, Aug 13, 2021 (1 reaction)

https://overreacted.io/npm-audit-broken-by-design/

NPM audit is broken. This is not a real vulnerability in almost every use case of Vue CLI. So I’m closing this issue.

dosstx commented, Aug 13, 2021 (0 reactions)

@Tricky-Ricky I fixed it by simply updating vue cli to latest 4x version (I didn’t update to 5x).

If there are still some threats, you can also do an ‘npm force resolutions’ hot fix.

I agree with @sodatea about npm being broken, but it’s impossible to convince security teams of that and we often can’t simply dismiss it. This is nothing against Vue-CLI, it’s just the sad state of affairs when using npm audit.
