Security issue with css-what in @vue/cli-service 4.5.13
Version
4.5.13
Reproduction link
https://github.com/ahermant/vue-cli-service-issue
Environment info
Environment Info:
System:
OS: macOS 11.2.2
CPU: (16) x64 Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
Binaries:
Node: 12.21.0 - ~/.nvm/versions/node/v12.21.0/bin/node
Yarn: 1.22.10 - /usr/local/bin/yarn
npm: 6.14.11 - ~/.nvm/versions/node/v12.21.0/bin/npm
Browsers:
Chrome: 91.0.4472.77
Edge: Not Found
Firefox: 89.0
Safari: 14.0.3
npmPackages:
@vue/babel-helper-vue-jsx-merge-props: 1.2.1
@vue/babel-helper-vue-transform-on: 1.0.2
@vue/babel-plugin-jsx: 1.0.6
@vue/babel-plugin-transform-vue-jsx: 1.2.1
@vue/babel-preset-app: 4.5.13
@vue/babel-preset-jsx: 1.2.4
@vue/babel-sugar-composition-api-inject-h: 1.2.1
@vue/babel-sugar-composition-api-render-instance: 1.2.4
@vue/babel-sugar-functional-vue: 1.2.2
@vue/babel-sugar-inject-h: 1.2.2
@vue/babel-sugar-v-model: 1.2.3
@vue/babel-sugar-v-on: 1.2.3
@vue/cli-overlay: 4.5.13
@vue/cli-plugin-babel: ~4.5.0 => 4.5.13
@vue/cli-plugin-eslint: ~4.5.0 => 4.5.13
@vue/cli-plugin-router: 4.5.13
@vue/cli-plugin-vuex: 4.5.13
@vue/cli-service: ~4.5.0 => 4.5.13
@vue/cli-shared-utils: 4.5.13
@vue/component-compiler-utils: 3.2.0
@vue/preload-webpack-plugin: 1.1.2
@vue/web-component-wrapper: 1.3.0
eslint-plugin-vue: ^6.2.2 => 6.2.2
vue: ^2.6.11 => 2.6.14
vue-eslint-parser: 7.6.0
vue-hot-reload-api: 2.3.4
vue-loader: 15.9.7 (16.2.0)
vue-style-loader: 4.1.3
vue-template-compiler: ^2.6.11 => 2.6.14
vue-template-es2015-compiler: 1.9.1
npmGlobalPackages:
@vue/cli: 4.5.13
Steps to reproduce
Run yarn audit or npm audit on a project that depends on @vue/cli-service 4.5.13.
What is expected?
No security issue
What is actually happening?
4 security issues are reported against css-what.
Issue Analytics
- Created 2 years ago
- Reactions:41
- Comments:12
Top GitHub Comments
How is a high severity vulnerability in one of the most popular JS frameworks not fixed ten days after the issue is opened?
I'm seeing the same for normalize-url on v4.5.13:
┌────────────────┬──────────────────────────────────────────────────────────────┐
│ High           │ Regular Expression Denial of Service                         │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Package        │ normalize-url                                                │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in     │ >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1                  │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of  │ @vue/cli-service [dev]                                       │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Path           │ @vue/cli-service > @intervolga/optimize-cssnano-plugin >     │
│                │ cssnano > cssnano-preset-default > postcss-normalize-url >   │
│                │ normalize-url                                                │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ More info      │ https://npmjs.com/advisories/1755                            │
└────────────────┴──────────────────────────────────────────────────────────────┘
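Reading a "Patched in" range like the one in the audit table above by eye is error-prone, especially at the boundaries. The following is an added example, not code from the issue, its commenters or Vue CLI: it evaluates installed versions against that normalize-url range with a small self-contained range parser, so it runs offline without the semver package. It assumes plain MAJOR.MINOR.PATCH versions and ignores prerelease tags.

```javascript
// Added example: is an installed version inside the "Patched in" ranges that
// `yarn audit` / `npm audit` print? Supports the operators used in npm
// advisory ranges: >=, >, <=, <, = ; space-separated AND; "||" OR.
// Simplification (assumption): prerelease suffixes such as "-beta.1" are ignored.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator, comparing major, then minor, then patch.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// True when `installed` satisfies at least one "||" clause, where every
// comparator inside a clause must hold.
function isPatched(installed, patchedIn) {
  return patchedIn.split('||').some((clause) =>
    clause.trim().split(/\s+/).every((comparator) => {
      const [, op = '=', version] = /^(>=|<=|>|<|=)?(.+)$/.exec(comparator);
      const c = compareVersions(installed, version);
      switch (op) {
        case '>=': return c >= 0;
        case '>':  return c > 0;
        case '<=': return c <= 0;
        case '<':  return c < 0;
        default:   return c === 0;
      }
    })
  );
}

// The normalize-url "Patched in" range quoted in the audit table above.
const NORMALIZE_URL_PATCHED = '>=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1';

// Triage a list of installed versions (constructed sample input) against a range.
function triage(installedVersions, patchedIn = NORMALIZE_URL_PATCHED) {
  return Object.fromEntries(
    installedVersions.map((v) => [v, isPatched(v, patchedIn) ? 'patched' : 'VULNERABLE'])
  );
}

console.log(triage(['4.5.0', '4.5.1', '5.0.0', '5.3.1', '6.0.0', '6.0.1']));
```

Note that 5.0.0 and 6.0.0 come out as vulnerable: each major line was fixed in a later patch release, which is exactly the kind of boundary a quick glance at the range misses.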