After a security scan, two CVEs have been found on node modules:
CVE-2020-28469: This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator
CVE-2021-33502: The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
These modules should be upgraded.
Hey, unfortunately these packages are used by other dev packages (mostly Vue CLI), which are already at the latest version. You need to raise the issue / submit a PR to them instead.
Here's the full dependency path to help you:
normalize-url is used by @vue/cli-service > cssnano > cssnano-preset-default > postcss-normalize-url > normalize-url, which of course doesn't affect the production application.
glob-parent is also used by @vue/cli-service > copy-webpack-plugin > glob-parent
css-what is used by @vue/cli-service > cssnano > cssnano-preset-default > postcss-svgo > svgo > css-select > css-what
You'll find the same results in most Vue projects at the moment; there are actually 6 critical vulnerabilities in Vue CLI. Dashy specifically isn't actually affected by any of these vulnerabilities, as it's not using the affected packages in production, so it is nothing to worry about.
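To check the dev-only claim in the reply above against a lockfile rather than by hand, here is an added example (not part of the thread and not Dashy's code) that flags the two packages from the issue using the fixed-version boundaries it quotes, and separates dev-only entries using the `dev` field of an npm lockfileVersion 2/3 `package-lock.json`. The function names and the sample lockfile are constructed for illustration.

```javascript
// Fixed-version boundaries exactly as quoted in the issue text.
const ADVISORIES = new Map([
  ['glob-parent', { cve: 'CVE-2020-28469', ranges: [{ below: '5.1.2' }] }],
  ['normalize-url', { cve: 'CVE-2021-33502', ranges: [
    { below: '4.5.1' }, { major: 5, below: '5.3.1' }, { major: 6, below: '6.0.1' }] }],
]);

// Compare plain x.y.z versions; pre-release suffixes are ignored (assumption).
function cmp(a, b) {
  const [pa, pb] = [a, b].map(v => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

function isVulnerable(name, version) {
  const adv = ADVISORIES.get(name);
  if (!adv) return false;
  const major = Number(version.split('.')[0]);
  return adv.ranges.some(r =>
    (r.major === undefined || r.major === major) && cmp(version, r.below) < 0);
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // handles nested and scoped paths
    const adv = ADVISORIES.get(name);
    if (!adv || !meta.version) continue;
    findings.push({ name, path, version: meta.version, cve: adv.cve,
      vulnerable: isVulnerable(name, meta.version),
      devOnly: meta.dev === true }); // npm marks dev-tree-only packages with dev: true
  }
  return findings;
}

// Entries that are both in a vulnerable range and installed for production.
function productionExposure(lock) {
  return auditLock(lock).filter(f => f.vulnerable && !f.devOnly);
}

// Constructed sample lockfile (illustrative versions, not taken from Dashy).
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  'node_modules/normalize-url': { version: '3.3.0', dev: true },
  'node_modules/glob-parent': { version: '5.1.2' },
  'node_modules/copy-webpack-plugin/node_modules/glob-parent': { version: '3.1.0', dev: true },
} };
console.log(auditLock(SAMPLE_LOCK), productionExposure(SAMPLE_LOCK).length);
```

An entry with `dev: true` is left out of a production install (`npm ci --omit=dev`), but it still runs on the machines that build the project.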