[FEATURE_REQUEST] CVE that should be fixed

[lcotonea]

Hi,

After a security scan, two CVEs have been found on node modules:

• CVE-2020-28469: This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator
• CVE-2021-33502: The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

These modules should be upgraded.

[Lissy93]

Hey, unfortunately these packages are used by other dev packages (mostly Vue CLI), which are already at the latest version. You need to raise the issue / submit a PR to them instead.

Here's the full dependency path to help you:

• normalize-url is used by @vue/cli-service > cssnano > cssnano-preset-default > postcss-normalize-url > normalize-url which of course doesn't effect the production application
• glob-parent is also used by @vue/cli-service > copy-webpack-plugin > glob-parent
• css-what is used by @vue/cli-service > cssnano > cssnano-preset-default > postcss-svgo > svgo > css-select > css-what

You'll find the same results in most Vue projects at the moment, there are actually 6 critical vulnerabilities in Vue CLI. In Dashy specifically isn't actually effected by any of these vulnerabilities, as it's not using the effected packages in production, so is nothing to worry about.

I'm using Synk for vulnerability checking, you can find the current report here: https://snyk.io/test/github/Lissy93/dashy

[Lissy93]

Btw it looks like these issues are already raised, see below:

• Vue CLI 6118 - Re CVE-2020-7774
• Vue CLI 5489 - Re http-proxy
• Vue CLI 6523 - Re css-what
• Vue CLI 5285 - Re minimist
• http-server 1459 - Re CVE-400
• normalize-url 135 - Re CVE-2021-33502
• glob-parent 48 - Re regex dos