
Dependency in @nuxt/utils: ua-parser-js removed from npm due to hack #9979

Closed
willwright opened this issue Oct 23, 2021 · 11 comments

Comments

@willwright

Versions

  • nuxt: 2.15.8
  • node: v12.22.6

Reproduction

Additional Details
Recently the owner of ua-parser-js lost control of their npm account and certain versions of the package were compromised. In order to prevent further spread of the infected packages they were pulled from the npm repository.

This package @nuxt/utils has one of the impacted versions marked as a dependency and as such the package manager won't fully install nuxt.

SEE: faisalman/ua-parser-js#536

Steps to reproduce

  • Create package.json
  • Run yarn
  • Notice:
[1/4] Resolving packages...
[2/4] Fetching packages...
error An unexpected error occurred: "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-0.7.29.tgz: Request failed \"404 Not Found\"".
info If you think this is a bug, please open a bug report with the information provided in "/var/src/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

What is Expected?

What is actually happening?

@willwright
Author

My temporary fix was to use a resolutions block in the package.json to force a higher version of ua-parser-js.
Example:

  "resolutions": {
    "ua-parser-js": "^1.0.1"
  }

@icepaq

icepaq commented Oct 25, 2021

@willwright Check out this link here faisalman/ua-parser-js#536

They recommend forcing version 0.7.28 but I think 1.0.1 is fine as well.

Hope this helps!

@fabis94

fabis94 commented Oct 25, 2021

This package probably needs to be removed altogether, no? Will switching versions really help if the attacker has the control over the package?

@adam-knights

The repo is apparently back under control, the compromised versions are 0.7.29, 0.8.0, 1.0.0

Safe versions have now been released: 0.7.30, 0.8.1, 1.0.1

As a very quick fix nuxt utils should be bumped to 0.7.30 and released.

@AlecWeekes

The repo is apparently back under control, the compromised versions are 0.7.29, 0.8.0, 1.0.0

Could I ask where you've seen this? I've not found anything with a quick google search. Need to handle this vulnerability this morning so need to be sure.

@danielroe
Member

Check faisalman/ua-parser-js#536 for full details.

@pi0
Member

pi0 commented Oct 25, 2021

As ua-parser-js@0.7.30 is released and nuxt@2.15.8 uses ^0.7.28 range, you can fix it by either:

  • Removing lock file (yarn.lock / package-lock.json)
  • Using yarn upgrade nuxt or npm up nuxt

Both methods should bump ua-parser-js to latest safe 0.7.x release.

@pi0 pi0 removed the bug-report label Oct 25, 2021
@adam-knights

adam-knights commented Oct 25, 2021

Thank you for the workarounds, but there could be people out there sat with 0.7.29 who don't know of the vulnerability.

Users have tools that monitor for releases, automatically make PRs, etc.; if nuxt makes a new release with ^0.7.30, those tools may pick it up and prevent issues for some of those users.

@pi0
Member

pi0 commented Oct 25, 2021

Automated audit tools should look for entire sub-dependencies, but sure, it makes sense to alert people upgrading by releasing a patch for nuxt 2.x.

@willwright
Author

@willwright Check out this link here faisalman/ua-parser-js#536

They recommend forcing version 0.7.28 but I think 1.0.1 is fine as well.

Hope this helps!

@icepaq
Thanks for the tip. Reading through the early posts on the thread, I wasn't quite sure what the author was recommending as a resolution.

It sounded like they were just going to issue a new major version to help package managers resolve to the "correct" version.

JennieSH added a commit to JennieSH/JennieSH.github.io that referenced this issue Nov 20, 2021
Due to nuxt dependency issues, the package manager won't fully install nuxt.

issues: nuxt/nuxt#9979
@stale

stale bot commented Apr 19, 2022

Thanks for your contribution to Nuxt!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
If you would like this issue to remain open:

  1. Verify that you can still reproduce the issue in the latest version of nuxt-edge
  2. Comment the steps to reproduce it

Issues that are labeled as pending will not be automatically marked as stale.

@stale stale bot added the stale label Apr 19, 2022
@stale stale bot closed this as completed Apr 28, 2022
@danielroe danielroe added the 2.x label Jan 18, 2023
@danielroe danielroe mentioned this issue Feb 1, 2023
No branches or pull requests

7 participants