Dependency in @nuxt/utils: ua-parser-js removed from npm due to hack #9979
Comments
My temporary fix was to use a
@willwright Check out this link here faisalman/ua-parser-js#536 They recommend forcing version 0.7.28 but I think 1.0.1 is fine as well. Hope this helps!
This package probably needs to be removed altogether, no? Will switching versions really help if the attacker has the control over the package?
The repo is apparently back under control; the compromised versions are 0.7.29, 0.8.0, 1.0.0. Safe versions have now been released: 0.7.30, 0.8.1, 1.0.1. As a very quick fix nuxt utils should be bumped to 0.7.30 and released.
Could I ask where you've seen this? I've not found anything with a quick google search. Need to handle this vulnerability this morning so need to be sure.
Check faisalman/ua-parser-js#536 for full details.
As
Both methods should bump
Thank you for the workarounds, but there could be people out there sat with 0.7.29 and not know of the vulnerability. Users have tools that monitor for releases, automatically make PRs etc, by nuxt making a new release with
Automated audit tools should look for entire sub-dependencies but sure makes sense to alert people upgrading by releasing a patch for nuxt 2.x
@icepaq It sounded like they were just going to issue a new major version to help with package managers to resolve to the "correct" version.
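The check the thread keeps coming back to (does anything in the whole sub-dependency tree still resolve to a compromised ua-parser-js build?) as an added example that is not code from this thread or from the ua-parser-js project: it parses a yarn.lock v1 file and flags the versions named above, using a constructed sample lockfile whose @nuxt/utils version number is illustrative.

```javascript
// Added example: scan a yarn.lock (v1 format) for the ua-parser-js versions
// the thread identifies as compromised, across every resolved sub-dependency.
const COMPROMISED = { 'ua-parser-js': new Set(['0.7.29', '0.8.0', '1.0.0']) };

// Parse yarn.lock v1 text into entries of { names: Set<string>, version: string|null }.
// An entry starts with an unindented header of comma-separated "name@range"
// specifiers (optionally quoted) ending in ":"; an indented "version" line follows.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!/^\s/.test(raw) && raw.endsWith(':')) {
      const specs = raw.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      // The last "@" separates the range from the name, so scoped names keep their "@" prefix.
      const names = new Set(specs.map(s => s.slice(0, s.lastIndexOf('@'))));
      current = { names, version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Return every resolved package whose version is on the blocklist.
function findCompromised(lockText, blocklist = COMPROMISED) {
  const hits = [];
  for (const { names, version } of parseYarnLockV1(lockText)) {
    for (const name of names) {
      if (blocklist[name] && blocklist[name].has(version)) hits.push({ name, version });
    }
  }
  return hits;
}

// Constructed sample lockfile; the @nuxt/utils version number is illustrative.
const SAMPLE_LOCK = `# yarn lockfile v1

"@nuxt/utils@2.15.8":
  version "2.15.8"
  dependencies:
    ua-parser-js "^0.7.28"

ua-parser-js@^0.7.28:
  version "0.7.29"
`;

console.log(findCompromised(SAMPLE_LOCK)); // [ { name: 'ua-parser-js', version: '0.7.29' } ]
```

Point it at a real lockfile by reading the file into `findCompromised`; a clean tree returns an empty array.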
Due to nuxt dependency issues, the package manager won't fully install nuxt. Issue: nuxt/nuxt#9979
Thanks for your contribution to Nuxt!
Issues that are labeled as
Versions
Reproduction
Additional Details
Recently the owner of ua-parser-js lost control of their npm account and certain versions of the package were compromised. In order to prevent further spread of the infected packages they were pulled from the npm repository.
This package @nuxt/utils has one of the impacted versions marked as a dependency and as such the package manager won't fully install nuxt. See: faisalman/ua-parser-js#536
Steps to reproduce
yarn
What is Expected?
What is actually happening?