
Security: Vulnerabilities - 2 High, 3 Moderate #7450

Open
sfcollins-v8m opened this issue Feb 26, 2024 · 2 comments

Comments

@sfcollins-v8m

Version

5.0.8

Reproduction link

Environment info

 System:
    OS: Windows 10 10.0.19045
    CPU: (16) x64 12th Gen Intel(R) Core(TM) i7-1260P
  Binaries:
    Node: 14.21.3 - C:\Program Files\nodejs\node.EXE
  npmPackages:
    @vue/cli-plugin-unit-mocha: 5.0.8 => 5.0.8
    @vue/cli-service: 5.0.8 => 5.0.8
    vue: 2.7.14 => 2.7.14

Steps to reproduce

Run npm audit on any application using @vue/cli-plugin-unit-mocha and @vue/cli-service - Version 5.0.8

Output:

High minimatch ReDoS vulnerability
Package minimatch
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > glob > minimatch
More info GHSA-f8q6-p94x-37v3

High minimatch ReDoS vulnerability
Package minimatch
Patched in >=3.0.5
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > minimatch
More info GHSA-f8q6-p94x-37v3

Moderate Exposure of Sensitive Information to an Unauthorized Actor in nanoid
Package nanoid
Patched in >=3.1.31
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > nanoid
More info GHSA-qrpm-p2h7-hrv2

Moderate PostCSS line return parsing error
Package postcss
Patched in >=8.4.31
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > @vue/component-compiler-utils > postcss
More info GHSA-7fh5-64p2-3v2j

Moderate PostCSS line return parsing error
Package postcss
Patched in >=8.4.31
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > @vue/vue-loader-v15 > @vue/component-compiler-utils > postcss
More info GHSA-7fh5-64p2-3v2j

What is expected?

There should not be any vulnerabilities

What is actually happening?

There are existing vulnerabilities
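As an added example (not code from the issue or from the Vue CLI project), the following Node script parses the plain-text `npm audit` findings quoted above into records, collapses the same advisory reported once per dependency path, counts distinct advisories per severity, flags whether each is reachable only through a `[dev]` dependency, and checks an installed version against the `>=x.y.z` ranges printed as "Patched in". The sample text embedded in the script is constructed from the findings above; `parseAuditText`, `summarize`, `satisfiesPatched` and `reportLines` are names chosen here, and the version comparison only understands the simple `>=x.y.z` form.

```javascript
// Added example (not from the issue or the Vue CLI project): parse the plain-text
// `npm audit` findings quoted above, collapse duplicate advisories, check versions.

// Constructed sample input: the issue's findings, one blank-line-separated block
// per finding, which is how npm audit lists them (once per dependency path).
const SAMPLE_AUDIT_TEXT = `
High minimatch ReDoS vulnerability
Package minimatch
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > glob > minimatch
More info GHSA-f8q6-p94x-37v3

High minimatch ReDoS vulnerability
Package minimatch
Patched in >=3.0.5
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > minimatch
More info GHSA-f8q6-p94x-37v3

Moderate Exposure of Sensitive Information to an Unauthorized Actor in nanoid
Package nanoid
Patched in >=3.1.31
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > nanoid
More info GHSA-qrpm-p2h7-hrv2

Moderate PostCSS line return parsing error
Package postcss
Patched in >=8.4.31
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > @vue/component-compiler-utils > postcss
More info GHSA-7fh5-64p2-3v2j

Moderate PostCSS line return parsing error
Package postcss
Patched in >=8.4.31
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > @vue/vue-loader-v15 > @vue/component-compiler-utils > postcss
More info GHSA-7fh5-64p2-3v2j
`;

const SEVERITIES = ['Critical', 'High', 'Moderate', 'Low'];

// Split the report into findings and read the labelled fields of each block.
function parseAuditText(text) {
  return text.trim().split(/\n\s*\n/).flatMap((block) => {
    const lines = block.trim().split('\n').map((l) => l.trim());
    const [severity, ...title] = lines[0].split(' ');
    if (!SEVERITIES.includes(severity)) return []; // not a finding header
    const field = (label) => {
      const line = lines.find((l) => l.startsWith(label + ' '));
      return line ? line.slice(label.length + 1).trim() : null;
    };
    const dep = field('Dependency of') || '';
    return [{
      severity, title: title.join(' '), pkg: field('Package'),
      patchedIn: field('Patched in'), advisory: field('More info'),
      dependencyOf: dep.replace(/\s*\[dev\]$/, ''), devOnly: /\[dev\]$/.test(dep),
      path: (field('Path') || '').split('>').map((s) => s.trim()),
    }];
  });
}

// npm audit repeats an advisory once per dependency path; group by advisory id so
// counts reflect distinct advisories while every reachable path is kept.
function summarize(findings) {
  const byAdvisory = new Map();
  for (const f of findings) {
    const entry = byAdvisory.get(f.advisory) || { ...f, paths: [] };
    entry.paths.push(f.path.join(' > '));
    if (!entry.patchedIn && f.patchedIn) entry.patchedIn = f.patchedIn; // some rows omit it
    byAdvisory.set(f.advisory, entry);
  }
  const counts = {};
  for (const a of byAdvisory.values()) counts[a.severity] = (counts[a.severity] || 0) + 1;
  return { advisories: [...byAdvisory.values()], counts, rawFindings: findings.length };
}

// Compare an installed version against a ">=x.y.z" range (numeric semver only);
// any other range form returns null so the caller treats it as unknown, not as safe.
function satisfiesPatched(installed, patchedIn) {
  const m = /^>=\s*(\d+)\.(\d+)\.(\d+)$/.exec(patchedIn || '');
  if (!m) return null;
  const want = m.slice(1, 4).map(Number);
  const parts = installed.split('.');
  const have = [0, 1, 2].map((i) => Number(parts[i]) || 0); // missing/odd parts count as 0
  for (let i = 0; i < 3; i++) {
    if (have[i] > want[i]) return true;
    if (have[i] < want[i]) return false;
  }
  return true;
}

// One summary line, then one line per distinct advisory.
function reportLines(text) {
  const s = summarize(parseAuditText(text));
  const head = `${s.rawFindings} findings, distinct advisories: ` +
    Object.entries(s.counts).map(([sev, n]) => `${n} ${sev}`).join(', ');
  return [head, ...s.advisories.map((a) =>
    `${a.severity} ${a.pkg} ${a.advisory} patched=${a.patchedIn || 'n/a'} dev-only=${a.devOnly} paths=${a.paths.length}`)];
}

console.log(reportLines(SAMPLE_AUDIT_TEXT).join('\n'));
```

Run with `node audit-triage.js` (file name assumed). On the findings above the script reports 5 rows but 3 distinct advisories (1 High, 2 Moderate), because npm prints an advisory once for every path that reaches the vulnerable package; all of them are reached only through `[dev]` dependencies, which matters for triage since the affected `minimatch` and `nanoid` copies sit under the test runner rather than in the built application. The `>=x.y.z` check is deliberately narrow: a range it cannot parse is reported as unknown rather than as satisfied.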

@AdrianMatta15

aight cuh, you gotta switch the moderators with the cryptocurrency so that it's 42 High and 3 moderate

@gustawdaniel

At this moment the last PR that was accepted is:

#7324

merged by @sodatea into dev from dependabot/npm_and_yarn/loader-utils-1.4.1 on Nov 9, 2022

In the README you can read that Vue CLI is now in maintenance mode, so you should migrate and remove this package.
