harmyderoman/vuejs-confirm-dialog

Security update needed

Closed this issue · 8 comments

A security update is needed for "vue-template-compiler" package.

I have gotten this error:

vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS) #54

A vulnerability has been discovered in vue-template-compiler, that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as Object.prototype.staticClass or Object.prototype.staticStyle to execute arbitrary JavaScript code. Vue 2 has reached End-of-Life. This vulnerability has been patched in Vue 3.

Thanks for highlighting the problem

Running into this issue as well! Is there anything preventing an upgrade to vue-template-compiler@3?

@groenroos 2.7.16 is latest

Ah, right you are - the format of the Dependabot security alert misled me to believe that a fixed version exists:

[Image: Screenshot 2024-08-07 at 02 06 35]

Since Vue 2 is EOL, is there an opportunity to drop this dependency? Or perhaps replace it with something else?

@groenroos I'll check if I can drop it

Same issue here :/ Is there already an update on this?

@kubica An update is on the way

Fixed #36
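Added example, not part of the original thread or of the project's code: a small lockfile audit that lists every installed copy of vue-template-compiler below major version 3 and the packages that declare it, which is the question the thread turns on (which dependency has to drop it). The sample lockfile, its version strings other than 2.7.16, and the function names are constructed for illustration; the "below 3 is affected" rule is taken from the alert text quoted above.

```javascript
// Constructed sample in the package-lock.json v2/v3 "packages" layout (not a real lockfile).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "vuejs-confirm-dialog": "*" } },
    "node_modules/vuejs-confirm-dialog": {
      version: "0.0.0-example",
      dependencies: { "vue-template-compiler": "^2.7.0" },
    },
    "node_modules/vue-template-compiler": { version: "2.7.16" },
    "node_modules/vue": { version: "0.0.0-example" },
  },
};

const TARGET = "vue-template-compiler";
const DEP_FIELDS = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry "" yields "".
function packageName(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? "" : lockPath.slice(i + "node_modules/".length);
}

// Returns one record per installed copy of `target` with major version < 3.
// requiredBy lists every package that declares the dependency; it does not
// resolve which nested copy each declarer actually receives.
function findFlagged(lock, target = TARGET) {
  const entries = Object.entries(lock.packages || {});
  const hits = [];
  for (const [path, meta] of entries) {
    if (packageName(path) !== target) continue;
    const major = parseInt(String(meta.version).split(".")[0], 10);
    if (!(major < 3)) continue; // also skips unparseable versions
    const requiredBy = entries
      .filter(([, m]) => DEP_FIELDS.some(
        (k) => m[k] && Object.prototype.hasOwnProperty.call(m[k], target)))
      .map(([p, m]) => packageName(p) || m.name || "(root project)");
    hits.push({ path, version: meta.version, dev: Boolean(meta.dev), requiredBy });
  }
  return hits;
}

console.log(JSON.stringify(findFlagged(sampleLock), null, 2));
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `findFlagged` instead of `sampleLock`.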