Standalone vue-devtools depends on vulnerable version of Electron
bradley-tran opened this issue · 1 comment
bradley-tran commented
Vue devtools version
6.5.1
Link to minimal reproduction
https://stackblitz.com/edit/vitejs-vite-hdegy7?file=package.json
Steps to reproduce & screenshots
Open stackblitz terminal and run npm audit
Or on local machine:
- Install standalone vue-devtools:
npm install --save-dev @vue/devtools
- Run
npm audit
What is expected?
The package should not include known vulnerable dependencies.
What is actually happening?
Running npm audit results in:
❯ npm audit
# npm audit report
electron <=22.3.24
Severity: high
Depends on vulnerable versions of @electron/get
Electron vulnerable to out-of-package code execution when launched with arbitrary cwd - https://github.com/advisories/GHSA-7x97-j373-85x5
Electron context isolation bypass via nested unserializable return value - https://github.com/advisories/GHSA-p7v2-p9m8-qqg7
Electron affected by libvpx's heap buffer overflow in vp8 encoding - https://github.com/advisories/GHSA-qqvq-6xgj-jw8g
No fix available
node_modules/electron
@vue/devtools *
Depends on vulnerable versions of electron
node_modules/@vue/devtools
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/got
@electron/get <=1.14.1
Depends on vulnerable versions of got
node_modules/@electron/get
4 vulnerabilities (3 moderate, 1 high)
Some issues need review, and may require choosing
a different dependency.
System Info
System:
OS: Linux 3.10 CentOS Linux 7 (Core)
CPU: (28) x64 Intel(R) Xeon(R) CPU E5-2683 v3 @ 2.00GHz
Memory: 11.52 GB / 62.66 GB
Container: Yes
Shell: 4.2.46 - /bin/bash
Binaries:
Node: 16.20.0 - /usr/local/bin/node
npm: 8.19.4 - /usr/local/bin/npm
npmPackages:
vue: ^3.3.4 => 3.3.4
Any additional comments?
No response
yycking commented
Add overrides to your package.json:
"overrides": {
"electron": "^28.1.0"
},
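The audit output in the report and the overrides suggestion in the reply both come down to two questions a practitioner has to answer before touching package.json: which direct dependency actually pulls the vulnerable package in, and does the version you intend to force really sit outside the advisory range. The script below is an added example, not code from the issue, from vue-devtools or from npm. It parses an `npm audit --json` report (the `auditReportVersion: 2` shape npm 7+ emits, whose `via`, `effects`, `range`, `nodes` and `fixAvailable` fields are real), walks `effects` upward to the direct dependency, and builds a root-level `overrides` map only for pins that clear the vulnerable range. The embedded report is constructed to mirror the text output above; the advisory URLs are the ones quoted in the issue, everything else in it is a placeholder. The tiny range matcher handles only the plain `<`, `<=`, `>`, `>=`, `*` and `||` forms npm prints for these advisories, which is an assumption, not a full semver implementation.

```javascript
// Added example (not from the issue, vue-devtools or npm): offline triage of
// an `npm audit --json` v2 report plus derivation of package.json "overrides".

// CONSTRUCTED report mirroring the issue's text output. Advisory URLs are the
// ones quoted in the issue; other fields are placeholders.
const CONSTRUCTED_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    electron: {
      name: "electron", severity: "high", isDirect: false,
      via: [
        { name: "electron", severity: "high", range: "<=22.3.24",
          url: "https://github.com/advisories/GHSA-7x97-j373-85x5" },
        { name: "electron", severity: "high", range: "<=22.3.24",
          url: "https://github.com/advisories/GHSA-p7v2-p9m8-qqg7" },
        { name: "electron", severity: "high", range: "<=22.3.24",
          url: "https://github.com/advisories/GHSA-qqvq-6xgj-jw8g" },
        "@electron/get", // transitive cause, no advisory of its own here
      ],
      effects: ["@vue/devtools"], range: "<=22.3.24",
      nodes: ["node_modules/electron"], fixAvailable: false,
    },
    "@vue/devtools": {
      name: "@vue/devtools", severity: "high", isDirect: true,
      via: ["electron"], effects: [], range: "*",
      nodes: ["node_modules/@vue/devtools"], fixAvailable: false,
    },
    got: {
      name: "got", severity: "moderate", isDirect: false,
      via: [{ name: "got", severity: "moderate", range: "<11.8.5",
              url: "https://github.com/advisories/GHSA-pfrx-2q88-qq97" }],
      effects: ["@electron/get"], range: "<11.8.5",
      nodes: ["node_modules/got"], fixAvailable: false,
    },
    "@electron/get": {
      name: "@electron/get", severity: "moderate", isDirect: false,
      via: ["got"], effects: ["electron"], range: "<=1.14.1",
      nodes: ["node_modules/@electron/get"], fixAvailable: false,
    },
  },
};

// "1.2.3" -> [1, 2, 3]; pre-release suffixes are ignored (assumption: the
// ranges npm prints for these advisories are plain x.y.z bounds).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// True when `version` falls inside an audit range such as "<=22.3.24",
// "<11.8.5", ">=1.0.0 <2.0.0", "*" or alternatives joined by "||".
function inVulnerableRange(version, range) {
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((c) => {
      if (c === "*" || c === "") return true;
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(c);
      const cmp = compareVersions(version, m[2]);
      switch (m[1] || "=") {
        case "<": return cmp < 0;
        case "<=": return cmp <= 0;
        case ">": return cmp > 0;
        case ">=": return cmp >= 0;
        default: return cmp === 0;
      }
    }));
}

// One finding per package that carries its own advisory (an object in `via`),
// with `effects` followed upward to the direct dependency that pulls it in.
function triage(report) {
  const vulns = report.vulnerabilities;
  const rootCause = (name, seen = new Set()) => {
    const v = vulns[name];
    if (!v || v.isDirect || v.effects.length === 0 || seen.has(name)) return [name];
    seen.add(name);
    return v.effects.flatMap((e) => rootCause(e, seen));
  };
  return Object.values(vulns)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => ({
      package: v.name, severity: v.severity, range: v.range,
      fixAvailable: v.fixAvailable,
      advisories: v.via.filter((x) => typeof x === "object").map((x) => x.url),
      pulledInBy: [...new Set(rootCause(v.name))],
    }));
}

// Build a root-level "overrides" map from the pins you intend to force.
// A pin that is still inside the advisory range is rejected rather than
// silently written, so a typo cannot turn into a false "clean" audit.
function suggestOverrides(findings, pins) {
  const overrides = {};
  for (const f of findings) {
    const pin = pins[f.package];
    if (f.fixAvailable || !pin) continue;
    if (inVulnerableRange(pin, f.range))
      throw new Error(`${f.package}@${pin} is still inside ${f.range}`);
    overrides[f.package] = `^${pin}`;
  }
  return overrides;
}

// Merge into an in-memory package.json object; writing the file is left to
// the caller so the example stays offline.
function withOverrides(pkg, overrides) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), ...overrides } };
}

console.log(JSON.stringify(triage(CONSTRUCTED_AUDIT), null, 2));
```

To run it against a real tree, replace the constructed object with `JSON.parse(fs.readFileSync("audit.json"))` after `npm audit --json > audit.json`. Two caveats on the overrides route itself: `overrides` is honoured only by npm 8.3 and later (the reporter's npm 8.19.4 qualifies, older CI images may not), and forcing a major Electron jump under a package that was released against Electron 22 silences the audit without proving the devtools app still launches, so the override needs a smoke test of the standalone devtools, not just a clean `npm audit`.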