Security: Vulnerabilities - 2 High, 3 Moderate
sfcollins-v8m opened this issue · 3 comments
Version
5.0.8
Reproduction link
- minimatch ReDoS vulnerability
- Exposure of Sensitive Information to an Unauthorized Actor in nanoid
- Regular Expression Denial of Service in postcss
- PostCSS line return parsing error
Environment info
System:
OS: Windows 10 10.0.19045
CPU: (16) x64 12th Gen Intel(R) Core(TM) i7-1260P
Binaries:
Node: 14.21.3 - C:\Program Files\nodejs\node.EXE
npmPackages:
@vue/cli-plugin-unit-mocha: 5.0.8 => 5.0.8
@vue/cli-service: 5.0.8 => 5.0.8
vue: 2.7.14 => 2.7.14
Steps to reproduce
Run npm audit on any application using @vue/cli-plugin-unit-mocha and @vue/cli-service - Version 5.0.8
Output:
High minimatch ReDoS vulnerability
Package minimatch
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > glob > minimatch
More info GHSA-f8q6-p94x-37v3
High minimatch ReDoS vulnerability
Package minimatch
Patched in >=3.0.5
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > minimatch
More info GHSA-f8q6-p94x-37v3
Moderate Exposure of Sensitive Information to an Unauthorized Actor in nanoid
Package nanoid
Patched in >=3.1.31
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > nanoid
More info GHSA-qrpm-p2h7-hrv2
Moderate PostCSS line return parsing error
Package postcss
Patched in >=8.4.31
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > @vue/component-compiler-utils > postcss
More info GHSA-7fh5-64p2-3v2j
Moderate PostCSS line return parsing error
Package postcss
Patched in >=8.4.31
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > @vue/vue-loader-v15 >@vue/component-compiler-utils > postcss
More info GHSA-7fh5-64p2-3v2j
What is expected?
There should not be any vulnerabilities
What is actually happening?
There are existing vulnerabilities
aight cuh, you gotta switch the moderators with the cryptocurrency so that it's 42 High and 3 moderate
At this moment the last PR that was accepted is:
merged by @sodatea into dev from dependabot/npm_and_yarn/loader-utils-1.4.1 on Nov 9, 2022
In the README you can read that Vue CLI is now in maintenance mode, so you should migrate and remove this package.
Is there a solution for this yet?