vulnerabilities with got, git-clone, and http-cache-semantics

Question

vulnerabilities with got, git-clone, and http-cache-semantics

Tri-Vi opened this issue a year ago · 1 comments

Version

5.0.8

Environment info

Dev and Production

Steps to reproduce

npm audit

What is expected?

0 vunerabilitty

What is actually happening?

I am writing to report vulnerabilities in dependencies of Vue CLI that have been identified through npm audit. These vulnerabilities pose a risk to the security of Vue CLI and projects using it.

git-clone:

Severity: High
Vulnerability: Command injection (GHSA-8jmw-wjr8-2x66)
Affected Versions: 0.1.0 (used by download-git-repo in Vue CLI)
Recommended Action: Update to version 0.2.0 or newer, if available.

got:

Severity: High
Vulnerability: Allows a redirect to a UNIX socket (GHSA-pfrx-2q88-qq97)
Affected Versions: <=11.8.3 (used by download in Vue CLI)
Recommended Action: Update to version 14.3.0 or newer, if available.

http-cache-semantics:

Severity: High
Vulnerability: Regular Expression Denial of Service (GHSA-rc47-6667-2j5j)
Affected Versions: <4.1.1 (used by cacheable-request in Vue CLI)
Recommended Action: Update to version 4.1.1 or newer, if available.

I kindly request that these vulnerabilities be addressed in the next release of Vue CLI

Answer 1 · 2024-05-28T21:53:36.000Z

Closing this ticket as resolved