Security vulnerability webpack-dev-server in @nx/webpack (CVE-2024-21536) #28922

Closed
1 of 4 tasks
gurisko opened this issue Nov 13, 2024 · 1 comment


gurisko commented Nov 13, 2024

Current Behavior

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Denial of service in http-proxy-middleware             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ http-proxy-middleware                                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <2.0.7                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=2.0.7                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > @nx/next@20.1.0 > @nx/webpack@20.1.0 >             │
│                     │ webpack-dev-server@5.0.4 > http-proxy-middleware@2.0.6 │
│                     │                                                        │
│                     │ . > @nx/webpack@20.1.0 > webpack-dev-server@5.0.4 >    │
│                     │ http-proxy-middleware@2.0.6                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-c7qv-q95q-8v27      │
└─────────────────────┴────────────────────────────────────────────────────────┘

Expected Behavior

No reported vulnerability.

GitHub Repo

No response

Steps to Reproduce

  1. Run pnpm audit (or similar)

Nx Report

Node           : 22.9.0
OS             : linux-x64
Native Target  : x86_64-linux
pnpm           : 9.12.3

nx                 : 20.1.0
@nx/js             : 20.1.0
@nx/jest           : 20.1.0
@nx/linter         : 19.5.0
@nx/eslint         : 20.1.0
@nx/workspace      : 20.1.0
@nx/devkit         : 20.1.0
@nx/eslint-plugin  : 20.1.0
@nx/express        : 20.1.0
@nx/nest           : 20.1.0
@nx/next           : 20.1.0
@nx/node           : 20.1.0
@nx/react          : 20.1.0
@nx/web            : 20.1.0
@nx/webpack        : 20.1.0
typescript         : 5.6.3
---------------------------------------
Registered Plugins:
@nx/next/plugin
@nx/eslint/plugin
@nx/webpack/plugin
---------------------------------------
Community plugins:
@nx-extend/shadcn-ui : 4.1.2
---------------------------------------
The following packages should match the installed version of nx
  - @nx/linter@19.5.0

To fix this, run `nx migrate nx@20.1.0`

Failure Logs

Package Manager Version

No response

Operating System

  • macOS
  • Linux
  • Windows
  • Other (Please specify)

Additional Information

No response

@FrozenPandaz
Collaborator

The issue from webpack-dev-server has been resolved but a version has not been published yet.

If you want to get rid of this vulnerability for yourself, you can regenerate your lockfile and the version range should pick up the patched version.

When webpack-dev-server releases a new version we can update our dependency.

@Coly010 Coly010 closed this as completed Jan 31, 2025
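
A lockfile check for the advisory in this issue, as an added example that is not part of the original thread or of the Nx project's code: it scans pnpm-lock.yaml text for resolved http-proxy-middleware versions and flags any below 2.0.7, the patched version in the audit table. The lockfile fragments, the function names and the placeholder integrity value are constructed for illustration.

```javascript
// Added example: threshold taken from the audit table (vulnerable <2.0.7).
const PACKAGE = 'http-proxy-middleware';
const PATCHED = [2, 0, 7];

// Compare two [major, minor, patch] triples; negative when a < b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Collect every resolved version of PACKAGE from pnpm-lock.yaml text.
// Matches package keys such as "http-proxy-middleware@2.0.6(...)" (lockfile v9)
// and "/http-proxy-middleware@2.0.6(...)" (older lockfiles). Scoped packages
// ending in the same name are not matched; pre-release suffixes are ignored.
function resolvedVersions(lockfileText) {
  const key = new RegExp(`^\\s*['"]?/?${PACKAGE}@(\\d+)\\.(\\d+)\\.(\\d+)`);
  const seen = new Map();
  for (const line of lockfileText.split(/\r?\n/)) {
    const m = key.exec(line);
    if (m) seen.set(m.slice(1, 4).join('.'), m.slice(1, 4).map(Number));
  }
  return seen;
}

// Split the resolved versions into vulnerable and patched sets.
function auditLockfile(lockfileText) {
  const vulnerable = [];
  const patched = [];
  for (const [version, triple] of resolvedVersions(lockfileText)) {
    (compareVersions(triple, PATCHED) < 0 ? vulnerable : patched).push(version);
  }
  return { vulnerable, patched, ok: vulnerable.length === 0 };
}

// Constructed sample lockfile fragments (not taken from the issue).
const BEFORE = `
packages:
  http-proxy-middleware@2.0.6:
    resolution: {integrity: sha512-PLACEHOLDER}
snapshots:
  http-proxy-middleware@2.0.6(@types/express@4.17.21):
    dependencies:
      http-proxy: 1.18.1
`;
const AFTER = BEFORE.replace(/2\.0\.6/g, '2.0.7');
console.log(auditLockfile(BEFORE), auditLockfile(AFTER));
```

To check a real workspace after regenerating the lockfile, pass `fs.readFileSync('pnpm-lock.yaml', 'utf8')` to `auditLockfile` and fail the CI job when `ok` is false.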