Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

yargs-parser vulnerability (@vue/cli-service > webpack-dev-server > yargs > yargs-parser) #5439

Closed
mashpie opened this issue May 1, 2020 · 9 comments
Closed

yargs-parser vulnerability (@vue/cli-service > webpack-dev-server > yargs > yargs-parser) #5439

mashpie opened this issue May 1, 2020 · 9 comments

Comments

@mashpie
Copy link

mashpie commented May 1, 2020

Version

4.3.1

Environment info

Environment Info:

  System:
    OS: macOS 10.15.4
    CPU: (8) x64 Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz
  Binaries:
    Node: 10.16.2 - ~/.nvm/versions/node/v10.16.2/bin/node
    Yarn: 1.21.1 - ~/.nvm/versions/node/v10.16.2/bin/yarn
    npm: 6.9.0 - ~/.nvm/versions/node/v10.16.2/bin/npm

truncated (nginx errors with request uri to large)

Steps to reproduce

run yarn audit in any newly created or exiting vue-cli project

What is expected?

should not report any issues

What is actually happening?

reports:

yarn audit v1.21.1
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-service > webpack-dev-server > yargs > yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘

please upgrade webpack-dev-server as soon their issue got resolved webpack/webpack-dev-server#2559.

Meanwhile a workaround with yarn resolution works by adding:

  "resolutions": {
    "@vue/cli-service/**/yargs-parser": "^13.1.2"
  },
@dosstx
Copy link

dosstx commented May 1, 2020

Anyone have a work-around for NPM instead of Yarn? Assuming the syntax may be different than what @mashpie posted above...

@mashpie
Copy link
Author

mashpie commented May 1, 2020

@dosstx you might consider https://www.npmjs.com/package/npm-force-resolutions

still:

  • dev-server is run on local dev only (should be)
  • resolutions is just a temporary workaround to silence auditing alerts
  • fix should apply to webpack-dev-server

yet no issues on several "patched" projects...

@dagostindiogo
Copy link

Same problem.

@haoqunjiang
Copy link
Member

Should have been fixed with the release of webpack-dev-server 3.11.0

@diegogallovich
Copy link

I just wrote an article on this issue's fix. Check it out on medium https://medium.com/@dieguiviti/yargs-parser-vulnerability-fix-5ab421663d22

@lartheon
Copy link

I just wrote an article on this issue's fix. Check it out on medium https://medium.com/@dieguiviti/yargs-parser-vulnerability-fix-5ab421663d22

broken link, can't see the article on your profile either

@grouchal
Copy link

grouchal commented Dec 21, 2020
edited
Loading

This is still not fixed with version 4.5.9

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-plugin-unit-jest [dev]                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-plugin-unit-jest > ts-jest > yargs-parser           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

@grouchal
Copy link

Not sure why this issue is closed - should I raise a new one?

@grouchal
Copy link

Have created #6160

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@mashpie @grouchal @haoqunjiang @dosstx @dagostindiogo @diegogallovich @lartheon