glob-parent vulnerability issue with with @vue/cli-service@4.5.13

[mtermoul]

### Version 4.5.13

Environment info

System:
    OS: macOS Mojave 10.14.6
    CPU: (12) x64 Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz
  Binaries:
    Node: 10.16.0 - /usr/local/bin/node
    Yarn: Not Found
    npm: 7.11.1 - /usr/local/bin/npm
  Browsers:
    Chrome: 91.0.4472.114
    Edge: Not Found
    Firefox: 88.0.1
    Safari: 13.1
npmPackages:
    @casl/vue: ^1.2.2 => 1.2.2 
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-helper-vue-transform-on:  1.0.2 
    @vue/babel-plugin-jsx:  1.0.6 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  4.5.13 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli-overlay:  4.5.13 
    @vue/cli-plugin-babel: ~4.5.13 => 4.5.13 
    @vue/cli-plugin-e2e-cypress: ~4.5.0 => 4.5.13 
    @vue/cli-plugin-eslint: ^3.1.1 => 3.1.1 
    @vue/cli-plugin-router:  4.5.13 
    @vue/cli-plugin-unit-jest: ^4.5.13 => 4.5.13 
    @vue/cli-plugin-vuex:  4.5.13 
    @vue/cli-service: ^4.5.13 => 4.5.13 
    @vue/cli-shared-utils:  4.5.13 (3.12.1)
    @vue/component-compiler-utils:  3.2.2 
    @vue/eslint-config-prettier: ^6.0.0 => 6.0.0 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/web-component-wrapper:  1.3.0 
    eslint-plugin-vue: ^6.2.2 => 6.2.2 (4.7.1)
    jest-serializer-vue:  2.0.2 
    vue: ^2.6.11 => 2.6.14 
    vue-chartjs: ^3.4.2 => 3.5.1 
    vue-cli-plugin-vuetify: ^2.0.5 => 2.4.1 
    vue-eslint-parser:  7.6.0 (2.0.3)
    vue-hot-reload-api:  2.3.4 
    vue-jest:  3.0.7 
    vue-json-excel: ^0.2.98 => 0.2.99 
    vue-loader:  15.9.7 (16.2.0)
    vue-router: ^3.1.6 => 3.5.2 
    vue-style-loader:  4.1.3 
    vue-template-compiler: ^2.6.11 => 2.6.14 
    vue-template-es2015-compiler:  1.9.1 
    vue-the-mask: ^0.11.1 => 0.11.1 
    vuetify: ~2.4.0 => 2.4.11 
    vuetify-loader: ^1.3.0 => 1.7.2 
    vuex: ^3.1.3 => 3.6.2 
  npmGlobalPackages:
    @vue/cli: 4.5.13

Steps to reproduce

npm audit

What is expected?

@vue/cli-service should depend on glob-parent version 5.1.2 or higher

What is actually happening?

npm audit is saying that
\glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751

[alimony]

webpack stopped depending on a vulnerable version of watchpack in version 5.38: https://github.com/webpack/webpack/releases/tag/v5.38.0 Before that it used watchpack 2.0.0 that used chokidar, in version 2.2.0 they switched over to native listeners.

[dosstx]

Can someone explain the above to me? Then, how do I fix this issue?

[Tofandel]

By switching to @vue/cli-service^5.0.0-beta.2 and latest webpack... None of the vulnerability matter anyways unless you're running a node-js server with those packages. So it might matter if using nuxt

[N1GHTR4NG3R]

Can you explain how too switch please.

Currently I have just re-installed Vue, and am getting 9 Moderate security risks, All of which are Regular expression denial of service which are dependencies of the following:

@vue/cli-plugin-eslint [dev]
@vue/cli-plugin-typescript [dev]
@vue/cli-service [dev]
With the path pointing too chokidar.

Then the same again but the path pointing too glob-parent.

I also have 3 node-sass High Priority errors with node-sass relating to issue #6467

In regards to running a node-js server, There is an awful lot of people that run node-js servers, so saying it doesn't matter isn't true.

[haoqunjiang]

https://overreacted.io/npm-audit-broken-by-design/

NPM audit is broken. This is not a real vulnerability in almost every use case of Vue CLI. So I'm closing this issue.

[dosstx]

@Tricky-Ricky I fixed it by simply updating vue cli to latest 4x version (I didn't update to 5x).

If there are still some threats, you can also do an 'npm force resolutions' hot fix .

I agree with @sodatea about npm being broken, but it's impossible to convince security teams that and we often can't simply dimiss it. This is nothing against Vue-CLI, it's just the sad state of affairs when using npm audit.