Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade webpack-dev-server to resolve security vulnerability #6690

Closed
luc122c opened this issue Sep 12, 2021 · 1 comment
Closed

Upgrade webpack-dev-server to resolve security vulnerability #6690

luc122c opened this issue Sep 12, 2021 · 1 comment

Comments

@luc122c
Copy link

luc122c commented Sep 12, 2021

Version

4.5.13

Reproduction link

github.com/luc122c/emoji-link

Environment info

Environment Info:

  System:
    OS: macOS 11.5.2
    CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
  Binaries:
    Node: 16.8.0 - /usr/local/bin/node
    Yarn: 1.22.11 - /usr/local/bin/yarn
    npm: 7.21.0 - /usr/local/bin/npm
  Browsers:
    Chrome: 93.0.4577.63
    Edge: Not Found
    Firefox: 91.0.2
    Safari: 14.1.2
  npmPackages:
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-helper-vue-transform-on:  1.0.2 
    @vue/babel-plugin-jsx:  1.0.7 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  5.0.0-beta.3 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli-overlay:  4.5.13 
    @vue/cli-plugin-babel: ^5.0.0-beta.3 => 5.0.0-beta.3 
    @vue/cli-plugin-eslint: ~4.5.0 => 4.5.13 
    @vue/cli-plugin-router:  4.5.13 
    @vue/cli-plugin-unit-jest: ^5.0.0-beta.3 => 5.0.0-beta.3 
    @vue/cli-plugin-vuex:  4.5.13 
    @vue/cli-service: ~4.5.0 => 4.5.13 
    @vue/cli-shared-utils:  4.5.13 (5.0.0-beta.3)
    @vue/compiler-core:  3.2.11 
    @vue/compiler-dom:  3.2.11 
    @vue/compiler-sfc: ^3.2.9 => 3.2.11 
    @vue/compiler-ssr:  3.2.11 
    @vue/component-compiler-utils:  3.2.2 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/reactivity:  3.2.11 
    @vue/ref-transform:  3.2.11 
    @vue/runtime-core:  3.2.11 
    @vue/runtime-dom:  3.2.11 
    @vue/shared:  3.2.11 
    @vue/test-utils: ^2.0.0-rc.14 => 2.0.0-rc.14 
    @vue/web-component-wrapper:  1.3.0 
    eslint-plugin-vue: ^7.0.0 => 7.17.0 
    jest-serializer-vue:  2.0.2 
    typescript: ~4.4.2 => 4.4.3 
    vue: ^3.2.9 => 3.2.11 
    vue-eslint-parser:  7.11.0 
    vue-hot-reload-api:  2.3.4 
    vue-jest: ^5.0.0-alpha.10 => 5.0.0-alpha.10 
    vue-loader:  15.9.8 (16.5.0)
    vue-style-loader:  4.1.3 
    vue-template-es2015-compiler:  1.9.1 
  npmGlobalPackages:
    @vue/cli: 4.5.13

Steps to reproduce

All projects with @vue/cli-service > webpack-dev-server > ansi-html will be vulnerable.

What is expected?

No security vulnerability

What is actually happening?

Project is vulnerable via Uncontrolled Resource Consumption in ansi-html

Security advisory here: GHSA-whgm-jr23-g3j9
Resolution here: webpack/webpack-dev-server#3801
@haoqunjiang
Copy link
Member

This doesn't expose any real vulnerability.

We are working on the upgrade though: #6669

@screetBloom screetBloom mentioned this issue Oct 12, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@haoqunjiang @luc122c