I just tried creating a new project with @vue/cli 4.3.1
, fresh install of Ubuntu 19.10, npm 6.14.4
. When I cd
into the project and run npm install
, I get the following:
found 1 high severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
Running npm audit fix
produces
fixed 0 of 1 vulnerability in 1285 scanned packages
1 vulnerability required manual review and could not be updated
Upon running npm audit
, I get
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ http-proxy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @vue/cli-service > webpack-dev-server > │
│ │ http-proxy-middleware > http-proxy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1486 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Is this expected? Normal? Possible to fix? It worries me that this happens with such a clean environment where nothing malicious was installed, but then I'm also not an npm expert... What should I do here?
To solve the error "'vue-cli-service' is not recognized as an internal or external command, operable program or batch file", install the @vue/cli-service package globally by running npm install -g @vue/cli-service and clear your npm cache.
The CLI ( @vue/cli ) is a globally installed npm package and provides the vue command in your terminal. It provides the ability to quickly scaffold a new project via vue create . You can also manage your projects using a graphical user interface via vue ui .
Run the npm audit fix subcommand to automatically install compatible updates to vulnerable dependencies. Run the recommended commands individually to install updates to vulnerable dependencies. (Some updates may be semver-breaking changes; for more information, see "SEMVER warnings".)
I was setting up a new Vue project and got the same issue. I was able to find a post on Github Vue/Vue-cli where they address the issue:
https://github.com/vuejs/vue-cli/issues/5489#issuecomment-629326414
That post says they are tracking the issue, but as a note:
Note: as it's only used for the local development server, it's not an actual security vulnerability on Vue CLI projects. Feel free to ignore it if @vue/cli-service is the only source of this dependency in your project.
So, I have gone ahead and ignored it for the time being. I hope that when they update the NPM package, it will use an updated http-proxy, which addresses the issue.
According to the tracker itself, it says it is fixed in http-proxy version 1.18.1.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With