
how to fix vue-cli-service vulnerability?

I just tried creating a new project with @vue/cli 4.3.1, fresh install of Ubuntu 19.10, npm 6.14.4. When I cd into the project and run npm install, I get the following:

found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Running npm audit fix produces

fixed 0 of 1 vulnerability in 1285 scanned packages
  1 vulnerability required manual review and could not be updated

Upon running npm audit, I get

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ http-proxy                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-service > webpack-dev-server >                      │
│               │ http-proxy-middleware > http-proxy                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1486                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Is this expected? Normal? Possible to fix? It worries me that this happens with such a clean environment where nothing malicious was installed, but then I'm also not an npm expert... What should I do here?

Tobias Feil asked May 18 '20 07:05



1 Answer

I was setting up a new Vue project and got the same issue. I was able to find a post on Github Vue/Vue-cli where they address the issue:

https://github.com/vuejs/vue-cli/issues/5489#issuecomment-629326414

That post says they are tracking the issue, but as a note:

Note: as it's only used for the local development server, it's not an actual security vulnerability on Vue CLI projects. Feel free to ignore it if @vue/cli-service is the only source of this dependency in your project.

So, I have gone ahead and ignored it for the time being. I hope that when they update the NPM package, it will use an updated http-proxy, which addresses the issue.

According to the tracker itself, it says it is fixed in http-proxy version 1.18.1.

Aalok answered Oct 09 '22 10:10
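The advice in the answer above hinges on one condition: the vulnerable package must be reachable only through @vue/cli-service (a devDependency), never through a runtime dependency. The script below is an added example, not code from the question, the answer or the Vue CLI project, that checks that condition mechanically. It reads the `npm audit --json` report (the shape shown is a constructed sample modelled on npm 6's "advisories" output; the field names `advisories`, `findings`, `paths` and `patched_versions` are an assumption and may differ between npm versions) together with a constructed package.json, and flags each advisory as dev-only or as reaching runtime dependencies. Run it with Node against a real report by replacing the two constructed objects with `JSON.parse` of the actual files.

```javascript
// Added example (not from the question or answer): classify npm audit
// advisories by whether every dependency path is rooted in a devDependency.
// Assumption: the report follows the npm 6 `npm audit --json` shape.

// Constructed package.json fragment, shaped like a fresh `vue create` project:
// @vue/cli-service is a devDependency, vue is a runtime dependency.
const packageJson = {
  dependencies: { vue: "^2.6.11" },
  devDependencies: { "@vue/cli-service": "~4.3.0" },
};

// Constructed `npm audit --json` excerpt mirroring the table in the question.
const auditReport = {
  advisories: {
    "1486": {
      id: 1486,
      module_name: "http-proxy",
      severity: "high",
      title: "Denial of Service",
      patched_versions: "<0.0.0", // npm 6 uses this range for "no patch available"
      findings: [
        {
          version: "1.18.0",
          paths: ["@vue/cli-service>webpack-dev-server>http-proxy-middleware>http-proxy"],
        },
      ],
    },
  },
};

// Root package of an "a>b>c" dependency path, i.e. the direct dependency
// of the project that pulls the vulnerable package in.
function rootOf(path) {
  return path.split(">")[0];
}

// True when the root is listed under devDependencies and not also under
// dependencies; a package listed in both is treated as runtime.
function isDevOnlyRoot(root, pkg) {
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj || {}, key);
  return has(pkg.devDependencies, root) && !has(pkg.dependencies, root);
}

// One record per advisory: which direct dependencies reach it, whether all of
// them are dev-only, and whether npm reports a patched version.
function classifyAdvisories(report, pkg) {
  return Object.values(report.advisories || {}).map((adv) => {
    const paths = (adv.findings || []).flatMap((f) => f.paths || []);
    const roots = [...new Set(paths.map(rootOf))];
    const devOnly = roots.length > 0 && roots.every((r) => isDevOnlyRoot(r, pkg));
    return {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      roots,
      devOnly,
      patchAvailable: adv.patched_versions !== "<0.0.0",
    };
  });
}

// Human-readable summary lines, one per advisory.
function summarize(report, pkg) {
  return classifyAdvisories(report, pkg).map((c) => {
    const reach = c.devOnly
      ? "dev-only (reached only through devDependencies)"
      : "REACHES RUNTIME DEPENDENCIES";
    const fix = c.patchAvailable ? "patch available" : "no patch available";
    return `${c.severity.toUpperCase()} ${c.module} (#${c.id}): ${reach}; ${fix}; via ${c.roots.join(", ")}`;
  });
}

for (const line of summarize(auditReport, packageJson)) {
  console.log(line);
}
```

For the constructed input this prints a single dev-only, no-patch line for http-proxy, which is the situation the answer says can be tolerated; if the same advisory were also reached through a runtime dependency, the summary would flag it and `npm audit fix` or a manual upgrade would be warranted.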