
npm audit is showing latest laravel-mix as using an insecure version of semver (7.3.5) #3364

Open
darrynten opened this issue Jun 23, 2023 · 6 comments


darrynten commented Jun 23, 2023

  • Laravel Mix Version: 6.0.49 (npm list --depth=0)
  • Node Version (node -v): v18.2.0
  • NPM Version (npm -v): 8.9.0
  • OS: macOS

Description:

npm audit is showing latest laravel-mix as using an insecure version of semver (7.3.5)

Steps To Reproduce:

Run npm audit on any laravel-mix project using 6.0.49 or lower

Workaround:

npm audit --omit=dev will pass since laravel-mix is a dev dependency


arborrow commented Jul 9, 2023

Just adding some more details about the packages:
npm list semver
├─┬ laravel-mix@6.0.49
│ ├─┬ babel-loader@8.3.0
│ │ └─┬ make-dir@3.1.0
│ │   └── semver@6.3.0
│ ├─┬ css-loader@5.2.7
│ │ └── semver@7.5.4 deduped
│ ├─┬ postcss-loader@6.2.1
│ │ └── semver@7.5.4 deduped
│ ├── semver@7.5.4
│ └─┬ webpack-notifier@1.15.0
│   └─┬ node-notifier@9.0.1
│     └── semver@7.5.4 deduped


arborrow commented Jul 9, 2023

I think we may be able to resolve this by bumping babel-loader to the latest version. It looks like make-dir, which has the vulnerable version of semver, was removed from babel-loader's package.json file. I did not see anything about any breaking changes from v8 to v9 in https://github.com/babel/babel-loader/releases

@jonathan-gruenhut

Is there any movement on this?


arborrow commented Dec 31, 2023

@jonathan-gruenhut - I think so, I believe the vulnerable version was 7.3.5 and I am now seeing 7.5.4 on my installs:

-- laravel-mix@6.0.49
  +-- babel-loader@8.3.0
  | `-- make-dir@3.1.0
  |   `-- semver@6.3.1 deduped
  +-- css-loader@5.2.7
  | `-- semver@7.5.4
  +-- postcss-loader@6.2.1
  | `-- semver@7.5.4
  +-- semver@7.5.4
  `-- webpack-notifier@1.15.0
    `-- node-notifier@9.0.1
      `-- semver@7.5.4

If I am reading https://nvd.nist.gov/vuln/detail/CVE-2022-25883 correctly, it indicates that the issue was resolved in 7.5.2 (and 6.3.1). Are you still seeing an issue when you run npm audit? Have you tried doing an npm upgrade?

@arborrow

My +1 to close this issue as resolved

@jonathan-gruenhut

Resolved on audit fix, thanks

3 participants