
vue-renderer #6780

Closed
webdawe opened this issue Dec 11, 2019 · 7 comments

Comments

@webdawe

webdawe commented Dec 11, 2019

Version

v2.10.2

Reproduction link

https://nodesecurity.io/advisories/1426

Steps to reproduce

npm audit

What is expected ?

0 vulnerability

What is actually happening?

found 1 moderate severity vulnerability in 13460 scanned packages
1 vulnerability requires manual review. See the full report for details.
Moderate Cross-Site Scripting

Package serialize-javascript

Patched in >=2.1.1

Dependency of nuxt

Path nuxt > @nuxt/core > @nuxt/vue-renderer > vue-server-renderer > serialize-javascript

More info https://nodesecurity.io/advisories/1426

Additional comments?

please advise how we can fix it

ghost added the cmty:bug-report label Dec 11, 2019
@FreekVR

FreekVR commented Dec 11, 2019

+1, looks like a version bump in the yarn.lock would be in order as there is an updated version of the package available to mitigate the issue (2.1.1). Doesn't look like there are any breaking changes in the update.

Also, it looks like this would only affect users who install nuxt using yarn at the moment, as there is no package-lock.json for npm users, so for NPM consumers npm update should suffice to mitigate the issue.

Yarn users can work around the issue for now using a custom module resolution in your package.json:
https://yarnpkg.com/lang/en/docs/selective-version-resolutions/
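The advice above depends on knowing every place the vulnerable package sits in the installed tree, not just the top-level copy. The following is an added example, not code from the issue or from the Nuxt project: a small Node script that walks the nested `dependencies` maps of an npm v1 `package-lock.json` and lists every copy of a package whose version is below the patched release. The lockfile object, the function names (`findPackagePaths`, `unpatchedPaths`, `compareVersions`) and the versions it contains are constructed to mirror the path quoted in the issue; a hoisted, already patched top-level copy is included to show that it does not cover a nested unpatched one.

```javascript
// Added example (not from the issue or the Nuxt project): walk an npm v1
// package-lock.json tree and report every nested copy of a package whose
// version is below the patched release named in the advisory.
// The lockfile below is constructed to mirror the path quoted in the issue;
// in practice you would JSON.parse(fs.readFileSync("package-lock.json")).

const lockfile = {
  name: "my-app",
  lockfileVersion: 1,
  dependencies: {
    nuxt: {
      version: "2.10.2",
      requires: { "@nuxt/core": "2.10.2" },
      dependencies: {
        "@nuxt/core": {
          version: "2.10.2",
          dependencies: {
            "@nuxt/vue-renderer": {
              version: "2.10.2",
              dependencies: {
                "vue-server-renderer": {
                  version: "2.6.10",
                  dependencies: {
                    // The nested, unpatched copy the advisory flags (constructed).
                    "serialize-javascript": { version: "2.1.0" },
                  },
                },
              },
            },
          },
        },
      },
    },
    // A hoisted, already patched copy at the top level (constructed).
    "serialize-javascript": { version: "2.1.1" },
  },
};

// Compare two dotted numeric versions ("2.10.2" vs "2.9.0").
// Returns a negative number, zero or a positive number like a comparator.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da - db;
  }
  return 0;
}

// Depth-first walk over nested "dependencies" maps, collecting every copy of
// `name` together with its full path, in the same "a > b > c" notation that
// npm audit prints.
function findPackagePaths(lock, name) {
  const hits = [];
  function walk(deps, trail) {
    for (const [dep, info] of Object.entries(deps || {})) {
      const path = [...trail, dep];
      if (dep === name) {
        hits.push({ path: path.join(" > "), version: info.version });
      }
      walk(info.dependencies, path);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Only copies still below `patchedIn` need action. A patched copy hoisted to
// the top level does not protect a nested unpatched one: Node resolves the
// nearest node_modules first, so vue-server-renderer still loads 2.1.0.
function unpatchedPaths(lock, name, patchedIn) {
  return findPackagePaths(lock, name).filter(
    (hit) => compareVersions(hit.version, patchedIn) < 0
  );
}

for (const hit of unpatchedPaths(lockfile, "serialize-javascript", "2.1.1")) {
  console.log(`unpatched ${hit.version} at ${hit.path}`);
}
```

Run it once before and once after applying the fix (a lockfile bump, `npm update`, or for Yarn a `"resolutions": { "**/serialize-javascript": "^2.1.1" }` entry in package.json); an empty result on the second run is the check that the nested copy was actually replaced rather than just shadowed by a newer top-level one.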

@webdawe
Author

webdawe commented Dec 11, 2019

Hey Mate,
NPM has a package-lock.json, and this vulnerability is inside the package-lock.json:
@nuxt/core > @nuxt/vue-renderer > vue-server-renderer > serialize-javascript
So how can we update just serialize-javascript?
Thanks
Anil

@FreekVR

FreekVR commented Dec 11, 2019

Hey @webdawe ,

If simply running npm update doesn't work due to a locked dependency in the tree somewhere, as a workaround, you could look into npm-shrinkwrap. Though I have no personal experience with it, as we've been working with yarn for a while now:

https://nodejs.org/en/blog/npm/managing-node-js-dependencies-with-shrinkwrap/

@webdawe
Author

webdawe commented Dec 11, 2019

Thanks @FreekVR .

@ThomasR

ThomasR commented Dec 13, 2019

Issue will be fixed in Vue with vuejs/vue#10904 or vuejs/vue#10914

@posva
Collaborator

posva commented Dec 13, 2019

This has been released as a patch for Vue.

@aldarund

nuxt 2.11 requires vue 2.6.11, so this is fixed
