2 low vulnerabilities in @vue/cli-plugin-e2e-cypress #5413

Closed
bdllhdrss3 opened this issue Apr 21, 2020 · 7 comments
@bdllhdrss3

Version

4.3.1

Reproduction link

https://github.com/bdllhdrss3/raedar_web

[Screenshot (13): image attached to the original issue, not reproduced here]

Environment info

System:
    OS: Windows 10 10.0.18363
    CPU: (4) x64 Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz  
  Binaries:
    Node: 12.16.2 - C:\Program Files\nodejs\node.EXE       
    Yarn: 1.22.4 - C:\Program Files (x86)\Yarn\bin\yarn.CMD
    npm: 6.14.4 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: 44.18362.449.0
  npmPackages:
    @vue/babel-helper-vue-jsx-merge-props:  1.0.0
    @vue/babel-plugin-transform-vue-jsx:  1.1.2
    @vue/babel-preset-app:  4.3.1
    @vue/babel-preset-jsx:  1.1.2
    @vue/babel-sugar-functional-vue:  1.1.2
    @vue/babel-sugar-inject-h:  1.1.2
    @vue/babel-sugar-v-model:  1.1.2
    @vue/babel-sugar-v-on:  1.1.2
    @vue/cli-overlay:  4.3.1
    @vue/cli-plugin-babel: ^4.3.0 => 4.3.1
    @vue/cli-plugin-e2e-cypress: ~4.3.0 => 4.3.1
    @vue/cli-plugin-eslint: ^4.3.0 => 4.3.1
    @vue/cli-plugin-pwa: ^4.3.0 => 4.3.1
    @vue/cli-plugin-router: ^4.3.0 => 4.3.1
    @vue/cli-plugin-unit-jest: ^4.3.0 => 4.3.1
    @vue/cli-plugin-vuex: ^4.3.0 => 4.3.1
    @vue/cli-service: ^4.3.0 => 4.3.1
    @vue/cli-shared-utils:  4.3.1
    @vue/component-compiler-utils:  3.1.2
    @vue/eslint-config-prettier: ^6.0.0 => 6.0.0
    @vue/preload-webpack-plugin:  1.1.1
    @vue/test-utils: 1.0.0-beta.31 => 1.0.0-beta.31
    @vue/web-component-wrapper:  1.2.0
    eslint-plugin-vue: ^6.2.2 => 6.2.2
    jest-serializer-vue:  2.0.2
    vue: ^2.6.11 => 2.6.11
    vue-eslint-parser:  7.0.0
    vue-hot-reload-api:  2.3.4
    vue-jest:  3.0.5
    vue-loader:  15.9.1
    vue-router: ^3.1.6 => 3.1.6
    vue-style-loader:  4.1.2
    vue-template-compiler: ^2.6.11 => 2.6.11
    vue-template-es2015-compiler:  1.9.1
    vuex: ^3.1.3 => 3.1.3
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

- clone repo
- yarn install
- yarn audit

What is expected?

It should produce zero vulnerabilities with yarn audit.

What is actually happening?

If I audit with yarn audit, it produces 2 low vulnerabilities in the project after installing Cypress with yarn add @vue/cli-plugin-e2e-cypress.

@spinningarrow

Looks like it's coming from Cypress: cypress-io/cypress#6793

@zhao-li

zhao-li commented Aug 14, 2020

This PR (#5787) should address this issue as well.

@gustawdaniel

Now we have three:

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-plugin-e2e-cypress [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-plugin-e2e-cypress > cypress > extract-zip > mkdirp │
│               │ > minimist                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-plugin-e2e-cypress [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-plugin-e2e-cypress > cypress > minimist             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.19                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-plugin-e2e-cypress [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-plugin-e2e-cypress > cypress > lodash               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1523                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 low severity vulnerabilities in 1369 scanned packages
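The reproduction in this thread is yarn audit after installing the plugin, and the table above gives each finding's severity, its "Patched in" range, the dependency path and whether it is reached only through a dev dependency. The following Python is an added example (not code from vue-cli, Cypress or anyone in this thread) showing how a CI gate would consume such findings: it parses the range grammar npm prints in "Patched in" (space-separated comparators ANDed, alternatives joined by ||), checks an installed version against it, and decides whether to fail the build from a severity threshold and from whether the finding is dev-only. The finding records, their installed versions and their field names are constructed for this example and do not reproduce the real npm audit --json schema.

```python
import operator
import re
from typing import Dict, List, Tuple

# Constructed sample findings, shaped after the three rows in the audit
# table in this thread. The "installed" versions are invented so that the
# check exercises both a still-vulnerable and an already-patched case;
# they are not taken from the issue.
SAMPLE_FINDINGS: List[Dict] = [
    {"severity": "low", "module": "minimist", "installed": "1.2.0", "dev": True,
     "patched_in": ">=0.2.1 <1.0.0 || >=1.2.3",
     "path": "@vue/cli-plugin-e2e-cypress > cypress > extract-zip > mkdirp > minimist"},
    {"severity": "low", "module": "minimist", "installed": "1.2.5", "dev": True,
     "patched_in": ">=0.2.1 <1.0.0 || >=1.2.3",
     "path": "@vue/cli-plugin-e2e-cypress > cypress > minimist"},
    {"severity": "low", "module": "lodash", "installed": "4.17.15", "dev": True,
     "patched_in": ">=4.17.19",
     "path": "@vue/cli-plugin-e2e-cypress > cypress > lodash"},
]

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "=": operator.eq}
# One comparator: optional operator, optional "v", then MAJOR.MINOR.PATCH.
_COMPARATOR = re.compile(r"(>=|<=|>|<|=)?\s*v?(\d+\.\d+\.\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse MAJOR.MINOR.PATCH into a comparable tuple.

    A pre-release suffix such as -beta.1 is tolerated but ignored, which is a
    simplification of full semver ordering.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?", version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def satisfies(version: str, range_expr: str) -> bool:
    """True if version lies inside the range.

    The grammar is the subset npm audit prints under "Patched in":
    space-separated comparators are ANDed, "||" separates alternatives.
    """
    v = parse_version(version)
    for alternative in range_expr.split("||"):
        comparators = _COMPARATOR.findall(alternative)
        if not comparators:
            raise ValueError(f"unparseable range alternative: {alternative!r}")
        if all(_OPS[op or "="](v, parse_version(ver)) for op, ver in comparators):
            return True
    return False


def is_vulnerable(finding: Dict) -> bool:
    """A finding is still open when the installed version is outside 'Patched in'."""
    return not satisfies(finding["installed"], finding["patched_in"])


def triage(findings: List[Dict], fail_on: str = "moderate",
           include_dev: bool = False) -> Tuple[bool, List[str]]:
    """Decide whether a CI run should fail and build one report line per finding.

    Only findings that are unpatched, at or above the fail_on severity and,
    unless include_dev is set, reachable through a non-dev dependency fail the
    build. Dev-only findings are still listed so they are not silently ignored.
    """
    threshold = SEVERITY_RANK[fail_on]
    fail = False
    report = []
    for f in findings:
        still_open = is_vulnerable(f)
        status = "UNPATCHED" if still_open else "patched"
        scope = "dev" if f["dev"] else "prod"
        report.append(f"{f['severity']:<9}{f['module']:<10}{f['installed']:<9}"
                      f"{status:<10}[{scope}] {f['path']}")
        if still_open and SEVERITY_RANK[f["severity"]] >= threshold \
                and (include_dev or not f["dev"]):
            fail = True
    return fail, report


if __name__ == "__main__":
    should_fail, lines = triage(SAMPLE_FINDINGS, fail_on="low", include_dev=True)
    print("\n".join(lines))
    print("CI gate:", "FAIL" if should_fail else "pass")
```

With the defaults the three dev-only low findings are reported but do not fail the build; with fail_on="low" and include_dev=True, as in the script's own run, the two unpatched ones do. Separating "is the installed version outside the patched range" from "does this finding meet our policy" keeps the range logic reusable while the policy (threshold, treatment of dev dependencies) stays a one-line decision.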

@gustawdaniel

I created a pull request:

that fixes both problems with the jest and cypress integration security warnings.

@gustawdaniel

Can I please ask @sodatea for a review and merge of these changes?

@rtrigoso

rtrigoso commented Feb 3, 2022

Waiting on the merge of this pull?

@sodatea
Member

sodatea commented Feb 17, 2022

Fixed in v5.

@sodatea sodatea closed this as completed Feb 17, 2022