
@vue/cli-service dev dependency causing issue in github- potential security vulnerability #6376

Closed
frankos333 opened this issue Mar 24, 2021 · 1 comment

@frankos333

Version

5.0.0-alpha.8

Environment info

Environment Info:

  System:
    OS: Windows 10 10.0.19042
    CPU: (16) x64 AMD Ryzen 7 4800H with Radeon Graphics
  Binaries:
    Node: 14.15.0 - C:\Program Files\nodejs\node.EXE
    Yarn: Not Found
    npm: 6.14.8 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Chrome: Not Found
    Edge: Spartan (44.19041.423.0), Chromium (89.0.774.57)
  npmPackages:
    @vue/babel-helper-vue-jsx-merge-props:  1.0.0
    @vue/babel-helper-vue-transform-on:  1.0.0-rc.2
    @vue/babel-plugin-jsx:  1.0.0-rc.3
    @vue/babel-plugin-transform-vue-jsx:  1.1.2
    @vue/babel-preset-app:  4.5.6
    @vue/babel-preset-jsx:  1.1.2
    @vue/babel-sugar-functional-vue:  1.1.2
    @vue/babel-sugar-inject-h:  1.1.2
    @vue/babel-sugar-v-model:  1.1.2
    @vue/babel-sugar-v-on:  1.1.2
    @vue/cli-overlay:  4.5.6
    @vue/cli-plugin-babel: ~4.5.0 => 4.5.6
    @vue/cli-plugin-eslint: ~4.5.0 => 4.5.6
    @vue/cli-plugin-router: ~4.5.0 => 4.5.6
    @vue/cli-plugin-unit-jest: ^4.5.9 => 4.5.9
    @vue/cli-plugin-vuex: ~4.5.0 => 4.5.6
    @vue/cli-service: ~4.5.0 => 4.5.6
    @vue/cli-shared-utils:  4.5.6 (4.5.9)
    @vue/component-compiler-utils:  3.2.0
    @vue/eslint-config-airbnb: ^5.0.2 => 5.1.0
    @vue/preload-webpack-plugin:  1.1.2
    @vue/test-utils: ^1.1.3 => 1.1.3
    @vue/web-component-wrapper:  1.2.0
    babel-helper-vue-jsx-merge-props:  2.0.3
    eslint-plugin-vue: ^6.2.2 => 6.2.2
    jest-serializer-vue:  2.0.2
    vue: ^2.6.12 => 2.6.12
    vue-cli-plugin-element: ~1.0.1 => 1.0.1
    vue-eslint-parser:  7.1.0
    vue-hot-reload-api:  2.3.4
    vue-i18n: ^8.24.2 => 8.24.2
    vue-jest:  3.0.7
    vue-loader:  15.9.3 (16.1.2)
    vue-router: ^3.5.1 => 3.5.1
    vue-style-loader:  4.1.2
    vue-template-compiler: ^2.6.11 => 2.6.12
    vue-template-es2015-compiler:  1.9.1
    vuex: ^3.6.2 => 3.6.2
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

Open a vue project with those dependencies and upload it to github:

{
  "dependencies": {
    "@vue/cli-plugin-unit-jest": "^4.5.9",
    "@vue/test-utils": "^1.1.3",
    "axios": "^0.21.1",
    "core-js": "^3.8.3",
    "element-ui": "^2.15.0",
    "vue": "^2.6.12",
    "vue-i18n": "^8.24.2",
    "vue-router": "^3.5.1",
    "vuex": "^3.6.2"
  },
  "devDependencies": {
    "@vue/cli-plugin-babel": "~4.5.0",
    "@vue/cli-plugin-eslint": "~4.5.0",
    "@vue/cli-plugin-router": "~4.5.0",
    "@vue/cli-plugin-vuex": "~4.5.0",
    "@vue/cli-service": "~4.5.0",
    "@vue/eslint-config-airbnb": "^5.0.2",
    "babel-eslint": "^10.1.0",
    "babel-plugin-component": "^1.1.1",
    "eslint": "^6.7.2",
    "eslint-plugin-import": "^2.20.2",
    "eslint-plugin-vue": "^6.2.2",
    "node-sass": "^4.14.1",
    "sass-loader": "^8.0.2",
    "vue-cli-plugin-element": "~1.0.1",
    "vue-template-compiler": "^2.6.11"
  }
}

Our project is built with vue-js, and the dev dependency of vue-cli service has a required dependency called 'ssri'.
It currently uses version 6.0.1, while the updated version is 8.0.1.
This shows us a vulnerability alert on GitHub saying:
We found potential security vulnerabilities in your dependencies.
Dependencies defined in these manifest files have known security vulnerabilities and should be updated.
It is important to mention that the vulnerable dependency is located in the package-lock.json file.
What can we do about it?
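The alert points at package-lock.json, so the first triage step is to find which top-level dependency pins the flagged transitive package and whether that copy is dev-only. As an added example, not code from the issue or from the vue-cli project, the script below walks a lockfileVersion 1 package-lock.json (the format npm 6, as in the environment above, writes) and reports every installed copy of a package, the nesting chain that pulls it in, and whether it is below a minimum version. The sample lockfile and the `@vue/cli-service > cacache > ssri` chain are constructed for illustration (the real chain may differ), and 8.0.1 is used only because the issue names it, not as a verified fix version.

```javascript
// Constructed sample of an npm 6 (lockfileVersion 1) package-lock.json.
// Nested "dependencies" objects are copies installed under a parent's
// node_modules; "dev": true marks packages only reached via devDependencies.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "@vue/cli-service": {
      version: "4.5.6",
      dev: true,
      requires: { cacache: "^13.0.1" },
      dependencies: {
        cacache: {
          version: "13.0.1",
          dev: true,
          requires: { ssri: "^6.0.1" },
          dependencies: { ssri: { version: "6.0.1", dev: true } }
        }
      }
    },
    // A second, hoisted copy at the top level, already at the newer version.
    ssri: { version: "8.0.1" }
  }
};

// Simplified numeric compare on major.minor.patch; prerelease tags are dropped.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}
function versionLt(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Return every installed copy of `name` with its nesting path and a flag
// telling whether it is older than `minVersion`.
function findPackage(lock, name, minVersion) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = [...path, dep];
      if (dep === name) {
        hits.push({ path: here.join(" > "), version: info.version,
                    dev: Boolean(info.dev),
                    belowMinimum: versionLt(info.version, minVersion) });
      }
      walk(info.dependencies, here); // recurse into nested node_modules
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

for (const h of findPackage(sampleLock, "ssri", "8.0.1")) console.log(h);
```

Point the same function at `JSON.parse(fs.readFileSync("package-lock.json"))` to see which chain in a real project pins the old copy; a `dev: true` hit means the package is not shipped in the production build, which matters for the risk assessment even though the alert still fires.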

@sodatea (Member)

sodatea commented Mar 25, 2021

Duplicate of #6375

@sodatea sodatea marked this as a duplicate of #6375 Mar 25, 2021
@sodatea sodatea closed this as completed Mar 25, 2021