Vulnerability on vue-server-renderer

[Berkmann18]

Version

2.6.10

Reproduction link

https://github.com/meditatingdragon/starter-gridsome-vuetify

Steps to reproduce

Have gridsome as a dependency (or whatever depends on vue-server-renderer) and observe GitHub and Snyk.

What is expected?

No vulnerabilities

What is actually happening?

XSS vulnerability caused by an outdated version of serialize-javascript (i.e. older than v2.1.1).

---

I tried highlighting this issue in the discord server but it didn't seem that people cared.
https://npmjs.com/advisories/1426

[LinusBorg]

It seems this doesn't affect us since the advisory states:

This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions.

... and vue-server-renderer runs in a Node.js environment.

I may be missing something, and of course this dependency should be updated - but there doesn'T seem to be any immediate risk for users of this package.

[Berkmann18]

There may be no immediate risk, however having GitHub, Snyk and NPM mention this vulnerability (which doesn't play nice with InfoSec folks who I work for) is kinda annoying.

I mentioned to others that I didn't think it was going to affect the website I'm working on but I'll rather not have NPM+Snyk+GH being noisy you know.

[LinusBorg]

Of course, I understand that. It was just important to me that readers are aware of the low risk level.

[posva]

Duplicate of #10914

[Berkmann18]

@posva How is the issue a duplicate of the PR?