Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vue-server-renderer security advisory #11588

Closed
zoellner opened this issue Aug 11, 2020 · 5 comments
Closed

vue-server-renderer security advisory #11588

zoellner opened this issue Aug 11, 2020 · 5 comments

Comments

@zoellner
Copy link

Version

2.6.11

Reproduction link

https://codesandbox.io/s/naughty-shape-p1plw?fontsize=14&hidenavigation=1&theme=dark

Steps to reproduce

npm install vue-server-renderer 
npm audit

What is expected?

Audit passes

What is actually happening?

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Remote Code Execution                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vue-server-renderer                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vue-server-renderer > serialize-javascript                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1548                            │
@posva
Copy link
Member

posva commented Aug 11, 2020

#11434

Don't open automated issues

@posva posva closed this as completed Aug 11, 2020
@zoellner
Copy link
Author

ok. would have been helpful if there was an issue (not just a PR for this). was looking for it first.

@posva
Copy link
Member

posva commented Aug 11, 2020

There are many... https://github.com/vuejs/vue/issues?q=is%3Aissue+serialize+is%3Aclosed
You even downvoted my comment at #11427

Screenshot 2020-08-11 at 20 54 02

So you deliberately opened a duplicate issue. An issue or a PR have the same tracking and discussions abilities

@zoellner
Copy link
Author

no, I looked again afterwards and discovered that there's a few closed ones. looks like you keep closing all related issues. so no wonder people keep opening them.
It's about discoverability, not discussion ability

@posva
Copy link
Member

posva commented Aug 11, 2020
edited

So you didn't look at first like you said? I took the time to link the issues each time.
re discoverability: Searching for serialize-javascript in issues gives you the results 🙂

@vuejs vuejs locked as spam and limited conversation to collaborators Aug 11, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@posva @zoellner