8 high severity vulnerabilities #1
Comments
Vue 2.7 is actually the latest in the 2.x series. Vue 3 introduced some breaking changes and new features I'm not completely familiar with, and thus decided to start with Vue 2 to get moving fast. That being said there was a lot of shuffling around I did with babel and other build tool versions in order to try to fix this issue with This is definitely something that needs fixing before going live and I'll come back to it as soon as I'm finished with the basic functionalities. If someone wants to contribute this would be a nice first issue to tackle. Also Vue 2 end of life is due by the end of 2023, so making the migration is something we'll have to put in the roadmap.
Great, let's have this open until we have a fix; this issue is blocking production but we are not there yet.
I have fixed it here #2
Thanks again for the contribution @diazemiliano. But I wanted to go a bit deeper into this issue and here's what I could find. The problem, as you correctly point out in the PR, seems to be CVE-2021-35065. This is an issue with glob-parent 6.0.0. Now looking closer at the dependency tree after doing an Chokidar is a NodeJS library used as a replacement for Moreover both libraries have dismissed the issue claiming it to be a false positive since apparently Issues with the vulnerability scanners and their databases are not that uncommon and they can occur even after we migrate to Vue 3. Regardless of all this, your PR did work without breaking stuff and obviously made the audit pass, so I think we can safely close this issue for now. Thanks again!
Great, thanks. Yes, the vulnerability is solved in version 6.0.1.
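To make the "go deeper into the dependency tree" step above reproducible, here is an added example script (not the project's code and not the fix from the PR) that walks a package-lock.json in lockfileVersion 2 or 3 shape, lists every installed copy of glob-parent, reports which package pulls each copy in, flags the copies inside the range this thread names (6.0.0 flagged, 6.0.1 fixed), and prints a package.json "overrides" fragment scoped to the offending requester so unaffected copies are left alone. The sample lockfile inside the script is constructed for illustration; the real tree, package names and versions will differ.

```javascript
// Added example, not part of the repository. Walks a lockfileVersion 2/3 "packages"
// map (npm 7+); lockfileVersion 1 uses a nested "dependencies" tree and is not handled.

// Constructed sample lockfile. Names, versions and nesting are illustrative only and
// do not describe the real dependency tree of any package.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { chokidar: "^3.5.3", "fast-glob": "^3.2.12" } },
    "node_modules/chokidar": { version: "3.5.3", dependencies: { "glob-parent": "~5.1.2" } },
    "node_modules/glob-parent": { version: "5.1.2" },
    "node_modules/fast-glob": { version: "3.2.12", dependencies: { "glob-parent": "^6.0.0" } },
    "node_modules/fast-glob/node_modules/glob-parent": { version: "6.0.0" },
  },
};

// Affected range as stated in this thread: 6.0.0 is flagged, 6.0.1 is the fix.
const AFFECTED = { name: "glob-parent", introduced: "6.0.0", fixed: "6.0.1" };

// Minimal x.y.z parser; enough for lockfile versions, no prerelease handling.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Node's lookup rule applied to lockfile paths: try <from>/node_modules/<name>,
// then each ancestor's node_modules, ending at the root "node_modules/<name>".
function resolveDep(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Package name from a lockfile path; keeps the scope for "@scope/pkg".
function nameOf(lockPath) {
  if (lockPath === "") return ".";
  return lockPath.slice(lockPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Every installed copy of `name` as { path, version, requiredBy: [requester names] }.
function findCopies(lock, name) {
  const copies = new Map();
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path !== "" && nameOf(path) === name) {
      copies.set(path, { path, version: entry.version, requiredBy: [] });
    }
  }
  for (const [path, entry] of Object.entries(lock.packages)) {
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (!(name in deps)) continue;
    const target = resolveDep(lock, path, name);
    if (target && copies.has(target)) copies.get(target).requiredBy.push(nameOf(path));
  }
  return [...copies.values()];
}

function inAffectedRange(version, range) {
  return compareVersions(version, range.introduced) >= 0 && compareVersions(version, range.fixed) < 0;
}

function vulnerableCopies(lock, range) {
  return findCopies(lock, range.name).filter((c) => inAffectedRange(c.version, range));
}

// package.json "overrides" fragment pinning only the affected copies, scoped under
// the package that requires them, so copies outside the range are not touched.
function overridesFor(vulnerable, range) {
  const overrides = {};
  for (const copy of vulnerable) {
    for (const requester of copy.requiredBy) {
      if (requester === ".") { overrides[range.name] = "^" + range.fixed; continue; }
      overrides[requester] = { ...(overrides[requester] || {}), [range.name]: "^" + range.fixed };
    }
  }
  return overrides;
}

// Usage: node audit-copies.js [path/to/package-lock.json]; without an argument the
// constructed sample is used.
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const c of findCopies(lock, AFFECTED.name)) {
    const flag = inAffectedRange(c.version, AFFECTED) ? "AFFECTED" : "ok";
    console.log(`${c.path} ${c.version} ${flag} <- ${c.requiredBy.join(", ")}`);
  }
  console.log(JSON.stringify({ overrides: overridesFor(vulnerableCopies(lock, AFFECTED), AFFECTED) }, null, 2));
}
```

The scoped override is deliberate: a bare "glob-parent": "^6.0.1" at the top level would also replace 5.x copies that other packages pinned on purpose, which is the kind of shuffling that breaks builds. Re-run npm audit after changing overrides; if a scanner still flags a range the maintainers have declared a false positive, that is a database problem, not something a pin will fix.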
This web app is using old libraries which have security issues. Building financial tools implies we should do everything in our hands to have better security, and using old libraries is giving a big advantage to attackers. Here is the npm output
I never worked with vue or nuxt, but just checking the package.json file I see nuxt: ^2.15.8 and the current version is 3.4.1, same with vue: ^2.7.10, current version is 3.2.47. Please upgrade all libraries; we can't encourage users to use a vulnerable app and risk being hacked and losing sats.