
The latest version depends on vulnerable packages - Please consider upgrading its dependencies. #24

Open
shadowc opened this issue Sep 5, 2023 · 1 comment

Comments

@shadowc
shadowc commented Sep 5, 2023

# npm audit report

json5  <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
No fix available
node_modules/loader-utils/node_modules/json5
  loader-utils  <=1.4.0
  Depends on vulnerable versions of json5
  node_modules/loader-utils
    generic-names  <=1.0.3
    Depends on vulnerable versions of loader-utils
    node_modules/generic-names
      postcss-modules-sync  *
      Depends on vulnerable versions of generic-names
      Depends on vulnerable versions of postcss
      Depends on vulnerable versions of postcss-modules-local-by-default
      Depends on vulnerable versions of postcss-modules-scope
      node_modules/postcss-modules-sync
        @vue/component-compiler  *
        Depends on vulnerable versions of postcss-modules-sync
        node_modules/@vue/component-compiler
          esbuild-vue  *
          Depends on vulnerable versions of @vue/component-compiler
          node_modules/esbuild-vue


postcss  <7.0.36
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
No fix available
node_modules/postcss-modules-local-by-default/node_modules/postcss
node_modules/postcss-modules-scope/node_modules/postcss
node_modules/postcss-modules-sync/node_modules/postcss
  postcss-modules-local-by-default  <=1.2.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-local-by-default
  postcss-modules-scope  <=1.1.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-scope
@apeschar
Owner

apeschar commented Sep 8, 2023

I'm not sure whether this is fixed in later Vue 2 versions. It might be worth checking. I'm not planning to do so at this time. PRs are welcome.

However, any vulnerabilities won't impact users, unless they are compiling untrusted Vue components.
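Added example, not code from this issue or from esbuild-vue or json5: a simplified model of the object-building step of a JSON5-style parser, showing the prototype-pollution behaviour named in GHSA-9c47-m6qq-7p4h (the parsed object's own prototype is replaced, not the global `Object.prototype`) next to a hardened build step and a check a consumer can run on any parser output. `JSON.parse` stands in for the tokenizer, the sample document is constructed, and the hardened variant is assumed to mirror the upstream fix's approach rather than being its source.

```javascript
'use strict';

// Constructed sample input (not from the issue): a document that carries a
// "__proto__" key, the input shape the advisory describes.
const SAMPLE_INPUT = '{"name":"widget","__proto__":{"isTrusted":true}}';

// Tokenising is not the interesting part, so JSON.parse stands in for a JSON5
// tokenizer. JSON.parse creates "__proto__" as an ordinary own property, so
// Object.entries returns every key/value pair, that one included.
function tokenizePairs(text) {
  return Object.entries(JSON.parse(text));
}

// Unsafe object-building step: plain assignment. For the key "__proto__" this
// does not create a property; it replaces the object's prototype with whatever
// the document supplied.
function buildUnsafe(pairs) {
  const obj = {};
  for (const [key, value] of pairs) obj[key] = value;
  return obj;
}

// Hardened object-building step: Object.defineProperty always creates an own
// data property, so "__proto__" becomes inert data and the prototype chain is
// untouched. (Assumption: this mirrors the approach of the upstream fix; it is
// not the json5 source.)
function buildSafe(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(obj, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return obj;
}

// Defensive check for any object that came out of a third-party parser: does
// it still sit directly on Object.prototype (or on null)?
function hasExpectedPrototype(obj) {
  const proto = Object.getPrototypeOf(obj);
  return proto === Object.prototype || proto === null;
}

// Report what a downstream "trusted operation" would observe for a given
// build step.
function inspect(build, text = SAMPLE_INPUT) {
  const obj = build(tokenizePairs(text));
  return {
    name: obj.name,
    // Inherited, not own: this is how a polluted prototype leaks into logic
    // such as `if (config.isTrusted) ...`.
    isTrusted: obj.isTrusted === true,
    ownProtoKey: Object.prototype.hasOwnProperty.call(obj, '__proto__'),
    prototypeIntact: hasExpectedPrototype(obj),
  };
}

console.log('unsafe build:', inspect(buildUnsafe));
console.log('safe build:  ', inspect(buildSafe));
```

The check in `hasExpectedPrototype` is the part worth keeping in an application: it costs one comparison and catches the case the advisory describes regardless of which parser produced the object. Note that the unsafe variant never touches the global `Object.prototype`, which is why a process-wide probe would miss it.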
