[6.x] Update laravel mix and sass loader #5203

Merged
merged 1 commit into from Jan 13, 2020

Conversation

@caiquecastro
Contributor

caiquecastro commented Jan 8, 2020

Current laravel mix has a vulnerable dependency

@taylorotwell

Member

taylorotwell commented Jan 8, 2020

Ping @JeffreyWay ... need confirmation on this.

@GrahamCampbell

Member

GrahamCampbell commented Jan 8, 2020

What is the vulnerability, and is it relevant, given that the mix script is not given user input when it is executed?

GrahamCampbell changed the title from "Update laravel mix and sass loader" to "[6.x] Update laravel mix and sass loader" on Jan 8, 2020
@GrahamCampbell

Member

GrahamCampbell commented Jan 8, 2020

Though, regardless of if there is a vulnerability, it doesn't hurt for new apps to get the latest version?

@caiquecastro

Contributor Author

caiquecastro commented Jan 9, 2020

The vulnerable package was a version of serialize-javascript (a dependency of laravel-mix via terser-webpack-plugin). I figured out that it's possible to update only the vulnerable dependency. But why not update laravel mix to the latest version?

@bArraxas

This comment was marked as off-topic.


bArraxas commented Jan 10, 2020

Hi, how do I publish a bug?
It concerns the impossibility of invoking ftp_connect or Storage::disk('ftp') inside the app.
You can easily verify that by adding "ftp_connect('test')" inside any recent project at:

  • bootstrap/app.php (it works)
  • public/index.php, before "$response->send();" (line 58) (it works too)
  • everywhere else in the Laravel project (it fails as if php_ftp.dll were disabled)

When I use phpinfo() at the same places, it says all is ok...
Thanks for your answers.
@GrahamCampbell

Member

GrahamCampbell commented Jan 10, 2020

So, just to be clear, there is no vulnerability?

taylorotwell merged commit 9b6d1b1 into laravel:master on Jan 13, 2020
1 check passed
continuous-integration/styleci/pr The analysis has passed