High vulnerability in dependencies -> copy webpack plugin -> serialize js #5782
Comments
Is this only used for copying static assets in the
Looks like there will be some breaking changes based on v6.0.0 in the release log: https://github.com/webpack-contrib/copy-webpack-plugin/releases. Namely the input syntax and the fact that ignore is now a part of globOptions. Is that it?
There's no actual vulnerability exposed to users. Let's look into how the package is used in It's used only for the calculation of a cache key, and no user input is involved. Feel free to ignore it. Or use
@sodatea
I agree with @ravjsdev as well. This pops up in our twistlock as vulnerability. It would be awesome if you guys update that package please 😊
An idea for a solution after #5789 was not successful:
Isn't using
You can use npm-force-resolutions to set the resolution of serialize-javascript. This has no breaking changes.
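The thread turns on one question a defender has to answer for every audit finding in a transitive dependency: through which packages is the flagged module reached, and is any of those paths a runtime path rather than a build-time one? The script below is an added example, not code from vue-cli or from anyone in this thread. It walks a dependency tree in the shape of `npm ls --json` output and reports each path to a target package, marking a path as dev-only when its top-level entry is among the project's devDependencies. The tree, the version strings other than 4.5.3, and the devDependencies set are constructed sample data that mirror the situation described above (serialize-javascript reached only via copy-webpack-plugin under @vue/cli-service); in a real project you would feed it `npm ls --json --all` output and the `devDependencies` keys of package.json.

```python
"""Report how a flagged package is reached in an npm dependency tree.

Added example: classifies each dependency path to a target package as
dev-only (reached solely through a devDependency) or runtime-reachable.
"""
import json
from typing import Dict, List, Set

# Constructed sample in the shape of `npm ls --json` output (not real project
# data). Versions other than @vue/cli-service 4.5.3 are placeholders.
SAMPLE_TREE = json.loads("""
{
  "name": "example-app",
  "dependencies": {
    "vue": {"version": "2.0.0"},
    "@vue/cli-service": {
      "version": "4.5.3",
      "dependencies": {
        "copy-webpack-plugin": {
          "version": "5.0.0",
          "dependencies": {
            "serialize-javascript": {"version": "2.0.0"}
          }
        }
      }
    }
  }
}
""")

# Constructed: the devDependencies keys as they would appear in package.json.
SAMPLE_DEV_DEPS: Set[str] = {"@vue/cli-service"}


def find_paths(tree: dict, target: str) -> List[List[str]]:
    """Return every root-to-target path as a list of 'name@version' strings."""
    paths: List[List[str]] = []

    def walk(node: dict, trail: List[str]) -> None:
        for name, child in node.get("dependencies", {}).items():
            here = trail + [f"{name}@{child.get('version', '?')}"]
            if name == target:
                paths.append(here)
            walk(child, here)  # keep walking: a package can appear more than once

    walk(tree, [])
    return paths


def classify(paths: List[List[str]], dev_deps: Set[str]) -> Dict[str, object]:
    """Split paths into dev-only and runtime paths.

    A path is dev-only when its first hop (the direct dependency of the
    project) is declared under devDependencies; everything else is treated
    as runtime-reachable and deserves a closer look.
    """
    dev_only, runtime = [], []
    for path in paths:
        top_name = path[0].rsplit("@", 1)[0]  # strip the '@version' suffix only
        (dev_only if top_name in dev_deps else runtime).append(path)
    return {
        "dev_only": dev_only,
        "runtime": runtime,
        "runtime_reachable": bool(runtime),
    }


def report(tree: dict, target: str, dev_deps: Set[str]) -> List[str]:
    """Human-readable lines summarising how `target` is reached."""
    result = classify(find_paths(tree, target), dev_deps)
    lines = [f"{target}: {len(result['dev_only'])} dev-only path(s), "
             f"{len(result['runtime'])} runtime path(s)"]
    for path in result["dev_only"]:
        lines.append("  dev-only : " + " > ".join(path))
    for path in result["runtime"]:
        lines.append("  RUNTIME  : " + " > ".join(path))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_TREE, "serialize-javascript", SAMPLE_DEV_DEPS):
        print(line)
```

On the sample tree the single path is dev-only, which is the finding the maintainers state above (build-time use for a cache key, no user input). A dev-only result is a reason to deprioritise, not to stop: the same path still shows up in scanners such as the one mentioned in the thread, so pinning the transitive version with a `resolutions` entry (what npm-force-resolutions reads from package.json) is the usual way to silence the alert without waiting for an upstream bump.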
By switching to a fork of copy-webpack-plugin v5, so that we can circumvent the issue in a non-semver-breaking way. Fixes vuejs#5782
* Update Wikibase from branch 'master' to ce8ba0d90005e7cdef72b3195fb05b8a53af278d - Merge "bridge: Fix false-positive high-level vulnerability in our dev dependencies" - bridge: Fix false-positive high-level vulnerability in our dev dependencies While that should not have any effect on us[1], it is still not great having it show up in our alerts as it leads to us becoming less sensitive to them. [1]: vuejs/vue-cli#5782 (comment) Change-Id: If3f6ffa6402d5430a1a90f98a4229bfbd8e4ce83
Version
4.5.3
Environment info
Steps to reproduce
Run 'npm audit' after installing the latest vue cli-service.
What is expected?
no high severity vulnerabilities should be found
What is actually happening?
serialize-javascript, a dependency of copy-webpack-plugin, has a high risk vulnerability.
@vue/cli-service should use copy-webpack-plugin of version ^6.0.2, since that is the first version that solves the high risk vulnerability.