High vulnerability in dependencies -> copy webpack plugin -> serialize js

[pvijver]

Version

4.5.3

Environment info

  System:
    OS: Windows 10 10.0.18362
    CPU: (8) x64 Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
  Binaries:
    Node: 14.5.0 - C:\Program Files\nodejs\node.EXE
    Yarn: Not Found
    npm: 6.14.5 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Chrome: 84.0.4147.125
    Edge: Spartan (44.18362.449.0)
  npmPackages:
    @ant-design-vue/babel-helper-vue-transform-on:  1.0.1
    @types/vue-router: ^2.0.0 => 2.0.0
    @types/vuelidate: ^0.7.13 => 0.7.13
    @vue/babel-helper-vue-jsx-merge-props:  1.0.0
    @vue/babel-plugin-transform-vue-jsx:  1.1.2
    @vue/babel-preset-app:  4.5.3
    @vue/babel-preset-jsx:  1.1.2
    @vue/babel-sugar-functional-vue:  1.1.2
    @vue/babel-sugar-inject-h:  1.1.2
    @vue/babel-sugar-v-model:  1.1.2
    @vue/babel-sugar-v-on:  1.1.2
    @vue/cli-overlay:  4.5.3
    @vue/cli-plugin-babel: ^4.5.3 => 4.5.3
    @vue/cli-plugin-e2e-cypress: ^4.5.3 => 4.5.3
    @vue/cli-plugin-eslint: ^4.5.3 => 4.5.3
    @vue/cli-plugin-router: ^4.5.3 => 4.5.3
    @vue/cli-plugin-typescript: ^4.5.3 => 4.5.3
    @vue/cli-plugin-unit-jest: ^4.5.3 => 4.5.3
    @vue/cli-plugin-vuex:  4.5.3
    @vue/cli-service: ^4.5.3 => 4.5.3
    @vue/cli-shared-utils:  4.5.3
    @vue/component-compiler-utils:  3.2.0
    @vue/eslint-config-prettier: ^6.0.0 => 6.0.0
    @vue/eslint-config-typescript: ^5.0.2 => 5.0.2
    @vue/preload-webpack-plugin:  1.1.2
    @vue/test-utils: 1.0.3 => 1.0.3
    @vue/web-component-wrapper:  1.2.0
    bootstrap-vue: ^2.16.0 => 2.16.0
    eslint-plugin-vue: ^6.2.2 => 6.2.2
    jest-serializer-vue:  2.0.2
    portal-vue: ^2.1.7 => 2.1.7
    typescript: ^3.9.7 => 3.9.7
    vue: ^2.6.11 => 2.6.11
    vue-class-component: ^7.2.5 => 7.2.5
    vue-eslint-parser:  7.1.0
    vue-functional-data-merge:  3.1.0
    vue-hot-reload-api:  2.3.4
    vue-i18n: ^8.20.0 => 8.20.0
    vue-jest:  3.0.6
    vue-loader:  15.9.3 (16.0.0-beta.5)
    vue-multiselect: ^2.1.6 => 2.1.6
    vue-property-decorator: ^9.0.0 => 9.0.0
    vue-router: ^3.4.3 => 3.4.3
    vue-style-loader:  4.1.2
    vue-template-compiler: ^2.6.11 => 2.6.11
    vue-template-es2015-compiler:  1.9.1
    vuelidate: ^0.7.5 => 0.7.5
    vuelidate-error-extractor: ^2.4.1 => 2.4.1
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

run 'npm audit' after install of latest vue cli-service

What is expected?

no high severity vulnerabilities should be found

What is actually happening?

serialize-javascript, a dependency of copy-webpackplugin has a high risk vulnerability.

---

@vue/cli-service should use copy-webpack-plugin of version ^6.0.2, since that is the first version that solves the high risk vulnerability.

[tawcarroll]

Is this only used for copying static assets in the public directory? I.e. here:

vue-cli/packages/@vue/cli-service/lib/config/app.js

Line 299 in 879b815

.use(require('copy-webpack-plugin'), [[{

Looks like there will be some breaking changes based on v6.0.0 in the release log: https://github.com/webpack-contrib/copy-webpack-plugin/releases. Namely the input syntax and the fact that ignore is now a part of globOptions.

Is that it?

[sodatea]

There's no actual vulnerability exposed to users. Let's look into how the package is used in copy-webpack-plugin: https://github.com/webpack-contrib/copy-webpack-plugin/blob/96e23150c0a30e8414a4303c727e7248bddecc5e/src/postProcessPattern.js#L67-L77

It's used only for the calculation of a cache key, and no user input is involved. Feel free to ignore it. Or use npm-force-resolutions to force resolve to a newer version of it.

[ravjsdev]

@sodatea
I accept there is no vulnerability exposed to users but i would still prefer this to be fixed asap as its just a dependency update.
npm-force-resolutions is just a monkey patch. This should be fixed at the top level.

[pvijver]

@sodatea That's what I did now, but I agree with @ravjsdev. The Vue CLI package should't pop up on npm audit, it suggests it's unsafe for everyone that does not know the implementation.

[mynameisgenesis]

I agree with @ravjsdev as well. This pops up in our twistlock as vulnerability. It would be awesome if you guys update that package please 😊

[yashha]

An idea for a solution after #5789 was not successful:
webpack-contrib/copy-webpack-plugin#520
We will go for the npm-force-resolutions solution for now.

[peteruithoven]

Isn't using npm-force-resolutions a bad idea because the update introduces breaking changes?

you need to read changelog, there are many breaking changes

From: webpack-contrib/copy-webpack-plugin#520 (comment)

[yashha]

Isn't using npm-force-resolutions a bad idea because the update introduces breaking changes?

You can use npm-force-resolutions to set the resolution of serialize-javascript. This has no breaking changes.
Updating copy-webpack-plugin from 5 to 6 has breaking changes.

[sodatea]

Fixed. See https://github.com/webpack-contrib/copy-webpack-plugin/releases/tag/v5.1.2