High risk vulnerability serialize-javascript package #5784

Closed
ravjsdev opened this issue Aug 12, 2020 · 2 comments

@ravjsdev

Version

4.5.3

Environment info

When I run `vue info` in my project folder it does not return anything. (It is a Vue component library.)

Steps to reproduce

Run `npm audit`

What is expected?

Should not produce any high vulnerability errors

What is actually happening?

npm audit reports high security vulnerability in the package serialize-javascript


A single package serialize-javascript is a dependency in @vue/cli-service, @vuepress/core. The version of serialize-javascript that has been used has a high level security vulnerability (as below) - please can you update the dependency to v4.0.0 across the packages?

```
High            Remote Code Execution
Package         serialize-javascript
Patched in      >=3.1.0
Dependency of   @vue/cli-service [dev]
Path            @vue/cli-service > copy-webpack-plugin >
                serialize-javascript
More info       https://npmjs.com/advisories/1548

High            Remote Code Execution
Package         serialize-javascript
Patched in      >=3.1.0
Dependency of   vuepress [dev]
Path            vuepress > @vuepress/core > copy-webpack-plugin >
                serialize-javascript
More info       https://npmjs.com/advisories/1548

High            Remote Code Execution
Package         serialize-javascript
Patched in      >=3.1.0
Dependency of   vuepress [dev]
Path            vuepress > @vuepress/core > vue-server-renderer >
                serialize-javascript
More info       https://npmjs.com/advisories/1548
```

Many thanks

@zbianca

zbianca commented Aug 12, 2020

Duplicate of #5782

@haoqunjiang
Member

Closing in favor of #5782
