Nuxt2 Security advisories #9284
Comments
I understand that for most projects these are false positives, but all those false positives are still causing a lot of vulnerability warnings (currently the 145 shown below) that we need to weed through in an attempt to identify if there are any actual security issues. There's got to be a better way to handle this.
This comment has been minimized.
@danielroe - I know how to add expandable details to github issues (it's a pretty great feature), so if I had wanted my last three comments to have the vulnerability warnings collapsed I would have done so. Normally, with that much text to wade through, I would absolutely have made them expandable. Which brings us to why I didn't collapse them when I made my previous responses and why I've reverted your edits to collapse them. 100% of my last three comments are about the problems that simply having these vulnerability warnings in our audits —vulnerability warnings which we cannot collapse in our audits— can cause, even if these warnings are just false positives. The problem my comments are addressing is precisely that there are so many warnings to wade through. While, for many NuxtJS projects, the intent of the warnings is moot (because they're false positives), because this transitive dependency is used so extensively throughout NuxtJS, the decision to not identify a fix that will actually resolve the resulting warnings is itself overwhelmingly problematic. Thus, I very intentionally gathered, formatted, and included, in an equally intentional, uncollapsed format, that overwhelming list of vulnerability warnings so as to highlight just how overwhelmingly problematic the list of vulnerability warnings is. [edited to add]
@metasean I understand you're frustrated. This is something we all experience at the moment when running As it happens, we do plan to upgrade Nuxt to PostCSS 8 as soon as practicable, though as it is a breaking change it needs to be done carefully and with forethought. You can follow #8087 for updates. Finally, I've minimised your comments again to ensure this issue remains readable and useful for others. Making your point in the way you did is not kind or considerate, though I trust that was not your intention.
@danielroe Can we get this updated with the error regarding css-what please.
@pi0
I also see security issues for
While trim-newlines is not a dependency of nuxt, nuxt doesn't work with sass-loader > v10, which requires node-sass v5 (the dependency is updated in node-sass v6). Is it worth mentioning either/both of these at the top?
Is there a more narrow expected time range for the Nuxt3 release?
Sorry if it may be repetitive, but I'm also facing this security issue with
@caioferrarezi Yes.
should i use "scripts": {
Please see veged/coa#99 and immediately use a resolution to prevent installing malicious code.
@pi0 here is the output
Related to @iamarpitpatidar's comment. I am seeing
@XPAULUSX All of the dependencies you list are build-time and are not installed in your built app. This is a helpful summary of the situation.
Thanks for your contribution to Nuxt!
Issues that are labeled as
Bear with us, StaleBot, for this issue is pinned! Can someone add whatever label is due?
are these vulnerabilities also not a problem when we need to be compliant with PCI compliance standards?
Is there any solution or workarounds to this?
Even if security issues are not really applicable - like in this case - having vulnerable packages in production builds will trigger a red flag for security checks for corporate requirements requiring security checks on their deployed apps. Any ideas or solutions on how to achieve that with Nuxt2?
@fago You can use yarn or pnpm resolutions to force a given dependency version to be resolved/installed in your project.
I see, thanks - we'll give that a try.
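The suggestion above is to pin a vulnerable transitive package to a fixed version through the package manager's override mechanism. The snippet below is an added example (not code from the Nuxt project or from anyone in this thread) that writes the stanza each of yarn (`resolutions`), pnpm (`pnpm.overrides`) and npm 8.3+ (`overrides`) reads, so the same pin works whichever manager the project uses. The package names and versions in `pins` are constructed from the advisory ranges quoted in this issue and are assumptions to be checked against the current advisory before use; forcing one version across the whole tree can also break a consumer that expected a different major, which is exactly the breaking-change problem the issue describes, so run the build after pinning.

```javascript
// Added example: produce the dependency pins for yarn, pnpm and npm.
// `pins` maps a transitive package to the exact version to force. These two
// entries are constructed from ranges quoted in the issue; verify them against
// the advisory before copying (assumption, not project-maintained data).
const pins = {
  'glob-parent': '5.1.2', // issue lists glob-parent<5.1.2 as affected
  'css-what': '5.0.1',    // issue lists css-what@<5.0.1 as affected
};

// Returns a deep copy of package.json with the pins merged into the three
// manager-specific override blocks. Existing entries are kept; pins win on conflict.
function applyPins(pkgJson, pins) {
  const out = JSON.parse(JSON.stringify(pkgJson)); // never mutate the caller's object
  // yarn (classic and berry) reads "resolutions"
  out.resolutions = { ...(out.resolutions || {}), ...pins };
  // pnpm reads "pnpm.overrides"
  const pnpm = out.pnpm || {};
  out.pnpm = { ...pnpm, overrides: { ...(pnpm.overrides || {}), ...pins } };
  // npm >= 8.3 reads "overrides"
  out.overrides = { ...(out.overrides || {}), ...pins };
  return out;
}

// Reports which pins a given package.json already carries for one manager,
// useful when auditing a repo to see whether a pin was applied consistently.
function pinsFor(pkgJson, manager) {
  switch (manager) {
    case 'yarn': return pkgJson.resolutions || {};
    case 'pnpm': return (pkgJson.pnpm && pkgJson.pnpm.overrides) || {};
    case 'npm': return pkgJson.overrides || {};
    default: throw new Error(`unknown package manager: ${manager}`);
  }
}

// Constructed sample package.json; a real project would read its own file,
// pass it through applyPins and write the result back.
const samplePackageJson = {
  name: 'my-nuxt-app',
  private: true,
  dependencies: { nuxt: '^2.15.8' },
};
const pinned = applyPins(samplePackageJson, pins);
console.log(JSON.stringify(pinned, null, 2));
```

After writing the updated package.json back, delete the lockfile entries for the pinned packages (or regenerate the lockfile) and reinstall; the pin only takes effect once the lockfile is rebuilt.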
New security issue: CWE-918 Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url.
The
Oh right! Thanks for your answer @danielroe. Is there a simple way to check if a vulnerability is used in production/dev mode (for future security issues)?
@danielroe Hi, there are no security vulnerabilities in Nuxt 2.14.12 right? https://security.snyk.io/package/npm/nuxt/2.14.12
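The question above, whether a reported package is actually shipped with the app or only pulled in at build/dev time, is the triage step the whole thread turns on. The block below is an added example (not from the Nuxt project or from any participant) showing one way to answer it: walk the dependency tree that `npm ls --all --json --omit=dev` prints (npm 7+; older npm uses `--production`), which excludes devDependencies, and check whether the advisory's package is reachable in it. If it is not, the finding is confined to build tooling. The tree in `sampleProdTree` is constructed sample data, not output from a real Nuxt install; for a real project, pipe the command's output into `JSON.parse` and pass the result to `classify`. `yarn why <pkg>` and `pnpm why <pkg>` give the same information interactively.

```javascript
// Added example: is a package from an audit report present in the production
// dependency tree? Input shape follows `npm ls --all --json --omit=dev`
// (nested "dependencies" objects keyed by package name, each with a "version").
// `sampleProdTree` is constructed for this example, not real npm output.
const sampleProdTree = {
  name: 'my-nuxt-app',
  version: '1.0.0',
  dependencies: {
    nuxt: {
      version: '2.15.8',
      dependencies: {
        '@nuxt/core': { version: '2.15.8', dependencies: {} },
        'vue-router': { version: '3.5.2', dependencies: {} },
      },
    },
    lodash: { version: '4.17.21', dependencies: {} },
  },
};

// Depth-first walk collecting every path ("a > b > c@version") at which
// `pkgName` is installed. Returns [] when the package is absent from the tree.
function findInTree(tree, pkgName, prefix = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...prefix, name];
    if (name === pkgName) hits.push(`${path.join(' > ')}@${node.version}`);
    hits.push(...findInTree(node, pkgName, path));
  }
  return hits;
}

// Classify one advisory package: reachable from the prod tree means it ships
// with the deployed app; unreachable means it is dev/build-time only.
function classify(prodTree, pkgName) {
  const paths = findInTree(prodTree, pkgName);
  return { pkg: pkgName, runtime: paths.length > 0, paths };
}

// Triage a whole list of flagged packages, e.g. the names from an audit report.
function triage(prodTree, pkgNames) {
  return pkgNames.map((name) => classify(prodTree, name));
}

// Demo on the constructed tree: vue-router is a runtime dependency here,
// glob-parent (a build-time package in the issue) is not.
for (const result of triage(sampleProdTree, ['vue-router', 'glob-parent'])) {
  console.log(`${result.pkg}: ${result.runtime ? 'RUNTIME' : 'build/dev only'}`,
    result.paths.join(', '));
}
```

A package that is absent from the production tree still deserves a pin or an upgrade when the build runs on untrusted input (the issue's own caveat about `@nuxt/generator` and `extract-css-chunks-webpack-plugin`), but it does not change what is deployed.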
Looks like new things pop out:
Thanks for the heads up @kwolniak added nuxt-community/axios-module#609 to do
@danielroe Feel free to close this old tracker btw if most of them are updated in the 2.x branch!
While we are working on the Nuxt 3 stable release, Nuxt 2 has to keep some dependencies in their older versions to avoid breaking changes. These include webpack@4, postcss@7 and core-js@2. (Update: You can now migrate to Nuxt Bridge: https://nuxt.com/docs/bridge/overview)
As a result, some sub-dependencies are becoming obsolete, and eventually some vulnerabilities are being discovered in them. This doesn't always mean Nuxt is vulnerable, since most of them are applicable only when untrusted user input is involved, while these sub-dependencies in Nuxt are used in the build step and during development only.
You have to take care of these security issues immediately:
- @nuxt/webpack > cssnano > cssnano-preset-default > postcss-svgo > svgo
- @nuxt/utils > ua-parser-js
- vue-router: vue-router>=3.5.3
This is an informative listing of current safe-to-ignore (false positive) vulnerabilities:
- webpack >> set-value
- webpack >> nth-check
  These issues have been solved in the dependency tree. It is advised to renew the lock file (package-lock.json and yarn.lock) to get the fixes.
- postcss@7
- [email protected]
- normalize-url@<4.5.1, <5.3.1, <6.0.1. Notes: @nuxt/generator is processing untrusted code
- css-what@<5.0.1
- glob-parent<5.1.2. Notes: extract-css-chunks-webpack-plugin is compiling untrusted css code