yargs-parser vulnerability (@vue/cli-service > webpack-dev-server > yargs > yargs-parser) #5439

@mashpie

Description

Version

4.3.1

Environment info

Environment Info:

  System:
    OS: macOS 10.15.4
    CPU: (8) x64 Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz
  Binaries:
    Node: 10.16.2 - ~/.nvm/versions/node/v10.16.2/bin/node
    Yarn: 1.21.1 - ~/.nvm/versions/node/v10.16.2/bin/yarn
    npm: 6.9.0 - ~/.nvm/versions/node/v10.16.2/bin/npm

truncated (nginx errors with request URI too large)

Steps to reproduce

run yarn audit in any newly created or existing vue-cli project

What is expected?

should not report any issues

What is actually happening?

reports:

yarn audit v1.21.1
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-service > webpack-dev-server > yargs > yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘

Please upgrade webpack-dev-server as soon as their issue gets resolved: webpack/webpack-dev-server#2559.

Meanwhile, a workaround with a yarn resolution works by adding:

  "resolutions": {
    "@vue/cli-service/**/yargs-parser": "^13.1.2"
  },
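After applying the resolution above, it is worth confirming that the lock file actually resolved yargs-parser into one of the patched ranges printed by yarn audit. The following script is an added example, not code from the issue or from vue-cli; it implements a minimal checker for the comparator grammar shown in the audit table and runs it over a constructed yarn.lock fragment (the lock entries are made up for illustration).

```javascript
// Patched ranges exactly as printed by `yarn audit` in the report above.
const PATCHED = ">=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2";

// "13.1.2" -> [13, 1, 2]; prerelease/build suffixes are ignored here.
const parseVersion = (v) => v.split(/[-+]/)[0].split(".").map(Number);

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// A range is "||"-separated alternatives, each a space-separated list of
// comparators that must all hold (the grammar used in the audit table).
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compare(v, parseVersion(m[2]));
      return { ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c === 0 }[m[1] || "="];
    })
  );
}

// Find every yargs-parser entry in yarn.lock text: the header line lists the
// requested specs, the following `version "x.y.z"` line is what was resolved.
function auditLock(lockText) {
  const re = /^("?yargs-parser@[^\n]*?):\n\s+version "([^"]+)"/gm;
  const out = [];
  for (let m; (m = re.exec(lockText)) !== null; ) {
    out.push({ spec: m[1].replace(/"/g, ""), version: m[2], patched: satisfies(m[2], PATCHED) });
  }
  return out;
}

// Constructed yarn.lock fragment (not from the reporter's project): one
// vulnerable resolution and one that the "resolutions" workaround would pin.
const SAMPLE_LOCK = `
yargs-parser@^11.1.1:
  version "11.1.1"

yargs-parser@^13.1.0, yargs-parser@^13.1.2:
  version "13.1.2"
`;

console.log(auditLock(SAMPLE_LOCK));
```

Run it against the real yarn.lock by reading the file into `auditLock`; any entry reported with `patched: false` means the resolution glob did not reach that copy of yargs-parser.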
