Closed
Version
4.5.6
Environment info
Environment Info:
System:
OS: Windows 10 10.0.19041
CPU: (8) x64 Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
Binaries:
Node: 12.18.3 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.5 - C:\Program Files (x86)\Yarn\bin\yarn.CMD
npm: 6.14.8 - C:\Program Files\nodejs\npm.CMD
Browsers:
Chrome: 85.0.4183.121
Edge: Spartan (44.19041.423.0), Chromium (85.0.564.63), ChromiumDev (87.0.654.0)
npmPackages:
@ant-design-vue/babel-helper-vue-transform-on: 1.0.1
@types/vue2-editor: ^2.6.0 => 2.6.0
@vue/babel-helper-vue-jsx-merge-props: 1.0.0
@vue/babel-plugin-transform-vue-jsx: 1.1.2
@vue/babel-preset-app: ^4.1.1 => 4.5.4
@vue/babel-preset-jsx: 1.1.2
@vue/babel-sugar-functional-vue: 1.1.2
@vue/babel-sugar-inject-h: 1.1.2
@vue/babel-sugar-v-model: 1.1.2
@vue/babel-sugar-v-on: 1.1.2
@vue/cli-overlay: 4.5.6
@vue/cli-plugin-babel: ^4.1.1 => 4.5.4
@vue/cli-plugin-eslint: ^4.1.0 => 4.5.4
@vue/cli-plugin-router: 4.5.6
@vue/cli-plugin-typescript: ^4.1.1 => 4.5.4
@vue/cli-plugin-unit-mocha: ^4.1.1 => 4.5.4
@vue/cli-plugin-vuex: 4.5.6
@vue/cli-service: 4.5.6 => 4.5.6
@vue/cli-shared-utils: 4.5.4 (4.5.6)
@vue/component-compiler-utils: 3.2.0
@vue/composition-api: ^1.0.0-beta.3 => 1.0.0-beta.3
@vue/eslint-config-airbnb: ^4.0.0 => 4.0.1
@vue/eslint-config-typescript: ^4.0.0 => 4.0.0
@vue/preload-webpack-plugin: 1.1.2
@vue/test-utils: 1.0.0-beta.29 => 1.0.0-beta.29
@vue/web-component-wrapper: 1.2.0
ag-grid-vue: ^21.2.2 => 21.2.2
eslint-plugin-vue: ^6.1.2 => 6.1.2
typescript: ^3.4.2 => 3.5.3
vue: ^2.6.10 => 2.6.10 (2.6.11)
vue-class-component: ^6.3.2 => 6.3.2
vue-d2b: ^1.0.15 => 1.0.15
vue-directive-tooltip: ^1.6.3 => 1.6.3
vue-eslint-parser: 7.0.0
vue-hot-reload-api: 2.3.4
vue-i18n: ^8.10.0 => 8.12.0
vue-json-pretty: ^1.6.2 => 1.6.2
vue-loader: 15.9.3 (16.0.0-beta.8)
vue-moment: ^4.0.0 => 4.1.0
vue-property-decorator: ^7.3.0 => 7.3.0
vue-resize-directive: ^1.2.0 => 1.2.0
vue-router: ^3.0.3 => 3.0.7
vue-style-loader: 4.1.2
vue-template-compiler: ^2.6.10 => 2.6.10
vue-template-es2015-compiler: 1.9.1
vue2-ace-editor: 0.0.11 => 0.0.11
vue2-editor: ^2.10.2 => 2.10.2
vuex: ^3.1.0 => 3.1.1
vuex-class: ^0.3.2 => 0.3.2
npmGlobalPackages:
@vue/cli: Not Found
Steps to reproduce
Install latest version of @vue/cli-service and try to run yarn audit or npm audit and see that the following advisory is shown (in this case yarn):
❯ yarn audit
yarn audit v1.22.5
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Prototype Pollution in node-forge │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-forge │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >= 0.10.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @vue/cli-service > webpack-dev-server > selfsigned > │
│ │ node-forge │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1561 │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 1932
Severity: 1 High
Done in 3.27s.
What is expected?
Yarn audit or npm audit should return no vulnerabilities.
What is actually happening?
Yarn audit or npm audit should return one high vulnerability.
Since it is the latest version and the vulnerability is highlighted as high, it would need to be fixed (upgrading node-forge).
Related NPM advisory: https://www.npmjs.com/advisories/1561
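Added example (not part of the original issue or of the Vue CLI project): a Node.js triage helper that groups `yarn audit --json` advisories and reports, for each dependency path, the top-level package and the immediate parent of the flagged module. The sample input is constructed to mirror the advisory above, and the JSON field layout is assumed from yarn 1.x output.

```javascript
// Constructed sample: yarn 1.x `yarn audit --json` prints one JSON object per line.
// Values mirror the advisory in the issue; the field layout is assumed from yarn 1.x.
const SAMPLE = [
  { type: 'auditAdvisory', data: {
    resolution: { id: 1561, path: '@vue/cli-service>webpack-dev-server>selfsigned>node-forge' },
    advisory: { id: 1561, module_name: 'node-forge', severity: 'high',
      title: 'Prototype Pollution in node-forge', patched_versions: '>=0.10.0',
      url: 'https://www.npmjs.com/advisories/1561' } } },
  { type: 'auditSummary', data: { vulnerabilities: { high: 1 }, totalDependencies: 1932 } },
].map((o) => JSON.stringify(o)).join('\n');

const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Group advisories at or above minSeverity and show which packages pull the module in.
function summarizeAudit(jsonLines, minSeverity = 'high') {
  const findings = new Map();
  for (const line of jsonLines.split(/\r?\n/)) {
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; } // skip blank or non-JSON lines
    if (!rec || rec.type !== 'auditAdvisory') continue;
    const { advisory, resolution } = rec.data;
    if ((RANK[advisory.severity] || 0) < RANK[minSeverity]) continue;
    const chain = resolution.path.split('>');
    if (!findings.has(advisory.id)) {
      findings.set(advisory.id, {
        module: advisory.module_name,
        severity: advisory.severity,
        patched: advisory.patched_versions,
        url: advisory.url,
        paths: [],
      });
    }
    findings.get(advisory.id).paths.push({
      direct: chain[0], // the entry listed in your own package.json
      parent: chain.length > 1 ? chain[chain.length - 2] : null, // package that requires the flagged module
      depth: chain.length - 1, // number of hops from the direct dependency
    });
  }
  return [...findings.values()];
}

// Print a short report for the constructed sample.
for (const f of summarizeAudit(SAMPLE)) {
  console.log(`${f.severity} ${f.module} (patched ${f.patched}) ${f.url}`);
  for (const p of f.paths) console.log(`  via ${p.direct}, parent ${p.parent}, depth ${p.depth}`);
}
```

On a real project, pass the captured output of `yarn audit --json` to `summarizeAudit` in place of the sample.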