npm High severity vulnerability from webpack-dev-server

[Sceat]

Version

3.2.2

Environment info

Unknown command info. ¯\_(ツ)_/¯

Steps to reproduce

npm update

What is expected?

to run without problems

What is actually happening?

[danzlarkin]

For more details on the issue see:
webpack/webpack-dev-server#1604
webpack/webpack-dev-server#1615

The issue is related to some changes required to be done in sockjs (see sockjs/sockjs-node#247)

For a temporary workaround put this in your 'devServer' property in webpack.config.js (or your webpack config file)

disableHostCheck: true

[haoqunjiang]

See

vue-cli/packages/@vue/cli-service/package.json

Line 71 in 0fc972e

"webpack-dev-server": "^3.1.14",

Already fixed.

[danzlarkin]

See

vue-cli/packages/@vue/cli-service/package.json

Line 71 in 0fc972e

"webpack-dev-server": "^3.1.14",
Already fixed.

Yes, I noticed this earlier, but there seems to still be a bug occurring for some users of this package (see webpack/webpack-dev-server#1604)

I have also checked my local package and it is 3.1.14, so maybe this is a problem with NPM's audit tool rather?

[usercao]

vue-cli/packages/@vue/cli-service/package.json

Overview

Versions of webpack-dev-server before 3.1.6 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.

Remediation

Update to version 3.1.6 or later.

[iainbeeston]

@usercao I'm trying to follow what's going on here - can you tell me where you found those "Overview" and "Remediation" snippets? So far as I can see the latest release of webpack-dev-server is 3.1.14 (there's no 3.1.16 on npm right now):

> npm view webpack-dev-server versions
 
[ '0.6.0',
  '0.6.1',
  '0.6.2',
  #...
  '3.1.0',
  '3.1.1',
  '3.1.2',
  '3.1.3',
  '3.1.4',
  '3.1.5',
  '3.1.6',
  '3.1.7',
  '3.1.8',
  '3.1.9',
  '3.1.10',
  '3.1.11',
  '3.1.12',
  '3.1.13',
  '3.1.14' ]

[usercao]

@iainbeeston when I install @vue/cli@3.2.2,I saw the Remediation in this link https://www.npmjs.com/advisories/725,until the version of 3.1.14,this bug still persist,I don't know what happend.

[iainbeeston]

Thanks @usercao that's interesting... The same page also lists 3.1.14 as affected on the "Versions" tab, even though the advisory from npm audit says 3.1.14 is fixed.