Dependency Bot warning about vulnerable dependencies: `ssri` and `is-svg`

[mister-teddy]

Version

4.5.9

Reproduction link

https://github.com/upstage-org/mobilise

Environment info

Environment Info:

  System:
    OS: macOS 11.2.1
    CPU: (8) x64 Intel(R) Core(TM) i5-1030NG7 CPU @ 1.10GHz
  Binaries:
    Node: 15.6.0 - /usr/local/bin/node
    Yarn: 1.22.10 - /usr/local/bin/yarn
    npm: 7.4.0 - /usr/local/bin/npm
  Browsers:
    Chrome: 89.0.4389.90
    Edge: Not Found
    Firefox: 86.0.1
    Safari: 14.0.3
  npmPackages:
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-helper-vue-transform-on:  1.0.0-rc.2 
    @vue/babel-plugin-jsx:  1.0.0-rc.5 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  4.5.9 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli-overlay:  4.5.9 
    @vue/cli-plugin-babel: ~4.5.0 => 4.5.9 
    @vue/cli-plugin-eslint: ~4.5.0 => 4.5.9 
    @vue/cli-plugin-pwa: ~4.5.0 => 4.5.10 
    @vue/cli-plugin-router: ~4.5.0 => 4.5.9 
    @vue/cli-plugin-vuex: ~4.5.0 => 4.5.9 
    @vue/cli-service: ~4.5.0 => 4.5.9 
    @vue/cli-shared-utils:  4.5.9 (4.5.10)
    @vue/compiler-core:  3.0.4 (3.0.7)
    @vue/compiler-dom:  3.0.4 (3.0.7)
    @vue/compiler-sfc: ^3.0.0 => 3.0.4 
    @vue/compiler-ssr:  3.0.4 
    @vue/component-compiler-utils:  3.2.0 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/reactivity:  3.0.7 
    @vue/runtime-core:  3.0.7 
    @vue/runtime-dom:  3.0.7 
    @vue/shared:  3.0.7 (3.0.4)
    @vue/web-component-wrapper:  1.2.0 
    eslint-plugin-vue: ^7.7.0 => 7.7.0 
    vue: ^3.0.7 => 3.0.7 
    vue-eslint-parser:  7.6.0 
    vue-hot-reload-api:  2.3.4 
    vue-loader:  15.9.6 (16.1.2)
    vue-router: ^4.0.0-0 => 4.0.1 
    vue-style-loader:  4.1.2 
    vue-template-es2015-compiler:  1.9.1 
    vue3-draggable-resizable: ^1.6.0 => 1.6.0 
    vuex: ^4.0.0-0 => 4.0.0-rc.2 
    vuex-persistedstate: ^4.0.0-beta.1 => 4.0.0-beta.1 
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

There is no step at all, everything was fine until Github dependency bot discover these vulnerable a few days ago, see attachment below:

What is expected?

No warning from Github's dependency bot

What is actually happening?

Dependency bot is warning about vulnerable inside these indirect dependency: ssri and is-svg

---

ssri and is-svg is not our direct dependency, after inspecting the yarn.lock we discover that it was peer dependency of @vue/cli-service

[haoqunjiang]

• ssri: transitive dependency from webpack 4, requires a cacache v12 patch, see: High severity vulnerability detected in dependencies npm/cacache#42 (comment)
• is-svg: transitive dependency from cssnano 4, requires a postcss-svgo patch, see chore(deps): bump is-svg from 4.2.1 to 4.2.2 in /packages/postcss-svgo cssnano/cssnano#1023 (comment)

Update:
The is-svg dependency does not expose the projects to any real threats, and it is not likely to be updated any time soon. See cssnano/cssnano#1019 (comment)

[mister-teddy]

Hello everyone, thank you for the great works!

What is the current status of this issue? It's now considered high severity by Dependency Bot

[haoqunjiang]

As said earlier, they are upstream issues, there's nothing we can do here.
Besides, they do not expose the users of Vue CLI to any real threats, it's safe to ignore them.

They're considered vulnerabilities because if you use these package versions in your Node.js web server, and process user inputs with them, your server might get compromised.

But that's not the use case of Vue CLI, which is a developer tool.

[mister-teddy]

Thank you for the helpful information @sodatea 👍 We've turned off the vulnerable warning alerts for now

[bobvandevijver]

@sodatea The @vue/cli-service package directly depends on version 7 of ssri. For version 5 (which is currently in beta) it was bumped to version 8, per 473eab2.

It looks like the update did not have that much impact, so maybe it can be backported to version 4 of the cli-service?