Version
5.0.0-beta.0
Reproduction link
https://github.com/dpash/vue-cli-watch-bug
Environment info
Environment Info:
System:
OS: Linux 5.11 Ubuntu 21.04 (Hirsute Hippo)
CPU: (4) x64 AMD Ryzen 3 2200G with Radeon Vega Graphics
Binaries:
Node: 16.1.0 - /usr/bin/node
Yarn: Not Found
npm: 7.11.2 - /usr/bin/npm
Browsers:
Chrome: 90.0.4430.212
Firefox: 88.0.1
npmPackages:
@vue/cli: ^5.0.0-beta.1 => 5.0.0-beta.1
@vue/cli-shared-utils: 5.0.0-beta.1
@vue/cli-ui: 5.0.0-beta.1
@vue/cli-ui-addon-webpack: 5.0.0-beta.1
@vue/cli-ui-addon-widgets: 5.0.0-beta.1
@vue/compiler-core: 3.0.11
@vue/compiler-dom: 3.0.11
@vue/shared: 3.0.11
typescript: 4.1.5
vue: 2.6.12
vue-codemod: 0.0.5
npmGlobalPackages:
@vue/cli: Not Found
Steps to reproduce
Install @vue/cli, run npm audit
Check out the 5.0.0-beta.1 branch for the result with that version
What is expected?
No errors
What is actually happening?
merge <2.1.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1666
No fix available
node_modules/merge
exec-sh <=0.3.1
Depends on vulnerable versions of merge
node_modules/exec-sh
watch >=0.14.0
Depends on vulnerable versions of exec-sh
node_modules/watch
@vue/cli-ui *
Depends on vulnerable versions of watch
node_modules/@vue/cli-ui
@vue/cli *
Depends on vulnerable versions of @vue/cli-ui
node_modules/@vue/cli
Merge has a security issue.
exec-sh has removed the dependency on merge since 17 Oct 2018 (version 0.3.2). tsertkov/exec-sh@933cc02
Watch depends on exec-sh 0.2.0, and watch hasn't had any commits or releases in 4 years. There is even an open PR to upgrade watch to use a more recent version of exec-sh, but it hasn't been looked at for three years. mikeal/watch#143
According to mikeal/watch#149 https://www.npmjs.com/package/chokidar is a suitable replacement.