vue-server-renderer security advisory

[zoellner]

Version

2.6.11

Reproduction link

https://codesandbox.io/s/naughty-shape-p1plw?fontsize=14&hidenavigation=1&theme=dark

Steps to reproduce

npm install vue-server-renderer 
npm audit

What is expected?

Audit passes

What is actually happening?

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Remote Code Execution                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vue-server-renderer                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vue-server-renderer > serialize-javascript                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1548                            │

[posva]

#11434

Don't open automated issues

[zoellner]

ok. would have been helpful if there was an issue (not just a PR for this). was looking for it first.

[posva]

There are many... https://github.com/vuejs/vue/issues?q=is%3Aissue+serialize+is%3Aclosed
You even downvoted my comment at #11427

So you deliberately opened a duplicate issue. An issue or a PR have the same tracking and discussions abilities

[zoellner]

no, I looked again afterwards and discovered that there's a few closed ones. looks like you keep closing all related issues. so no wonder people keep opening them.
It's about discoverability, not discussion ability

[posva]

So you didn't look at first like you said? I took the time to link the issues each time.
re discoverability: Searching for serialize-javascript in issues gives you the results 🙂