
Security: found 6 vulnerabilities (1 low, 4 high, 1 critical) in 37738 scanned packages #3257

Closed
peterennis opened this issue Jan 7, 2019 · 7 comments

Comments

@peterennis

Version

3.2.3

Reproduction link

https://github.com/peterennis/aeicons-vue

Environment info

C:\ae\adaept.com\aeicons-vue>vue info

Environment Info:

  System:
    OS: Windows 10
    CPU: (4) x64 Intel(R) Core(TM) i7-3540M CPU @ 3.00GHz
  Binaries:
    Node: 10.14.2 - C:\Program Files\nodejs\node.EXE
    Yarn: Not Found
    npm: 6.4.1 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: 44.17763.1.0
  npmPackages:
    @vue/cli-overlay:  3.2.0
    @vue/cli-plugin-e2e-nightwatch: ^3.2.0 => 3.2.2
    @vue/cli-plugin-eslint: ^3.2.0 => 3.2.2
    @vue/cli-plugin-pwa: ^3.2.0 => 3.2.2
    @vue/cli-plugin-typescript: ^3.2.0 => 3.2.2
    @vue/cli-plugin-unit-jest: ^3.2.0 => 3.2.3
    @vue/cli-service: ^3.2.0 => 3.2.3
    @vue/cli-shared-utils:  3.2.2
    @vue/component-compiler-utils:  2.4.0
    @vue/eslint-config-prettier: ^4.0.1 => 4.0.1
    @vue/eslint-config-typescript: ^3.2.0 => 3.2.0
    @vue/preload-webpack-plugin:  1.1.0
    @vue/test-utils: ^1.0.0-beta.20 => 1.0.0-beta.28
    @vue/web-component-wrapper:  1.2.0
    eslint-plugin-vue: ^5.0.0 => 5.1.0
    jest-serializer-vue:  2.0.2
    vue: ^2.5.21 => 2.5.21
    vue-class-component: ^6.0.0 => 6.3.2
    vue-eslint-parser:  2.0.3
    vue-hot-reload-api:  2.3.1
    vue-jest:  3.0.2
    vue-loader:  15.5.0
    vue-property-decorator: ^7.0.0 => 7.2.0
    vue-style-loader:  4.1.2
    vue-template-compiler: ^2.5.21 => 2.5.21
    vue-template-es2015-compiler:  1.6.0
  npmGlobalPackages:
    @vue/cli: Not Found


C:\ae\adaept.com\aeicons-vue>

Steps to reproduce

Create project with the relevant selections

What is expected?

No security errors

What is actually happening?

npm audit shows security errors
npm audit fix cannot fix


C:\ae\adaept.com\aeicons-vue>npm audit

                   === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Critical Command Injection

Package growl

Patched in >=1.10.2

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch >
mocha-nightwatch > growl

More info https://nodesecurity.io/advisories/146

High Denial of Service

Package http-proxy-agent

Patched in >=2.1.0

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch > proxy-agent >
http-proxy-agent

More info https://nodesecurity.io/advisories/607

High Denial of Service

Package http-proxy-agent

Patched in >=2.1.0

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch > proxy-agent >
pac-proxy-agent > http-proxy-agent

More info https://nodesecurity.io/advisories/607

High Denial of Service

Package https-proxy-agent

Patched in >=2.2.0

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch > proxy-agent >
https-proxy-agent

More info https://nodesecurity.io/advisories/593

High Denial of Service

Package https-proxy-agent

Patched in >=2.2.0

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch > proxy-agent >
pac-proxy-agent > https-proxy-agent

More info https://nodesecurity.io/advisories/593

Low Regular Expression Denial of Service

Package debug

Patched in >= 2.6.9 < 3.0.0 || >= 3.1.0

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch >
mocha-nightwatch > debug

More info https://nodesecurity.io/advisories/534

found 6 vulnerabilities (1 low, 4 high, 1 critical) in 37738 scanned packages
6 vulnerabilities require manual review. See the full report for details.

C:\ae\adaept.com\aeicons-vue>
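The triage a maintainer does by eye on the report above, done over its JSON form, as an added example (not code from the issue or from vue-cli): it groups every vulnerable path by the top-level dependency it starts at and records whether that root is dev-only, so the six findings can be seen to share a single dev dependency. It assumes the npm 6 `npm audit --json` shape (`advisories[id].findings[].paths` and `.dev`); `SAMPLE_REPORT` is constructed from the paths quoted in the report.

```javascript
// Constructed sample, modeled on npm 6 `npm audit --json`, using the paths quoted in the issue.
const adv = (module_name, severity, title, patched_versions, paths) =>
  ({ module_name, severity, title, patched_versions, findings: [{ dev: true, paths }] });
const NW = "@vue/cli-plugin-e2e-nightwatch>nightwatch>";
const SAMPLE_REPORT = { advisories: {
  146: adv("growl", "critical", "Command Injection", ">=1.10.2",
    [NW + "mocha-nightwatch>growl"]),
  607: adv("http-proxy-agent", "high", "Denial of Service", ">=2.1.0",
    [NW + "proxy-agent>http-proxy-agent", NW + "proxy-agent>pac-proxy-agent>http-proxy-agent"]),
  593: adv("https-proxy-agent", "high", "Denial of Service", ">=2.2.0",
    [NW + "proxy-agent>https-proxy-agent", NW + "proxy-agent>pac-proxy-agent>https-proxy-agent"]),
  534: adv("debug", "low", "Regular Expression Denial of Service", ">= 2.6.9 < 3.0.0 || >= 3.1.0",
    [NW + "mocha-nightwatch>debug"]),
} };

// One row per vulnerable path (npm counts each path), tagged with its top-level dependency.
function flattenFindings(report) {
  const rows = [];
  for (const a of Object.values(report.advisories)) {
    for (const f of a.findings) for (const p of f.paths) {
      rows.push({ root: p.split(">")[0], module: a.module_name, severity: a.severity,
        dev: Boolean(f.dev), patched: a.patched_versions });
    }
  }
  return rows;
}

// Group rows by root dependency; devOnly stays true only if every path to that root is dev.
function triageByRoot(report) {
  const groups = {};
  for (const r of flattenFindings(report)) {
    const g = groups[r.root] || (groups[r.root] = { count: 0, devOnly: true, modules: [] });
    g.count += 1;
    g.devOnly = g.devOnly && r.dev;
    if (!g.modules.includes(r.module)) g.modules.push(r.module);
  }
  return groups;
}

// Rebuild npm's summary line, e.g. "found 6 vulnerabilities (1 low, 4 high, 1 critical)".
function summaryLine(report) {
  const rows = flattenFindings(report);
  const parts = ["low", "moderate", "high", "critical"]
    .map((s) => [s, rows.filter((r) => r.severity === s).length])
    .filter(([, n]) => n > 0).map(([s, n]) => `${n} ${s}`);
  return `found ${rows.length} vulnerabilities (${parts.join(", ")})`;
}

console.log(summaryLine(SAMPLE_REPORT), triageByRoot(SAMPLE_REPORT));
```

On a real project, replace `SAMPLE_REPORT` with `JSON.parse` of the output of `npm audit --json`; a root whose `devOnly` is false is the one that reaches production builds and deserves attention first.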

@LinusBorg
Member

All of those are dependencies of nightwatch; you should likely open reports there.

@beatfactor
Contributor

@LinusBorg vue-cli is using nightwatch v0.9 and we have recently released v1.0 into the main npm channel. Anything we can do to help with the upgrade? Let us know if there are specific issues blocking it, thanks.

@LinusBorg
Member

@beatfactor hey, thanks for getting in touch. I'm not personally familiar with the status of the nightwatch plugin, but we are certainly interested in moving to 1.0 if that's available now. I honestly missed that. 😅

/cc @sodatea can you chime in!

@haoqunjiang
Member

Yes, we're definitely interested in upgrading, but I haven't got the time to have a close look at the 1.0 changelog, so I'm not sure if it will be a breaking change for us…
If not, we'll certainly do it. Otherwise, we might have to delay it to v4 (which is pending webpack v5 release).

Sidenote: it seems these vulnerabilities are for server-side projects only and should not affect local tests.

@cedon

cedon commented Jan 21, 2019

Just initialized a new project with vue-cli v3.3.0 and NPM reports 22 vulnerabilities now. 11 Low, 1 Moderate, 8 High, 2 Critical.

I've included a dump from npm audit but the text has a lot of extra garbage in it.

npm-audit.txt

@darrenjennings
Contributor

Related: #3388

@haoqunjiang
Member

Landed in v4.0.0-alpha.0
