npm High severity vulnerability from webpack-dev-server #3223
For more details on the issue see: The issue is related to some changes required to be done in sockjs (see sockjs/sockjs-node#247). For a temporary workaround, put this in your `devServer` property in webpack.config.js (or your webpack config file).
See

Already fixed.
Yes, I noticed this earlier, but there seems to still be a bug occurring for some users of this package (see webpack/webpack-dev-server#1604). I have also checked my local package and it is 3.1.14, so maybe this is a problem with NPM's audit tool rather?
**Overview**

Versions of webpack-dev-server before 3.1.6 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) is not validated.

**Remediation**

Update to version 3.1.6 or later.
@usercao I'm trying to follow what's going on here - can you tell me where you found those "Overview" and "Remediation" snippets? So far as I can see the latest release of webpack-dev-server is 3.1.14 (there's no 3.1.16 on npm right now):

```text
> npm view webpack-dev-server versions
[ '0.6.0',
  '0.6.1',
  '0.6.2',
  #...
  '3.1.0',
  '3.1.1',
  '3.1.2',
  '3.1.3',
  '3.1.4',
  '3.1.5',
  '3.1.6',
  '3.1.7',
  '3.1.8',
  '3.1.9',
  '3.1.10',
  '3.1.11',
  '3.1.12',
  '3.1.13',
  '3.1.14' ]
```
@iainbeeston when I install @vue/[email protected], I saw the Remediation in this link https://www.npmjs.com/advisories/725. Until the version of 3.1.14, this bug still persists; I don't know what happened.
Thanks @usercao, that's interesting... The same page also lists 3.1.14 as affected on the "Versions" tab, even though the advisory from npm audit says 3.1.14 is fixed.
**Version**

3.2.2

**Environment info**

**Steps to reproduce**

npm update

**What is expected?**

To run without problems.

**What is actually happening?**