Security vulnerability with VuePress 1.8.2
- [x] I confirm that this is an issue rather than a question.
Bug report
Steps to reproduce
$ npx create-vuepress-site
$ cd docs
$ npm install
...
found 12 vulnerabilities (7 moderate, 5 high)
run `npm audit fix` to fix them, or `npm audit` for details
$ npm audit
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Inefficient Regular Expression Complexity in │
│ │ chalk/ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > webpackbar > wrap-ansi > │
│ │ string-width > strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > webpack-dev-server > yargs > │
│ │ cliui > string-width > strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > webpack-dev-server > yargs > │
│ │ cliui > wrap-ansi > string-width > strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > webpack-dev-server > yargs > │
│ │ cliui > strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > webpackbar > wrap-ansi > │
│ │ strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > webpack-dev-server > yargs > │
│ │ cliui > wrap-ansi > strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-93q8-gq69-wqmw │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Inefficient Regular Expression Complexity in nth-check │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ nth-check │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > │
│ │ optimize-css-assets-webpack-plugin > cssnano > │
│ │ cssnano-preset-default > postcss-svgo > svgo > css-select > │
│ │ nth-check │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-rp65-9cf3-cjxr │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular expression denial of service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.1.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > chokidar > glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > webpack-dev-server > chokidar > │
│ │ glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > @vuepress/shared-utils > globby │
│ │ > fast-glob > glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > @vuepress/markdown > │
│ │ @vuepress/shared-utils > globby > fast-glob > glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > @vuepress/markdown-loader > │
│ │ @vuepress/markdown > @vuepress/shared-utils > globby > │
│ │ fast-glob > glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-ww39-953v-wcq6 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 12 vulnerabilities (7 moderate, 5 high) in 1232 scanned packages
12 vulnerabilities require manual review. See the full report for details.
What is expected?
Zero security vulnerabilities
What is actually happening?
Twelve security vulnerabilities
Other relevant information
- Output of `npx vuepress info` in my VuePress project:
Environment Info:
System:
OS: Linux 5.4 Ubuntu 18.04.6 LTS (Bionic Beaver)
CPU: (8) x64 Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz
Binaries:
Node: 14.16.0 - ~/.nvm/versions/node/v14.16.0/bin/node
Yarn: 1.22.5 - /usr/bin/yarn
npm: 6.14.11 - ~/.nvm/versions/node/v14.16.0/bin/npm
Browsers:
Chrome: 95.0.4638.69
Firefox: 94.0
npmPackages:
@vuepress/core: 1.8.2
@vuepress/theme-default: 1.8.2
vuepress: ^1.5.3 => 1.8.2
npmGlobalPackages:
vuepress: Not Found
I have deep-dived into the modules
- Regarding chalk
[email protected] /home/.../VuePress/docs
└─┬ [email protected]
├─┬ @vuepress/[email protected]
│ ├─┬ [email protected]
│ │ └─┬ [email protected]
│ │ └─┬ [email protected]
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected]
│ │ └─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ │ └─┬ [email protected]
│ │ │ └── [email protected]
│ │ └─┬ [email protected]
│ │ └─┬ [email protected]
│ │ └── [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
└─┬ [email protected]
└─┬ [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└── [email protected]
The newest version of chalk is 4.1.2, and it has had no dependency on has-ansi since at least 2.0.0.
All other vulnerabilities should be fixed with newer versions of webpack-dev-server and webpackbar.
All the libs depending on ansi-regex are using newer versions.
- Regarding glob-parent
[email protected] /home/.../VuePress/docs
└─┬ [email protected]
└─┬ @vuepress/[email protected]
├─┬ @vuepress/[email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected] deduped
├─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └── [email protected] deduped
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└── [email protected]
Updating globby, chokidar and copy-webpack-plugin should fix it; the libs depending on glob-parent are using newer versions.
With node v16.13.0 it's even worse:
$ npm install
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: This SVGO version is no longer supported. Upgrade to v2.x.x.
added 1248 packages, and audited 1249 packages in 27s
80 packages are looking for funding
run `npm fund` for details
30 vulnerabilities (14 moderate, 16 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
$ npm audit
# npm audit report
ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/cliui/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/yargs/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/cliui/node_modules/strip-ansi
node_modules/wrap-ansi/node_modules/strip-ansi
node_modules/yargs/node_modules/strip-ansi
cliui 4.0.0 - 5.0.0
Depends on vulnerable versions of strip-ansi
Depends on vulnerable versions of wrap-ansi
node_modules/cliui
yargs 10.1.0 - 15.0.0
Depends on vulnerable versions of cliui
Depends on vulnerable versions of string-width
node_modules/yargs
webpack-dev-server 2.0.0-beta - 3.11.3
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/cliui/node_modules/string-width
node_modules/wrap-ansi/node_modules/string-width
node_modules/yargs/node_modules/string-width
wrap-ansi 3.0.0 - 6.1.0
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/wrap-ansi
webpackbar 3.0.0-0 - 3.2.0
Depends on vulnerable versions of wrap-ansi
node_modules/webpackbar
glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/chokidar
@vuepress/core <=1.8.2
Depends on vulnerable versions of chokidar
node_modules/@vuepress/core
vuepress 1.0.0-alpha.0 - 1.8.2
Depends on vulnerable versions of @vuepress/core
node_modules/vuepress
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack
webpack-dev-server 2.0.0-beta - 3.11.3
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
copy-webpack-plugin 5.0.1 - 5.1.2
Depends on vulnerable versions of glob-parent
node_modules/copy-webpack-plugin
fast-glob <=2.2.7
Depends on vulnerable versions of glob-parent
node_modules/fast-glob
globby 8.0.0 - 9.2.0
Depends on vulnerable versions of fast-glob
node_modules/globby
@vuepress/shared-utils *
Depends on vulnerable versions of globby
node_modules/@vuepress/shared-utils
@vuepress/markdown <=1.8.2
Depends on vulnerable versions of @vuepress/shared-utils
node_modules/@vuepress/markdown
@vuepress/markdown-loader *
Depends on vulnerable versions of @vuepress/markdown
node_modules/@vuepress/markdown-loader
@vuepress/plugin-register-components <=1.8.2
Depends on vulnerable versions of @vuepress/shared-utils
node_modules/@vuepress/plugin-register-components
vuepress-plugin-container >=2.1.5
Depends on vulnerable versions of @vuepress/shared-utils
node_modules/vuepress-plugin-container
nth-check <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano-preset-default <=4.0.8
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.8
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin
30 vulnerabilities (14 moderate, 16 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Unfortunately `npm audit fix` won't fix anything because of an open issue in @npm/cli.
I needed to dig deep to get the information that I wanted, so here is what I found: there has already been an open pull request https://github.com/vuejs/vuepress/pull/2690 since 2020, but they are all updated in the next major release https://github.com/vuepress/vuepress-next
Just FYI this repo is deprecated and will continue to accrue security and dependency deprecation issues.
From the readme:
VuePress is now in maintenance mode. For a next-gen Vue-based SSG built on top of Vue 3 + Vite, check out VitePress.
It is frustrating that a google for vuepress goes to vuepress 1.x and there is no clear mention you are on a deprecated project. Almost like putting the gun in your hand, pointing it at your foot and saying "you should be more careful!"
This is "vuepress-next": https://v2.vuepress.vuejs.org/