nuxt
nuxt copied to clipboard
Security advisories
While we are working on Nuxt 3 stable release, Nuxt 2 has to keep some dependencies in their older versions to avoid breaking changes. These include webpack@4
, ~~postcss@7
and core-js@2
~~. (Update: You can now migrate to nuxt bridge: https://v3.nuxtjs.org/getting-started/bridge)
As a result, some sub-dependencies are being obsolete, and eventually, some vulnerabilities are being discovered in them. This doesn't always mean Nuxt is vulnerable since most of them are applicable when untrusted user input is involved while these sub-dependencies in Nuxt are used in the build step and during development only.
You have to take care of these security issues immediately:
ID | Related Package | Status | Description |
---|---|---|---|
GitHub issue | @nuxt/webpack > cssnano > cssnano-preset-default > postcss-svgo > svgo |
⚠️ Urgent | Use resolution to prevent installing malicious version |
GHSA-pjwm-rvh2-c87w | @nuxt/utils > ua-parser-js |
⚠️ Attention | Update lock file and local cache |
vuejs/vue-router#3652 | vue-router |
⚠️ Minor | Update the lockfile to use vue-routeer>=3.5.3 |
This is an informative listing of current safe-to-ignore (false positive) vulnerabilities :
ID | Related Package | Status |
---|---|---|
GHSA-4jqc-8m5r-9rpr | webpack >> set-value |
🔰 Not affecting |
GHSA-rp65-9cf3-cjxr | webpack >> nth-check |
🔰 Not affecting |
These issues have been solved in the dependency tree. It is advised to renew the lock file (package-lock.json
and yarn. lock
) to get the fixes.
ID | Related Package | Status | Description |
---|---|---|---|
SNYK-JS-UAPARSERJS-1766952 | |||
2021-23368 | postcss@7 |
✅ Fixed | Is only vulnerable for online tools like codepen that directly compile user css (patch notes) |
2021-27290 | [email protected] |
✅ Fixed | Is only vulnerable to DoS attack if webpack is compiling untrusted code |
2021-33502 | normalize-url@<4.5.1, <5.3.1, <6.0.1 |
✅ Fixed | Is only vulnerable to DoS attack if webpack is compiling untrusted code |
2021-33587 | css-what@<5.0.1 |
✅ Fixed | Is only vulnerable to DoS attack if @nuxt/generator is processing untrusted code |
2021-33502 | normalize-url<4.5.1, 5.3.1, 6.0.1 |
✅ Fixed | Is only vulnerable to DoS attack if extract-css-chunks-webpack-plugin is compiling untrusted css code |
2020-28469 | glob-parent<5.1.2 |
✅ Fixed | Is only vulnerable to DoS attack when in an untrusted development environment |
Notes:
- If you are directly using the above dependencies in production or in a solution other than nuxt, they should be considered
- We regularly update lock-file and check advisories using automated GithubActions
- If you found a security issue nuxt sub-dependency which is not mentioned above, please let us know via security [at] nuxtjs.org
- Generally, you should consider security advisories unless mentioned here as safe, if used in a build-only step or you are sure about its safety
I understand that for most projects these are false positives, but all those false positives are still causing a lot of vulnerability warnings (currently the 145 shown below) that we need to weed through in an attempt to identify if there are any actual security issues.
There's got to be a better way to handle this.
@danielroe - I know how to add expandable details to github issues (it's a pretty great feature), so if I had wanted my last three comments to have the vulnerability warnings collapsed I would have done so. Normally, with that much text to wade through, I would absolutely have made them expandable.
Which brings us to why I didn't collapse them when I made my previous responses and why I've reverted your edits to collapse them.
100% of my last three comments are about the problems that simply having these vulnerability warnings in our audits —vulnerability warnings which we cannot collapse in our audits— can cause, even if these warning are just false positives. The problem my comments are addressing are precisely because there are so many warnings to wade through.
While, for many NuxtJS projects, the intent of the warnings are moot (because they're false positives), because this transitive dependency is used so extensively throughout NuxtJS, the decision to not identify a fix that will actually resolve the resulting warnings is itself overwhelmingly problematic.
Thus, I very intentionally gathered, formatted, and included, in an equally intentionally, uncollapsed format, that overwhelming list of vulnerability warnings so as to highlight just how overwhelmingly problematic the list of vulnerability warnings is.
[edited to add] If a plan is identified which will result in these warnings being removed from our audit outputs, then I'll be very happy (ecstatic even) to collapse the warnings listed in the previous 3 comments!
@metasean I understand you're frustrated. This is something we all experience at the moment when running npm audit
so you're not alone. However, its output is not within the control of Nuxt, and in fact there are tools to address the issues you are reporting, such as better-npm-audit. Specifying package dependencies explicitly is best practice - and, in fact, required for pnp support. (You might also consider using https://github.com/nuxt/postcss8 + a yarn resolution to ensure that only PostCSS 8 will be installed.)
As it happens, we do plan to upgrade Nuxt to PostCSS 8 as soon as practicable, though as it is a breaking change it needs to be done carefully and with forethought. You can follow https://github.com/nuxt/nuxt.js/issues/8087 for updates.
Finally, I've minimised your comments again to ensure this issue remains readable and useful for others. Making your point in the way you did is not kind or considerate, though I trust that was not your intention.
@danielroe Can we get this updated with the error regarding css-what please.
https://github.com/nuxt/nuxt.js/issues/9404
@pi0 Regarding the security issue, is the change included in version 2.15.7? I can't find the change(release note) in the code. 🙇 https://github.com/nuxt/nuxt.js/releases/tag/v2.15.7
Security advisory
Please upgrade to nuxt@^2.15.7 if using [email protected] or [email protected]
@yu1222 Yes, it is in 2.5.7. It is related to #9431.
I also see security issues for
- glob-parent (moderate: https://www.npmjs.com/advisories/1751) nuxt > @nuxt/webpack > webpack > watchpack > watchpack-chokidar2 > chokidar > glob-parent
- trim-newlines (high https://www.npmjs.com/advisories/1753) node-sass > meow > trim-newlines
While trim-newlines is not a dependency of nuxt, nuxt doesn't work with sass-loader > v10, which requires node-sass v5 (the dependency is updated in node-sass v6)
Is it worth mentioning either/both of these at the top?
Is there a more narrow expected time range for the Nuxt3 release?
Sorry if it may be repetitive, but I'm also facing this security issue with glob-parent
as mentioned above. Is it safe to ignore the package as it is with the listed ones?
@caioferrarezi Yes.
should i use "scripts": { "preinstall": "npx npm-force-resolutions" } in package and also "resolutions": { "dependencies": version } befor run npm i?
Please see https://github.com/veged/coa/issues/99 and immediately use a resolution to prevent installing malicious code.
@pi0 glob-parent
hasn't been fixed please edit the above comment.
@nuxt/[email protected]
still uses [email protected]
here is the output npm list glob-parent
+-- @nuxt/[email protected]
| `-- [email protected]
| `-- [email protected]
| `-- [email protected]
| `-- [email protected]
| `-- [email protected]
| `-- [email protected]
Related to @iamarpitpatidar's comment. I am seeing [email protected]
in @nuxt/[email protected]
. Expecting glob-parent >= 5.1.2
npm ls glob-parent
├─┬ [email protected]
│ ├─┬ @nuxt/[email protected]
│ │ └─┬ [email protected]
│ │ └─┬ [email protected]
│ │ └── [email protected] deduped
│ └─┬ @nuxt/[email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
...
Hello, i'm seeing vulnerabilities with the following packages which are dependencies of [email protected], these are shown through our Snyk dashboard.
Can anyone advise me on how best to rectify these or is it a case of waiting for Nuxt 3?
Any advice would be appreciated, thanks.
Severity High - [email protected] Introduced through: [email protected] › @nuxt/[email protected] › [email protected] › [email protected] Introduced through: [email protected] › @nuxt/[email protected] › @nuxt/[email protected] › [email protected] › [email protected] Introduced through: [email protected] › @nuxt/[email protected] › @nuxt/[email protected] › @nuxt/[email protected] › [email protected] › [email protected]
Severity High - [email protected] Introduced through: [email protected] › @nuxt/[email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] Introduced through:[email protected] › @nuxt/[email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] Introduced through: [email protected] › [email protected] › @nuxt/[email protected] › @nuxt/[email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] Introduced through: [email protected] › @nuxt/[email protected] › @nuxt/[email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected]
Severity High - [email protected] Introduced through: [email protected] › @nuxt/[email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected]
31 more instances for this package, but thought best to just include one example here
Severity Medium - [email protected] Introduced through: [email protected] › @nuxt/[email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] Introduced through: [email protected] › @nuxt/[email protected] › @nuxt/[email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected]
Severity Medium - [email protected] Introduced through: [email protected] › @nuxt/[email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] Introduced through: [email protected] › @nuxt/[email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] Introduced through: [email protected] › @nuxt/[email protected] › @nuxt/[email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] Introduced through: [email protected] › @nuxt/[email protected] › @nuxt/[email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected]
@XPAULUSX All of the dependencies you list are build-time and are not installed in your built app. This is a helpful summary of the situation.
lodash.template
used in @nuxt/server › vue-renderer
which is runtime dependency but is safe as not used by nuxt. We compile templates at buildtime :)
Thanks for your contribution to Nuxt! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you would like this issue to remain open:
- Verify that you can still reproduce the issue in the latest version of nuxt-edge
- Comment the steps to reproduce it
Issues that are labeled as pending
will not be automatically marked as stale.
Bear with us, StaleBot, for this issue is pinned! Can someone add whatever label is due?
are these vulnerabilities also not a problem when we need to be complient with PCI compliance standards?
Is there any solution or workarounds to this?
lodash.template used in @nuxt/server › vue-renderer which is runtime dependency but is safe as not used by nuxt. We compile templates at buildtime :)
Even security issues are not applying really - like in this case - having vulnerable packages in production builds will trigger a red flag for security checks for corporate requirements requiring security checks on their deployed apps. Any ideas or solutions on how to achieve that with Nuxt2?
@fago You can use yarn or pnpm resolutions to force a given dependency version to be resolved/installed in your project.
I see, thanks - we'll give that a try.
New security issue: CWE-918 Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url.
[email protected] requires parse-url@^6.0.0 via a transitive dependency on [email protected] The earliest fixed version is 8.1.0.
The git-up
dependency is not used in production, and is used by Nuxt in development/build to parse your own repository url, which I would not regard as vulnerable usage.
The
git-up
dependency is not used in production, and is used by Nuxt in development/build to parse your own repository url, which I would not regard as vulnerable usage.
Oh right! Thank for your answer @danielroe.
Is there is a simple way to check if vulnerability is used in production/dev mode (for future security issues)? Or maybe you could specify in the first post all security issues and their vulnerability levels? Maybe that would help.
@danielroe Hi, there are no security vulnerabilities in Nuxt 2.14.12 right? https://security.snyk.io/package/npm/nuxt/2.14.12
Looks like new things pops out:
axios 0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/@nuxtjs/auth-next/node_modules/axios
node_modules/axios
@nuxtjs/auth-next *
Depends on vulnerable versions of @nuxtjs/axios
Depends on vulnerable versions of axios
node_modules/@nuxtjs/auth-next
@nuxtjs/axios *
Depends on vulnerable versions of axios
node_modules/@nuxtjs/axios
myproject
+-- @nuxtjs/[email protected]
| `-- [email protected]
`-- @nuxtjs/[email protected]
`-- [email protected]