Dependency on vulnerable version of vue-template-compiler
Vue - Official extension or vue-tsc version
vue-tsc
VSCode version
1.91.1
Vue version
2.7
TypeScript version
5.4.2
System Info
System:
  OS: macOS 14.5
  CPU: (8) arm64 Apple M1
  Memory: 49.92 MB / 16.00 GB
  Shell: 3.7.1 - /opt/homebrew/bin/fish
Binaries:
  Node: 18.18.2 - ~/.asdf/installs/nodejs/18.18.2/bin/node
  npm: 9.8.1 - ~/.asdf/plugins/nodejs/shims/npm
  pnpm: 9.5.0 - /opt/homebrew/bin/pnpm
  bun: 1.0.1 - ~/.bun/bin/bun
Browsers:
  Chrome: 127.0.6533.72
  Edge: 126.0.2592.113
  Safari: 17.5
Steps to reproduce
Run npm audit on a project with a vue-tsc dependency
What is expected?
It should not contain any vulnerability alerts
What is actually happening?
vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS) - https://github.com/advisories/GHSA-g3ch-rx76-35fx
fix available via npm audit fix
node_modules/vue-template-compiler
@vue/language-core *
Depends on vulnerable versions of vue-template-compiler
node_modules/@vue/language-core
@vue/typescript *
Depends on vulnerable versions of @vue/language-core
node_modules/@vue/typescript
vue-tsc >=1.7.0-alpha.0
Depends on vulnerable versions of @vue/language-core
Depends on vulnerable versions of @vue/typescript
node_modules/vue-tsc
Link to minimal reproduction
No response
Any additional comments?
client-side Cross-Site Scripting (XSS) on vue-template-compiler - https://github.com/advisories/GHSA-g3ch-rx76-35fx
The CVE indicates it's fixed in 3.0.0; however, that is not a version on npm, and it is instead found at https://www.herodevs.com/support/nes-vue
Any update on this issue?
I have the same problem. Any solution?
The CVE indicates it's fixed in 3.0.0; however, that is not a version on npm, and it is instead found at https://www.herodevs.com/support/nes-vue
This is ridiculous. What's the point of keeping a dep for an EOL framework? Just let those guys make a parallel project for vue2 and terminate its support on this. (Also, no offense, but I see that not only can they not make a public release, but they don't even know the difference between a major and a patch.)
Please update vue-tsc to 2.0.29.