So I tried creating a Vue 2 project and it works fine; the only issue is that there are 20 vulnerabilities, 9 of which are "High".
I tried running npm audit fix, as well as npm audit fix --force. Neither of them worked. Prior to running "npm audit fix --force" I only had 18 errors.
What's the proper way of resolving issues like this?
# npm audit report
css-what <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install @vue/cli-service@4.5.13, which is a breaking change
node_modules/svgo/node_modules/css-what
css-select <=3.1.2
Depends on vulnerable versions of css-what
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 2.3.0
Depends on vulnerable versions of css-select
node_modules/svgo
postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano-preset-default <=4.0.8
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
@intervolga/optimize-cssnano-plugin >=1.0.2
Depends on vulnerable versions of cssnano-preset-default
node_modules/@intervolga/optimize-cssnano-plugin
@vue/cli-service *
Depends on vulnerable versions of @intervolga/optimize-cssnano-plugin
Depends on vulnerable versions of copy-webpack-plugin
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of globby
Depends on vulnerable versions of webpack-dev-server
node_modules/@vue/cli-service
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install @vue/cli-service@4.5.13, which is a breaking change
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack
webpack-dev-server 2.0.0-beta - 3.11.2
Depends on vulnerable versions of chokidar
node_modules/webpack-dev-server
@vue/cli-service *
Depends on vulnerable versions of @intervolga/optimize-cssnano-plugin
Depends on vulnerable versions of copy-webpack-plugin
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of globby
Depends on vulnerable versions of webpack-dev-server
node_modules/@vue/cli-service
fast-glob <=2.2.7
Depends on vulnerable versions of glob-parent
node_modules/fast-glob
globby 8.0.0 - 9.2.0
Depends on vulnerable versions of fast-glob
node_modules/globby
serialize-javascript <=3.0.0
Severity: high
Cross-Site Scripting - https://npmjs.com/advisories/1426
Remote Code Execution - https://npmjs.com/advisories/1548
fix available via `npm audit fix --force`
Will install @vue/cli-service@4.5.13, which is a breaking change
node_modules/copy-webpack-plugin/node_modules/serialize-javascript
copy-webpack-plugin 4.3.0 - 5.0.4
Depends on vulnerable versions of cacache
Depends on vulnerable versions of serialize-javascript
node_modules/copy-webpack-plugin
@vue/cli-service *
Depends on vulnerable versions of @intervolga/optimize-cssnano-plugin
Depends on vulnerable versions of copy-webpack-plugin
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of globby
Depends on vulnerable versions of webpack-dev-server
node_modules/@vue/cli-service
ssri 5.2.2 - 6.0.1 || 7.0.0 - 7.1.0 || 8.0.0
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/565
fix available via `npm audit fix --force`
Will install @vue/cli-service@4.5.13, which is a breaking change
node_modules/copy-webpack-plugin/node_modules/ssri
cacache 10.0.4 - 11.0.0
Depends on vulnerable versions of ssri
node_modules/copy-webpack-plugin/node_modules/cacache
copy-webpack-plugin 4.3.0 - 5.0.4
Depends on vulnerable versions of cacache
Depends on vulnerable versions of serialize-javascript
node_modules/copy-webpack-plugin
@vue/cli-service *
Depends on vulnerable versions of @intervolga/optimize-cssnano-plugin
Depends on vulnerable versions of copy-webpack-plugin
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of globby
Depends on vulnerable versions of webpack-dev-server
node_modules/@vue/cli-service
20 vulnerabilities (11 moderate, 9 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force