Description
Version
5.0.8
Reproduction link
- minimatch ReDoS vulnerability
- Exposure of Sensitive Information to an Unauthorized Actor in nanoid
- Regular Expression Denial of Service in postcss
- PostCSS line return parsing error
Environment info
System:
OS: Windows 10 10.0.19045
CPU: (16) x64 12th Gen Intel(R) Core(TM) i7-1260P
Binaries:
Node: 14.21.3 - C:\Program Files\nodejs\node.EXE
npmPackages:
@vue/cli-plugin-unit-mocha: 5.0.8 => 5.0.8
@vue/cli-service: 5.0.8 => 5.0.8
vue: 2.7.14 => 2.7.14
Steps to reproduce
Run npm audit on any application using @vue/cli-plugin-unit-mocha and @vue/cli-service, version 5.0.8.
Output:
High minimatch ReDoS vulnerability
Package minimatch
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > glob > minimatch
More info GHSA-f8q6-p94x-37v3
High minimatch ReDoS vulnerability
Package minimatch
Patched in >=3.0.5
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > minimatch
More info GHSA-f8q6-p94x-37v3
Moderate Exposure of Sensitive Information to an Unauthorized Actor in nanoid
Package nanoid
Patched in >=3.1.31
Dependency of @vue/cli-plugin-unit-mocha [dev]
Path @vue/cli-plugin-unit-mocha > mocha > nanoid
More info GHSA-qrpm-p2h7-hrv2
Moderate PostCSS line return parsing error
Package postcss
Patched in >=8.4.31
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > @vue/component-compiler-utils > postcss
More info GHSA-7fh5-64p2-3v2j
Moderate PostCSS line return parsing error
Package postcss
Patched in >=8.4.31
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > @vue/vue-loader-v15 > @vue/component-compiler-utils > postcss
More info GHSA-7fh5-64p2-3v2j
What is expected?
There should not be any vulnerabilities.
What is actually happening?
There are existing vulnerabilities.