Nuxt2 Security advisories

[pi0]

While we are working on Nuxt 3 stable release, Nuxt 2 has to keep some dependencies in their older versions to avoid breaking changes. These include webpack@4, postcss@7 and core-js@2. (Update: You can now migrate to nuxt bridge: https://nuxt.com/docs/bridge/overview)

As a result, some sub-dependencies are being obsolete, and eventually, some vulnerabilities are being discovered in them. This doesn't always mean Nuxt is vulnerable since most of them are applicable when untrusted user input is involved while these sub-dependencies in Nuxt are used in the build step and during development only.

You have to take care of these security issues immediately:

ID	Related Package	Status	Description
GitHub issue	@nuxt/webpack > cssnano > cssnano-preset-default > postcss-svgo > svgo	⚠️ Urgent	Use resolution to prevent installing malicious version
GHSA-pjwm-rvh2-c87w	@nuxt/utils > ua-parser-js	⚠️ Attention	Update lock file and local cache
vuejs/vue-router#3652	vue-router	⚠️ Minor	Update the lockfile to use vue-routeer>=3.5.3

This is an informative listing of current safe-to-ignore (false positive) vulnerabilities :

ID	Related Package	Status
GHSA-4jqc-8m5r-9rpr	webpack >> set-value	🔰 Not affecting
GHSA-rp65-9cf3-cjxr	webpack >> nth-check	🔰 Not affecting

These issues have been solved in the dependency tree. It is advised to renew the lock file (package-lock.json and yarn. lock) to get the fixes.

ID	Related Package	Status	Description
SNYK-JS-UAPARSERJS-1766952
2021-23368	postcss@7	✅ Fixed	Is only vulnerable for online tools like codepen that directly compile user css (patch notes)
2021-27290	ssri@6.0.2	✅ Fixed	Is only vulnerable to DoS attack if webpack is compiling untrusted code
2021-33502	normalize-url@<4.5.1, <5.3.1, <6.0.1	✅ Fixed	Is only vulnerable to DoS attack if webpack is compiling untrusted code
2021-33587	css-what@<5.0.1	✅ Fixed	Is only vulnerable to DoS attack if @nuxt/generator is processing untrusted code
2021-33502	normalize-url<4.5.1, 5.3.1, 6.0.1	✅ Fixed	Is only vulnerable to DoS attack if extract-css-chunks-webpack-plugin is compiling untrusted css code
2020-28469	glob-parent<5.1.2	✅ Fixed	Is only vulnerable to DoS attack when in an untrusted development environment

Notes:

• If you are directly using the above dependencies in production or in a solution other than nuxt, they should be considered
• We regularly update lock-file and check advisories using automated GithubActions
• If you found a security issue nuxt sub-dependency which is not mentioned above, please let us know via security [at] nuxtjs.org
• Generally, you should consider security advisories unless mentioned here as safe, if used in a build-only step or you are sure about its safety

[metasean]

I understand that for most projects these are false positives, but all those false positives are still causing a lot of vulnerability warnings (currently the 145 shown below) that we need to weed through in an attempt to identify if there are any actual security issues.

There's got to be a better way to handle this.

[metasean]

[metasean]

[metasean]

@danielroe - I know how to add expandable details to github issues (it's a pretty great feature), so if I had wanted my last three comments to have the vulnerability warnings collapsed I would have done so. Normally, with that much text to wade through, I would absolutely have made them expandable.

Which brings us to why I didn't collapse them when I made my previous responses and why I've reverted your edits to collapse them.

100% of my last three comments are about the problems that simply having these vulnerability warnings in our audits —vulnerability warnings which we cannot collapse in our audits— can cause, even if these warning are just false positives. The problem my comments are addressing are precisely because there are so many warnings to wade through.

While, for many NuxtJS projects, the intent of the warnings are moot (because they're false positives), because this transitive dependency is used so extensively throughout NuxtJS, the decision to not identify a fix that will actually resolve the resulting warnings is itself overwhelmingly problematic.

Thus, I very intentionally gathered, formatted, and included, in an equally intentionally, uncollapsed format, that overwhelming list of vulnerability warnings so as to highlight just how overwhelmingly problematic the list of vulnerability warnings is.

[edited to add]
If a plan is identified which will result in these warnings being removed from our audit outputs, then I'll be very happy (ecstatic even) to collapse the warnings listed in the previous 3 comments!

[danielroe]

@metasean I understand you're frustrated. This is something we all experience at the moment when running npm audit so you're not alone. However, its output is not within the control of Nuxt, and in fact there are tools to address the issues you are reporting, such as better-npm-audit. Specifying package dependencies explicitly is best practice - and, in fact, required for pnp support. (You might also consider using https://github.com/nuxt/postcss8 + a yarn resolution to ensure that only PostCSS 8 will be installed.)

As it happens, we do plan to upgrade Nuxt to PostCSS 8 as soon as practicable, though as it is a breaking change it needs to be done carefully and with forethought. You can follow #8087 for updates.

Finally, I've minimised your comments again to ensure this issue remains readable and useful for others. Making your point in the way you did is not kind or considerate, though I trust that was not your intention.

[moleCuleFFF]

@danielroe Can we get this updated with the error regarding css-what please.

#9404

[yu1222]

@pi0
Regarding the security issue, is the change included in version 2.15.7?
I can't find the change(release note) in the code. 🙇
https://github.com/nuxt/nuxt.js/releases/tag/v2.15.7

Security advisory
Please upgrade to nuxt@^2.15.7 if using nuxt@2.15.5 or nuxt@2.15.6

[pi0]

@yu1222 Yes, it is in 2.5.7. It is related to #9431.

[simonbrent]

I also see security issues for

• glob-parent (moderate: https://www.npmjs.com/advisories/1751) nuxt > @nuxt/webpack > webpack > watchpack > watchpack-chokidar2 > chokidar > glob-parent
• trim-newlines (high https://www.npmjs.com/advisories/1753) node-sass > meow > trim-newlines

While trim-newlines is not a dependency of nuxt, nuxt doesn't work with sass-loader > v10, which requires node-sass v5 (the dependency is updated in node-sass v6)

Is it worth mentioning either/both of these at the top?