Security issue with css-what in @vue/cli-service 4.5.13

[ahermant]

Version

4.5.13

Reproduction link

https://github.com/ahermant/vue-cli-service-issue

Environment info

Environment Info:

  System:
    OS: macOS 11.2.2
    CPU: (16) x64 Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
  Binaries:
    Node: 12.21.0 - ~/.nvm/versions/node/v12.21.0/bin/node
    Yarn: 1.22.10 - /usr/local/bin/yarn
    npm: 6.14.11 - ~/.nvm/versions/node/v12.21.0/bin/npm
  Browsers:
    Chrome: 91.0.4472.77
    Edge: Not Found
    Firefox: 89.0
    Safari: 14.0.3
  npmPackages:
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-helper-vue-transform-on:  1.0.2 
    @vue/babel-plugin-jsx:  1.0.6 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  4.5.13 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli-overlay:  4.5.13 
    @vue/cli-plugin-babel: ~4.5.0 => 4.5.13 
    @vue/cli-plugin-eslint: ~4.5.0 => 4.5.13 
    @vue/cli-plugin-router:  4.5.13 
    @vue/cli-plugin-vuex:  4.5.13 
    @vue/cli-service: ~4.5.0 => 4.5.13 
    @vue/cli-shared-utils:  4.5.13 
    @vue/component-compiler-utils:  3.2.0 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/web-component-wrapper:  1.3.0 
    eslint-plugin-vue: ^6.2.2 => 6.2.2 
    vue: ^2.6.11 => 2.6.14 
    vue-eslint-parser:  7.6.0 
    vue-hot-reload-api:  2.3.4 
    vue-loader:  15.9.7 (16.2.0)
    vue-style-loader:  4.1.3 
    vue-template-compiler: ^2.6.11 => 2.6.14 
    vue-template-es2015-compiler:  1.9.1 
  npmGlobalPackages:
    @vue/cli: 4.5.13

Steps to reproduce

run yarn audit or npm audit on a project with @vue/cli-service 4.5.13

What is expected?

No security issue

What is actually happening?

4 security issues spotted on css-what

[jeanrp]

Same problem here

[MateusGaldinoLG]

i have here the same problem. NPM gives a link explaining what is wrong with css-what: https://www.npmjs.com/advisories/1754.
the fix is to update the css-what version to its new version (5.0.1)

[echojoshchen]

I see this issue as well, and another vulnerability has been reported for normalize-url.

[Halceyon]

I'm seeing the same for normalize-url on v4.5.13:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ normalize-url │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @vue/cli-service > @intervolga/optimize-cssnano-plugin > │
│ │ cssnano > cssnano-preset-default > postcss-normalize-url > │
│ │ normalize-url │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1755 │
└───────────────┴──────────────────────────────────────────────────────────────┘

[alimony]

How is a high severity vulnerability in one of the most popular JS frameworks not fixed ten days after the issue is opened?

[mtermoul]

I have the same issue here. npm audit is saying:

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install @vue/cli-service@3.12.1, which is a breaking change
node_modules/svgo/node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 2.3.0
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          @intervolga/optimize-cssnano-plugin  >=1.0.2
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/@intervolga/optimize-cssnano-plugin
            @vue/cli-service  *
            Depends on vulnerable versions of @intervolga/optimize-cssnano-plugin
            Depends on vulnerable versions of copy-webpack-plugin
            Depends on vulnerable versions of cssnano
            Depends on vulnerable versions of globby
            Depends on vulnerable versions of webpack-dev-server
            node_modules/@vue/cli-service
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano

And when I do npm ls css-what I got the following

└─┬ @vue/cli-service@4.5.13
  ├─┬ @intervolga/optimize-cssnano-plugin@1.0.6
  │ └─┬ cssnano-preset-default@4.0.8
  │   └─┬ postcss-svgo@4.0.3
  │     └─┬ svgo@1.3.2
  │       └─┬ css-select@2.1.0
  │         └── css-what@3.4.2
  └─┬ html-webpack-plugin@3.2.0
    └─┬ pretty-error@2.1.2
      └─┬ renderkid@2.0.7
        └─┬ css-select@4.1.3
          └── css-what@5.0.1

So obviously @vue/cli-service@4.5.13 need to use a different version of css-what to fix the issue.

[dosstx]

Please keep us updated.

[nguyenlam123]

Also experiencing this using yarn. Does anyone have a suggested workaround in the mean time? Ideally, one should use the next version, but I am asking since the issue has been opened a "while"(all is relative right? 😄).

[wforbes]

"css-select" is still calling for ^5.0.0 and that's what's directly using "css-what" here
So, even though "css-what" fixed the linear parsing issue and updated to 5.0.1 on 5/28, we'll be getting this warning until "css-select" accepts this pull request fb55/css-select#489 .... or this one ... fb55/css-select#490 lol

(css-what fix fb55/css-what@4cdaacf )

[jgunawancode]

Isn't the issue stem from vue-cli-service has a dependency on "@intervolga/optimize-cssnano-plugin"? That library has dependencies that depends on old version of "css-what". That library also has not been updated for 3+ years, maybe vue-cli-service needs to remove dependency to "@intervolga/optimize-cssnano-plugin" and use any of the library below?

https://github.com/webpack-contrib/css-minimizer-webpack-plugin#readme
https://github.com/NMFR/optimize-css-assets-webpack-plugin

[HotchaiLLC]

For some reason, the security issue with css-what was gone in my environment...
How about you guys?

[alimony]

@HotchaiLLC Not seeing this anymore, I guess some of the downstream dependencies were finally updated.