CVE-2018-14732 webpack-dev-server #460
Comments
The maintainer just released
Thanks @rschultheis for letting us know. I appreciate you jumping on the repo and sharing and PRing this.
webpack-dev-server 3.1.10 has a security vulnerability[1] that was fixed on 3.1.11. That version is retrocompatible, so this patch simply bumps the dependency. [1] nodejs/security-wg#460
👋
I've been looking at this CVE-2018-14732, and also the corresponding NPM Advisory: https://www.npmjs.com/advisories/725
It seems like this should be added into this repo? I'd be happy to submit a PR if y'all agree. Not sure I understand all the policies of this repo; is it ideally supposed to contain all the public NPM CVEs?
Also, there is a problem with the CVE data and the advisory in NPM too. This comment outlines the problem. The CVE/NPM advisory claims this is fixed in webpack-dev-server 3.1.6, but it is not. The fix is in an un-merged branch. All that is needed for a fix is a PR and a release, but it's not clear if the maintainers are going to do that. I'm looking for any help to either get the CVE corrected and/or get a patch released.

webpack-dev-server is widely used, though in a development context. The exploitability of this is not clear to me. Can someone back up the maintainers' claim that the exploitability of this is low? Much thanks 🙇