Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

A vulnerability found in webpack-dev-server #1445

Closed
chromium1337 opened this issue Jul 24, 2018 · 9 comments
Closed

A vulnerability found in webpack-dev-server #1445

chromium1337 opened this issue Jul 24, 2018 · 9 comments

Comments

@chromium1337
Copy link

Hi, I found a vulnerability in webpack-dev-server, how do I report it to you?

@alexander-akait
Copy link
Member

@chromium1337 It is problem in dependencies or in webpack-dev-server code?

@chromium1337
Copy link
Author

@evilebottnawi It's in webpack-dev-server code, not dependencies.

@alexander-akait
Copy link
Member

@chromium1337 please send details to sheo13666q @ gmail . com

@yagoestevez
Copy link

Hi,
Not sure if it's the same vulnerability. I was just warn by NPM about these vulnerabilities which webpack-dev-server depends on:
vulnerabilities

@rschultheis
Copy link

👋 Hi I am looking at this issue as it seems to relate to these security advisories:

As far as I can tell, the fix commit has not made it to master nor been released? Both the NPM Advisory and CVE report a fix version of 3.1.6, but nothing in 3.1.6 release looks like the fix for this? The bugfix/origin-header branch needs a PR and to get merged and deployed.

Am I mistaken or has the fix for this not really been deployed?

This package is widely used so I am looking at this from the perspective of making sure the public data sources are correct.

CC fix commit author @sokra

@alexander-akait
Copy link
Member

this package should be used only for development purpose, so it is not very high priority

@alexander-akait
Copy link
Member

Done in [email protected]

jdleesmiller added a commit to jdleesmiller/twenty48 that referenced this issue Jan 5, 2019
@xhocquet
Copy link

@evilebottnawi Could you please advise the state of this vulnerability in webpack-dev-server 2.11.3? Is this vulnerability present, and if so is there a possibility of adding this patch as a security update?

@kfern
Copy link

kfern commented Jan 26, 2019

In webpack-dev-server 2.11.3, npm audit found 1 high severity vulnerability.
+1 @xhocquet . We need a 2.x security update patch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

7 participants