Reputation: 11
How to handle path traversal vulnerability in webpack-dev-middleware with Vue CLI dependency constraints?
I'm dealing with a security vulnerability in webpack-dev-middleware reported as CVE-2024-29180, which involves insufficient URL validation that allows path traversal attacks. Dependabot flagged this issue but cannot update webpack-dev-middleware to a non-vulnerable version due to conflicting dependencies in my project that uses Vue CLI.
The specific conflict arises because @vue/[email protected] requires webpack-dev-middleware@^3.7.2 via [email protected], and the fixed version for the vulnerability starts from 5.3.4.
Given this dependency chain, updating to a secure version seems non-trivial. Here’s more detail on the vulnerability:
- Affected versions: <= 5.3.3
- Patched version: 5.3.4
Questions:
- How can I safely update webpack-dev-middleware in a project that depends on @vue/[email protected]?
- Is there a workaround to mitigate this vulnerability without upgrading the entire Vue CLI or webpack stack?
- Can anyone suggest best practices for configuring devServer or devMiddleware to prevent such vulnerabilities in future setups?
Upvotes: 1
Views: 1149
Answers (1)
Reputation: 11
I resolved this issue by simply upgrading the webpack-dev-middleware package. It suggests that the package is vulnerable below or equal to the 5.3.3 version.
npm install [email protected] -D
And put the package to the overrides in package.json
NOTE: After adding this please delete node_modules and package-lock.json and reinstall
Upvotes: 0
Related Questions
- How to change port number in vue-cli project
- Command not found with vue-cli
- how to fix vue-cli-service vulnerability?
- Snyk vulnerability scan not recognizing overriden nested package dependencies
- Location of webpack config file in vue-cli webpack project?
- How to disable ESLint in vue-cli?
- Verify path traversal vulnerability in web server