Vulnerability with dependency vue-template-compiler

[multiestetica]

Hello,

We have the last webpack-encore version installed 4.6.1 and since today we are facing a problem with a package dependency of this.
The package is vue-template-compiler and the message after executing npm audit is:

# npm audit report

vue-template-compiler  >=2.0.0
Severity: moderate
vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS) - https://github.com/advisories/GHSA-g3ch-rx76-35fx
fix available via `npm audit fix --force`
Will install @symfony/webpack-encore@3.1.0, which is a breaking change
node_modules/vue-template-compiler
  @symfony/webpack-encore  >=4.0.0
  Depends on vulnerable versions of vue-template-compiler
  node_modules/@symfony/webpack-encore

2 moderate severity vulnerabilities

The solution according to npm is to downgrade the encore package but it doesn't seem a good solution to me.

Our encore configuration is:

    // Enables VUE
    .enableVueLoader(
        () => {},
        {
            runtimeCompilerBuild: false,
            version: 3,
        }
    )

The vulnerability is supposed to affect vue2 and not vue3 and we are using vue3 as shown in the config above.
What can we do here? Is there any way to skip the usage of this package?

[Kocal]

Hi, it looks like there is no patched version. The link says "patched in 3.0.0" but I don't see any release 3.0.0 in https://www.npmjs.com/package/vue-template-compiler?activeTab=versions

But, since you use Vue 3 and not Vue 2, you can simply remove the dependency vue-template-compiler. Encore does not install it automatically (since it's a dev/optional peer dependency), so you must remove it yourself.

Here are the dependencies needed to use Vue 3 in Webpack Encore: https://github.com/symfony/webpack-encore/blob/main/lib/features.js#L108-L118

[multiestetica]

Hi @Kocal thanks for the quick reply.

I just removed the package you mentioned with npm remove vue-template-compiler but it seems to have the same problem when I execute npm install.
I see that webpack-encore has it as a devDependency here https://github.com/symfony/webpack-encore/blob/main/package.json

It's strange that after removing it, the audit fails even if the package is optional. Is there any other thing I can try?

[Kocal]

By curiosity, how did you install Webpack Encore?
AFAIK when you install a package, only its "prod" dependencies are downloaded, not the dev dependencies.

[multiestetica]

Hi,

I have the "@symfony/webpack-encore": "^4.4.0" inside the "dependencies" attribute of the package.json:

"dependencies": {
    "@symfony/webpack-encore": "^4.4.0"
  }

When we execute the npm install (without any options) the following output appears:
2 moderate severity vulnerabilities

And executing the npm audit same happens.

I tried executing it with the flag --omit=optional and then it works fine but I suspect doing this it's not the best idea.

Any other ideas?

[Kocal]

I can see the point to for npm to audit any dependencies of your dependencies, but come on, even for optional peer dependencies that are not installed? 🥲

I believe you have two solutions:

• keep using --omit=optional
• or wait for Encore's removal of Vue 2 support

[Kocal]

I think the 2nd option is doable, https://v2.vuejs.org/eol/ is doable, in a new major version of Encore.

[multiestetica]

Ok thanks!
From now I think I am going to wait for the support removal because I want to make sure I don't miss anything with the omit flag.
I don't understand why the audit works this way, IMHO it should check only the installed packages, but maybe have sense internally..

Do you know if there is any plan with the support removal from webpack encore team? Should we create a different issue?

[Kocal]

Do you know if there is any plan with the support removal from webpack encore team? Should we create a different issue?

Nothing I can tell you right now, but yeah we can open an issue!

[multiestetica]

Thanks @Kocal !