Comments (10)
I wonder if people use dev tools in production, or what justifies patching even more versions?
Just curious because you can never have 0 vulnerabilities in your dev tools: https://overreacted.io/npm-audit-broken-by-design/
I have to deal with CVEs on a daily basis at work, and there we cannot and will not patch every problem, especially in dev tools. When we use CVSS v4 and EPSS as part of correct risk management, most findings pose no real risk - unless you use dev tools on a production server.
from webpack-dev-middleware.
Should be already patched:
Already fixed, see the answer above, thank you.
I'm not sure this is properly fixed for 6.1.2.
Looking at version6-middleware.js#L103, extra isn't passed to getFilenameFromUrl.
This compared to the other versions version5-middleware.js#L104 and latest-middleware.js#L184.
Or is it handled differently in 6.1.2?
@rumpnizz yeah, good catch 👍
Hi Team, can we get this patched in versions 3 & 4 as well?
3.7.3 & 4.3.0 are also widely used versions, as they are transitive dependencies which in turn rely on older Node versions, so these are possibly also in use.
It would be great if the fix could be patched into the above versions.
We use ~ everywhere, so you can update deps locally.
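The maintainer's point above is that dependents declaring a tilde range (~x.y.z) rather than an exact pin let a consumer pull a patched patch-level release locally with a plain dependency update, without waiting for every intermediate package to bump. The following is an added example, not code from webpack-dev-middleware or its maintainers: a minimal semver range check (exact pin, ~ and ^) applied to a constructed list of version strings, to show which of them a given declared range would accept. The published version list and the ranges are hypothetical inputs, not real release data.

```javascript
// Added example (not webpack-dev-middleware's own code): minimal semver range
// check showing why a dependent that declares "~x.y.z" lets you pull a newer
// patch release locally, while an exact pin does not.
// All version numbers below are constructed for illustration only.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Compare two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// True if `candidate` may be installed for the declared `range`.
// Supports exact pins, tilde (~) and caret (^) ranges, which covers
// package.json entries such as "5.3.0", "~5.3.0" or "^5.3.0".
function satisfies(candidate, range) {
  const r = range.trim();
  const op = r[0] === '~' || r[0] === '^' ? r[0] : '';
  const base = parseVersion(op ? r.slice(1) : r);
  const c = parseVersion(candidate);
  if (compare(c, base) < 0) return false;             // never below the floor
  if (op === '') return compare(c, base) === 0;       // exact pin
  if (op === '~') {                                    // patch-level updates only
    return c.major === base.major && c.minor === base.minor;
  }
  // caret: same major for >=1.0.0; for 0.y.z same minor; for 0.0.z exact
  if (base.major > 0) return c.major === base.major;
  if (base.minor > 0) return c.major === 0 && c.minor === base.minor;
  return compare(c, base) === 0;
}

// Highest version a dependency update could resolve to for `range`,
// given the versions that exist on the registry (null if none match).
function highestAllowed(range, published) {
  const ok = published.filter(v => satisfies(v, range));
  ok.sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed sample registry contents (hypothetical, not real release data).
const PUBLISHED = ['5.3.0', '5.3.1', '5.3.4', '5.4.0', '6.0.0', '6.1.2', '7.0.0'];

// Same floor, three declaration styles: only the ranges can reach a newer patch.
function demo() {
  return {
    pinned: highestAllowed('5.3.0', PUBLISHED),
    tilde: highestAllowed('~5.3.0', PUBLISHED),
    caret: highestAllowed('^5.3.0', PUBLISHED),
  };
}

console.log(demo());
```

With an exact pin the resolver can only ever return the pinned version, so a downstream fix is unreachable until the dependent republishes; with ~ the newest same-minor patch release is accepted, and with ^ the newest same-major release. Checking the lockfile's resolved version against the declared range in this way tells you whether a local update can reach a fixed release at all.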
I understand that, but we are forced to use 3.x.x & 4.x.x versions of webpack-dev-middleware due to certain limitations.
You have provided a patch for 5.x.x, 6.x.x & 7.x.x versions. So my request was to provide patch for 3.x.x & 4.x.x versions. Thanks
They are outdated; anyway, I can accept your PR to patch them.
To quote from the linked GHSA entry:
If the development server is listening on a public IP address (or 0.0.0.0), an attacker on the local network can access the local files without any interaction from the victim (direct connection to the port).
If
- your OS exposes all ports to the outside
- AND your router allows accessing devices from the outside via any port (port forwarding)
then you have basically two dangerous and not recommended misconfigurations, which pose even higher risks.