npm audit security warning

[rosko]

• Operating System: All
• Node Version: Any
• NPM Version: Any
• webpack Version:
• webpack-dev-server Version: <=3.1.14

• This is a bug
• This is a modification request

https://www.npmjs.com/advisories/725

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Missing Origin Validation                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-dev-server [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/725                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

[maddev0]

I have the same issue. I have tried: npm audit fix, manual update of webpack-dev-server to version 3.1.14, removal of node_modules and package-lock.json. Nothing of this helps.

With webpack-dev-server version 3.1.10 initially installed npm audit fix says

+ webpack-dev-server@3.1.14
updated 1 package in 3.517s
fixed 1 of 1 vulnerability...

But then npm audit still reports about 1 high severity vulnerability:

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Missing Origin Validation                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-dev-server [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/725                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 9001 scanned packages
  1 vulnerability requires manual review. See the full report for details.

[SharakPL]

It's probably caused by #1604

[O-J1]

Still getting this issue despite the fact that I am on v3.1.14. Reinstalling does nothing

[pauldraper]

The npmjs advisory is currently inconsistent and there is no 3.1.x patch that npm audit will allow.

https://npm.community/t/advisory-725-inconsistently-marks-affected-versions/4333

[manishaggarwalm]

Not working with webpack-dev-server@3.1.14

[skreborn]

@antimodern Don't worry, you're not being hacked. As you can see, it's trying to access a local address - most likely your own computer. The reason it fails to do so is because you've disconnected from the network, and your computer lost its IP address.

[charlesfaustin]

I'm getting the same issue, updating to 3.1.14 doesnt solve the issue, npm audit still returns the vulnerability after updating

[Diaan]

there seems to be a typo in the vulnerability database: https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4

[manishaggarwalm]

there seems to be a typo in the vulnerability database: https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4

You saved my rest of the day

[charlesfaustin]

there seems to be a typo in the vulnerability database: https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4

how can we get this typo fixed? some builds require npm audit returning a clean bill of health

[Diaan]

how can we get this typo fixed? some builds require npm audit returning a clean bill of health

Not sure, but the link in my previous post is a bug-report at NPM, so maybe voting on it will help it getting resolved faster.

[charlesfaustin]

how can we get this typo fixed? some builds require npm audit returning a clean bill of health

Not sure, but the link in my previous post is a bug-report at NPM, so maybe voting on it will help it getting resolved faster.

done, thanks