CVE-2018-14732 webpack-dev-server #460
The maintainer just released
Thanks @rschultheis for letting us know. I appreciate you jumping on the repo and sharing and PRing this.
webpack-dev-server 3.1.10 has a security vulnerability[1] that was fixed on 3.1.11. That version is retrocompatible, so this patch simply bumps the dependency. [1] nodejs/security-wg#460
👋
I've been looking at this CVE-2018-14732, and also the corresponding NPM Advisory: https://www.npmjs.com/advisories/725
It seems like this should be added into this repo? I'd be happy to submit a PR if y'all agree. Not sure I understand all the policies of this repo; is it ideally supposed to contain all the public NPM CVEs?
Also, there is a problem with the CVE data and the advisory in NPM too. This comment outlines the problem. The CVE/NPM advisory claim this is fixed in webpack-dev-server 3.1.6, but it is not. The fix is in an un-merged branch. All that is needed for a fix is a PR and a release, but it is not clear if the maintainers are going to do that. I'm looking for any help to either get the CVE corrected and/or get a patch released.
webpack-dev-server is widely used, though in a development context. The exploitability of this is not clear to me. Can someone back up the maintainers' claim that the exploitability of this is low? Much thanks 🙇