Security vulnerability with VuePress 1.8.2

[frudolph77]

• I confirm that this is an issue rather than a question.

Bug report

Steps to reproduce

$ npx create-vuepress-site
$ cd docs
$ npm install
...

found 12 vulnerabilities (7 moderate, 5 high)
  run `npm audit fix` to fix them, or `npm audit` for details

$ npm audit
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > webpackbar > wrap-ansi >         │
│               │ string-width > strip-ansi > ansi-regex                       │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > webpack-dev-server > yargs >     │
│               │ cliui > string-width > strip-ansi > ansi-regex               │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > webpack-dev-server > yargs >     │
│               │ cliui > wrap-ansi > string-width > strip-ansi > ansi-regex   │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > webpack-dev-server > yargs >     │
│               │ cliui > strip-ansi > ansi-regex                              │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > webpackbar > wrap-ansi >         │
│               │ strip-ansi > ansi-regex                                      │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > webpack-dev-server > yargs >     │
│               │ cliui > wrap-ansi > strip-ansi > ansi-regex                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Inefficient Regular Expression Complexity in nth-check       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ nth-check                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core >                                  │
│               │ optimize-css-assets-webpack-plugin > cssnano >               │
│               │ cssnano-preset-default > postcss-svgo > svgo > css-select >  │
│               │ nth-check                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-rp65-9cf3-cjxr            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > chokidar > glob-parent           │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > webpack-dev-server > chokidar >  │
│               │ glob-parent                                                  │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > @vuepress/shared-utils > globby  │
│               │ > fast-glob > glob-parent                                    │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > @vuepress/markdown >             │
│               │ @vuepress/shared-utils > globby > fast-glob > glob-parent    │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > @vuepress/markdown-loader >      │
│               │ @vuepress/markdown > @vuepress/shared-utils > globby >       │
│               │ fast-glob > glob-parent                                      │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-ww39-953v-wcq6            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 12 vulnerabilities (7 moderate, 5 high) in 1232 scanned packages
  12 vulnerabilities require manual review. See the full report for details.

What is expected?

Zero security vulnerability

What is actually happening?

Twelve security vulnerability

Other relevant information

• Output of npx vuepress info in my VuePress project:

Environment Info:

  System:
    OS: Linux 5.4 Ubuntu 18.04.6 LTS (Bionic Beaver)
    CPU: (8) x64 Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz
  Binaries:
    Node: 14.16.0 - ~/.nvm/versions/node/v14.16.0/bin/node
    Yarn: 1.22.5 - /usr/bin/yarn
    npm: 6.14.11 - ~/.nvm/versions/node/v14.16.0/bin/npm
  Browsers:
    Chrome: 95.0.4638.69
    Firefox: 94.0
  npmPackages:
    @vuepress/core:  1.8.2 
    @vuepress/theme-default:  1.8.2 
    vuepress: ^1.5.3 => 1.8.2 
  npmGlobalPackages:
    vuepress: Not Found

If have deep dived into the modules

• Regarding chalk

VuePress@0.0.1 /home/.../VuePress/docs
└─┬ vuepress@1.8.2
  ├─┬ @vuepress/core@1.8.2
  │ ├─┬ vue-server-renderer@2.6.14
  │ │ └─┬ chalk@1.1.3
  │ │   └─┬ has-ansi@2.0.0
  │ │     └── ansi-regex@2.1.1  deduped
  │ ├─┬ webpack-dev-server@3.11.3
  │ │ ├─┬ strip-ansi@3.0.1
  │ │ │ └── ansi-regex@2.1.1 
  │ │ └─┬ yargs@13.3.2
  │ │   ├─┬ cliui@5.0.0
  │ │   │ └─┬ strip-ansi@5.2.0
  │ │   │   └── ansi-regex@4.1.0 
  │ │   └─┬ string-width@3.1.0
  │ │     └─┬ strip-ansi@5.2.0
  │ │       └── ansi-regex@4.1.0 
  │ └─┬ webpackbar@3.2.0
  │   └─┬ wrap-ansi@5.1.0
  │     └─┬ strip-ansi@5.2.0
  │       └── ansi-regex@4.1.0 
  └─┬ update-notifier@4.1.3
    └─┬ boxen@4.2.0
      ├─┬ ansi-align@3.0.1
      │ └─┬ string-width@4.2.3
      │   └─┬ strip-ansi@6.0.1
      │     └── ansi-regex@5.0.1 
      ├─┬ string-width@4.2.3
      │ └─┬ strip-ansi@6.0.1
      │   └── ansi-regex@5.0.1 
      └─┬ widest-line@3.1.0
        └─┬ string-width@4.2.3
          └─┬ strip-ansi@6.0.1
            └── ansi-regex@5.0.1 

Newest Version of chalk is 4.1.2, and has no dependency to has-ansi since at least 2.0.0
All other vulnerabilities should be fix with newer versions of webpack-dev-server and webpackbar.
All the libs denpending on ansi-regex are using a newer versions.

• Regarding glob-parent

VuePress@0.0.1 /home/.../VuePress/docs
└─┬ vuepress@1.8.2
  └─┬ @vuepress/core@1.8.2
    ├─┬ @vuepress/shared-utils@1.8.2
    │ └─┬ globby@9.2.0
    │   └─┬ fast-glob@2.2.7
    │     └── glob-parent@3.1.0  deduped
    ├─┬ chokidar@2.1.8
    │ └── glob-parent@3.1.0 
    ├─┬ copy-webpack-plugin@5.1.2
    │ └── glob-parent@3.1.0  deduped
    └─┬ webpack@4.46.0
      └─┬ watchpack@1.7.5
        └─┬ chokidar@3.5.2
          └── glob-parent@5.1.2 

Updating globby,chokidar,copy-webpack-plugin should fix it, libs denpending on glob-parent are using a newer versions.

[frudolph77]

With node v16.13.0 it's even worse:

$ npm install
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated mkdirp@0.3.0: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.

added 1248 packages, and audited 1249 packages in 27s

80 packages are looking for funding
  run `npm fund` for details

30 vulnerabilities (14 moderate, 16 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.


$ npm audit
# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/cliui/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/yargs/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/cliui/node_modules/strip-ansi
  node_modules/wrap-ansi/node_modules/strip-ansi
  node_modules/yargs/node_modules/strip-ansi
    cliui  4.0.0 - 5.0.0
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of wrap-ansi
    node_modules/cliui
      yargs  10.1.0 - 15.0.0
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of string-width
      node_modules/yargs
        webpack-dev-server  2.0.0-beta - 3.11.3
        Depends on vulnerable versions of chokidar
        Depends on vulnerable versions of yargs
        node_modules/webpack-dev-server
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/cliui/node_modules/string-width
    node_modules/wrap-ansi/node_modules/string-width
    node_modules/yargs/node_modules/string-width
      wrap-ansi  3.0.0 - 6.1.0
      Depends on vulnerable versions of string-width
      Depends on vulnerable versions of strip-ansi
      node_modules/wrap-ansi
        webpackbar  3.0.0-0 - 3.2.0
        Depends on vulnerable versions of wrap-ansi
        node_modules/webpackbar

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install vuepress@0.14.11, which is a breaking change
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    @vuepress/core  <=1.8.2
    Depends on vulnerable versions of chokidar
    node_modules/@vuepress/core
      vuepress  1.0.0-alpha.0 - 1.8.2
      Depends on vulnerable versions of @vuepress/core
      node_modules/vuepress
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 3.11.3
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of yargs
    node_modules/webpack-dev-server
  copy-webpack-plugin  5.0.1 - 5.1.2
  Depends on vulnerable versions of glob-parent
  node_modules/copy-webpack-plugin
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/globby
      @vuepress/shared-utils  *
      Depends on vulnerable versions of globby
      node_modules/@vuepress/shared-utils
        @vuepress/markdown  <=1.8.2
        Depends on vulnerable versions of @vuepress/shared-utils
        node_modules/@vuepress/markdown
          @vuepress/markdown-loader  *
          Depends on vulnerable versions of @vuepress/markdown
          node_modules/@vuepress/markdown-loader
        @vuepress/plugin-register-components  <=1.8.2
        Depends on vulnerable versions of @vuepress/shared-utils
        node_modules/@vuepress/plugin-register-components
        vuepress-plugin-container  >=2.1.5
        Depends on vulnerable versions of @vuepress/shared-utils
        node_modules/vuepress-plugin-container

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.8
            Depends on vulnerable versions of cssnano
            node_modules/optimize-css-assets-webpack-plugin

30 vulnerabilities (14 moderate, 16 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Unfortunately npm audit fix wont fix anything because of an open issue @npm/cli

[MrWook]

I needed to dig deep to get the information that i wanted so here is what i found:
There is already a open Pull request #2690 since 2020
But they are all updated in the next major release https://github.com/vuepress/vuepress-next

[bn-l]

Just FYI this repo is deprecated and will continue to accrue security and dependency deprecation issues.

From the readme:

VuePress is now in maintenance mode. For a next-gen Vue-based SSG built on top of Vue 3 + Vite, check out VitePress.

It is frustrating that a google for vuepress goes to vuepress 1.x and there is no clear mention you are on a deprecated project. Almost like putting the gun in your hand, pointing it at your foot and saying "you should be more careful!"

This is "vuepress-next": https://v2.vuepress.vuejs.org/