sgupta1979

vulnerability in npm install

bootstrap-sass  *
Severity: moderate
Bootstrap Cross-Site Scripting (XSS) vulnerability - https://github.com/advisories/GHSA-9mvj-f7w8-pvh2
No fix available
node_modules/bootstrap-sass

webpack-dev-server  <=5.2.0
Severity: moderate
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser - https://github.com/advisories/GHSA-9jgg-88mc-972h
webpack-dev-server users' source code may be stolen when they access a malicious web site - https://github.com/advisories/GHSA-4v9v-hfq4-rm2v
No fix available
node_modules/webpack-dev-server

===============================================
  laravel-mix  *
  Depends on vulnerable versions of webpack-dev-server
  node_modules/laravel-mix

3 moderate severity vulnerabilities

LaryAI

You are encountering moderate security vulnerabilities in your npm dependencies, specifically with bootstrap-sass, webpack-dev-server, and laravel-mix (which depends on webpack-dev-server). Unfortunately, according to the advisories, no direct fixes are available for these packages. Here’s how you can handle this situation:


1. bootstrap-sass

  • Status: No fix available, package is deprecated.
  • Recommendation:
    • Migrate to a maintained alternative.
      If possible, switch to Bootstrap 4+ (which uses the plain bootstrap npm package and no longer needs bootstrap-sass).
      Update your dependencies:
      npm uninstall bootstrap-sass
      npm install bootstrap
      
      Update your code to use Bootstrap 4+ syntax.

2. webpack-dev-server (<=5.2.0)

  • Status: No fix available for the reported vulnerabilities in the current version range.
  • Recommendation:
    • Upgrade to the latest version if possible.
      npm install webpack-dev-server@latest
      
      However, since laravel-mix depends on a specific version, this may not be possible.

3. laravel-mix

  • Status: Depends on vulnerable webpack-dev-server.
  • Recommendation:
    • Upgrade Laravel Mix to the latest version, which may use a patched version of webpack-dev-server.
      npm install laravel-mix@latest
      
      Then, run:
      npm audit fix
      
      If vulnerabilities persist, check the Laravel Mix GitHub issues for updates or workarounds.

4. General Advice

  • Development-only Vulnerabilities:
    Both webpack-dev-server and laravel-mix are typically used in development, not production. These vulnerabilities are less critical unless you expose your dev server to the public internet.
  • Do Not Expose Dev Server:
    Never expose your development server to the public. Always use it locally or within a secured network.
  • Monitor for Updates:
    Keep an eye on the repositories for security patches or migration guides.

5. Suppressing Warnings (if necessary)

If you cannot upgrade and understand the risks (e.g., dev-only usage), you can suppress the audit warning:

npm audit --omit=dev

or

npm audit --production

Summary Table

Package             Status       Solution
bootstrap-sass      Deprecated   Migrate to bootstrap (Bootstrap 4+)
webpack-dev-server  Vulnerable   Upgrade if possible, else restrict usage
laravel-mix         Vulnerable   Upgrade to latest, monitor for updates

In summary:

  • Migrate away from deprecated/vulnerable packages if possible.
  • Upgrade dependencies to their latest versions.
  • Limit exposure of dev tools.
  • Monitor for updates and advisories.

If you need help migrating from bootstrap-sass or upgrading laravel-mix, let me know!
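
The script below is an added example, not part of the thread above and not npm's own code. It models, on constructed data shaped like the audit output quoted in the question, the rule that npm audit --omit=dev applies when hiding findings: it walks the dependency graph from the packages listed under dependencies in package.json, and a finding survives only if the vulnerable package is reachable from there. Whether a devDependency's compiled output (Bootstrap CSS built by Laravel Mix) ends up in production is not something the flag can know. The package.json contents, the dependency-graph slice and the trimmed audit report are all constructed for the example; the advisory URLs and version range are the ones from the question.

```javascript
// Added example (not from the original thread, not npm's code): how
// `npm audit --omit=dev` decides which findings to hide. Run with: node audit-scope.js

// Constructed package.json #1: bootstrap-sass listed as a runtime dependency,
// laravel-mix (and, through it, webpack-dev-server) as build-only.
const packageJson = {
  dependencies: { "bootstrap-sass": "^3.4.3" },
  devDependencies: { "laravel-mix": "^6.0.0" },
};

// Constructed package.json #2: the usual Laravel scaffold layout, where every
// front-end package is a devDependency because assets are compiled by Mix.
const scaffoldPackageJson = {
  dependencies: {},
  devDependencies: { "bootstrap-sass": "^3.4.3", "laravel-mix": "^6.0.0" },
};

// Constructed slice of the resolved graph (what package-lock.json records):
// each key depends on the packages listed.
const dependencyGraph = {
  "laravel-mix": ["webpack-dev-server"],
  "webpack-dev-server": [],
  "bootstrap-sass": [],
};

// Constructed `npm audit --json` findings, modelled on the three advisories in
// the question (auditReportVersion 2 shape, trimmed to the fields used here).
const auditReport = {
  vulnerabilities: {
    "bootstrap-sass": {
      name: "bootstrap-sass", severity: "moderate", range: "*", fixAvailable: false,
      via: [{ url: "https://github.com/advisories/GHSA-9mvj-f7w8-pvh2" }],
    },
    "webpack-dev-server": {
      name: "webpack-dev-server", severity: "moderate", range: "<=5.2.0", fixAvailable: false,
      via: [
        { url: "https://github.com/advisories/GHSA-9jgg-88mc-972h" },
        { url: "https://github.com/advisories/GHSA-4v9v-hfq4-rm2v" },
      ],
    },
    "laravel-mix": {
      name: "laravel-mix", severity: "moderate", range: "*", fixAvailable: false,
      via: ["webpack-dev-server"], // vulnerable only through its dependency
    },
  },
};

// Every package reachable from the roots listed under `dependencies` only.
// This is the set npm keeps with --omit=dev; nothing else about the package
// (e.g. whether its compiled output ships to users) is considered.
function productionClosure(pkg, graph) {
  const seen = new Set();
  const stack = Object.keys(pkg.dependencies || {});
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    for (const dep of graph[name] || []) stack.push(dep);
  }
  return seen;
}

// Split audit findings into those that survive --omit=dev and those it hides.
function scopeFindings(report, pkg, graph) {
  const prod = productionClosure(pkg, graph);
  const kept = [], hidden = [];
  for (const v of Object.values(report.vulnerabilities)) {
    (prod.has(v.name) ? kept : hidden).push(v.name);
  }
  return { kept: kept.sort(), hidden: hidden.sort() };
}

// Advisory URLs behind a finding, following "via" chains to the package that
// actually carries the advisory (laravel-mix -> webpack-dev-server).
function advisoryUrls(report, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const urls = [];
  const entry = report.vulnerabilities[name] || {};
  for (const via of entry.via || []) {
    if (typeof via === "string") urls.push(...advisoryUrls(report, via, seen));
    else urls.push(via.url);
  }
  return urls;
}

for (const [label, pkg] of [["runtime bootstrap-sass", packageJson], ["scaffold layout", scaffoldPackageJson]]) {
  const { kept, hidden } = scopeFindings(auditReport, pkg, dependencyGraph);
  console.log(`${label}: still reported with --omit=dev:`, kept);
  console.log(`${label}: hidden by --omit=dev:`, hidden);
  for (const name of hidden) console.log(`  ${name}:`, advisoryUrls(auditReport, name));
}
```

With the first package.json the Bootstrap XSS finding still shows under --omit=dev; with the scaffold layout, where bootstrap-sass is also a devDependency, all three findings disappear even though the compiled Bootstrap assets are served to browsers. Read --omit=dev as "not installed in production", not as "not shipped to users". If laravel-mix keeps resolving webpack-dev-server inside the <=5.2.0 range reported above, npm's overrides field in package.json can force a later version, at the cost of running laravel-mix against a version it was not tested with.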

martinbean

@sgupta1979 The bootstrap-sass package hasn’t been used for years. The default bootstrap package includes the Sass sources.
