npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

Advisory #725 inconsistently marks affected versions

Advisory #725 states that remediation is upgrading to 3.1.6.

npm audit output states that it is patched in >=3.1.11

And the advisory versions list all versions, including the latest 3.1.14, as affected. npm audit fails 3.1.14 as well.

This is a haphazard way to report security vulns.

It says the same for me:

=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit for additional guidance

High           Missing Origin Validation
Package        webpack-dev-server
Patched in     >=3.1.11
Dependency of  webpack-dev-server [dev]
Path           webpack-dev-server
More info

found 1 high severity vulnerability in 60688 scanned packages

Any update?
Our vulnerability-check pipelines are red because of this issue.

See here

This appears to be a typo in the npm vulnerability database. Someone has typed "vulnerable_versions":"<=3.110" (rather than <=3.1.10) which is marking all versions as vulnerable. Needs to be fixed upstream by the npm audit team.

Output of yarn audit --json:

{
  "type": "auditAdvisory",
  "data": {
    "resolution": {
      "id": 725,
      "path": "webpack-dev-server",
      "dev": false,
      "optional": false,
      "bundled": false
    },
    "advisory": {
      "findings": [
        {
          "version": "3.1.14",
          "paths": ["webpack-dev-server"],
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ],
      "id": 725,
      "created": "2018-11-07T17:10:22.191Z",
      "updated": "2018-12-31T18:58:12.106Z",
      "deleted": null,
      "title": "Missing Origin Validation",
      "found_by": {"link": "", "name": "Jiantao Li"},
      "reported_by": {"link": "", "name": "Jiantao Li"},
      "module_name": "webpack-dev-server",
      "cves": ["CVE-2018-14732"],
      "vulnerable_versions": "<=3.110",
      "patched_versions": ">=3.1.11",
      "overview": "Versions of `webpack-dev-server` before 3.1.6 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.",
      "recommendation": "Update to version 3.1.6 or later.",
      "references": "- [Sniffing Codes in Hot Module Reloading Messages\n](\n- [GitHub commit](",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-346",
      "metadata": {"module_type": "", "exploitability": 5, "affected_components": ""},
      "url": ""
    }
  }
}
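To make the typo diagnosis above concrete, here is an added example (not code from this thread, and not npm's or yarn's own audit implementation) that reproduces the semver behaviour behind it and lints the advisory fields for the contradictions the thread points out. The range matcher is a deliberately small subset of node-semver (plain comparators, whitespace for AND, "||" for OR); the advisory objects are constructed from the range and recommendation strings quoted in the yarn output, the "corrected" advisory is an assumed consistent rewrite rather than what npm eventually published, and the release list is a hand-picked set of webpack-dev-server version numbers, not a full release history.

```javascript
// Added example, not code from the thread or from npm/yarn audit itself.
// A minimal comparator-range matcher (a deliberate subset of node-semver:
// only <, <=, >, >=, = comparators, AND by whitespace, OR by "||") plus an
// advisory consistency lint. It shows why "<=3.110" matches every release
// of webpack-dev-server and flags the contradictions visible in advisory 725.

function parseVersion(v) {
  const parts = v.trim().split('.').map(Number);
  if (parts.length < 1 || parts.length > 3 ||
      parts.some(n => !Number.isInteger(n) || n < 0)) {
    throw new Error(`bad version: ${v}`);
  }
  // Missing components default to 0, the same coercion node-semver applies:
  // the typo "3.110" becomes 3.110.0, far above any real 3.1.x release.
  while (parts.length < 3) parts.push(0);
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const OPS = {
  '<': c => c < 0,
  '<=': c => c <= 0,
  '>': c => c > 0,
  '>=': c => c >= 0,
  '=': c => c === 0,
};

// True when `version` is inside `range`, e.g. "<=3.1.10", ">=3.1.11", "<1.0.0 || >=2.0.0".
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some(set =>
    set.trim().split(/\s+/).filter(Boolean).every(comparator => {
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(comparator);
      return OPS[m[1] || '='](compareVersions(v, parseVersion(m[2])));
    })
  );
}

// Lint an advisory against a list of published release versions.
// Reports (1) an "Update to version X" recommendation whose X is not itself
// inside patched_versions, and (2) releases that fall in BOTH vulnerable_versions
// and patched_versions, which is exactly what makes audit fail the latest release.
function lintAdvisory(adv, releases) {
  const problems = [];
  const rec = /Update to version (\d+(?:\.\d+){0,2})/.exec(adv.recommendation || '');
  if (rec && !satisfies(rec[1], adv.patched_versions)) {
    problems.push(`recommendation names ${rec[1]} but patched_versions is "${adv.patched_versions}"`);
  }
  const overlap = releases.filter(r =>
    satisfies(r, adv.vulnerable_versions) && satisfies(r, adv.patched_versions));
  if (overlap.length > 0) {
    problems.push(`both vulnerable and patched: ${overlap.join(', ')}`);
  }
  return problems;
}

// Constructed inputs: the range and recommendation strings quoted from the
// yarn audit output, and a hand-picked list of webpack-dev-server release
// numbers (not a full release history) that is enough to show the overlap.
const RELEASES = ['3.1.5', '3.1.6', '3.1.10', '3.1.11', '3.1.14'];

const ADVISORY_725_AS_PUBLISHED = {
  id: 725,
  vulnerable_versions: '<=3.110',   // the typo
  patched_versions: '>=3.1.11',
  recommendation: 'Update to version 3.1.6 or later.',
};

// An assumed consistent rewrite of the same advisory, not the text npm published.
const ADVISORY_725_CORRECTED = {
  id: 725,
  vulnerable_versions: '<=3.1.10',
  patched_versions: '>=3.1.11',
  recommendation: 'Update to version 3.1.11 or later.',
};

console.log('3.1.14 in "<=3.110":', satisfies('3.1.14', '<=3.110'));   // true
console.log('3.1.14 in "<=3.1.10":', satisfies('3.1.14', '<=3.1.10')); // false
console.log(lintAdvisory(ADVISORY_725_AS_PUBLISHED, RELEASES));        // 2 problems
console.log(lintAdvisory(ADVISORY_725_CORRECTED, RELEASES));           // []
```

Running it shows that 3.1.14 sits inside "<=3.110" (parsed as 3.110.0) while being outside "<=3.1.10", and that the published advisory both recommends a version (3.1.6) that its own patched range rejects and declares 3.1.11 and 3.1.14 vulnerable and patched at the same time. A check of this shape, run over an advisory feed before it reaches a CI gate, catches a bad range before it turns every pipeline red.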

Just to share the news in this thread too: it looks like the typo issue has now been resolved: Npm audit sweems to get semver wrong?

Indeed; it appears to be fixed. Npm audit sweems to get semver wrong?

9h response time for “bug”.
24hr+ response time for “support”.

Good to know.

This is expected, quoting the category description:

Got it. #bugs is for npm support. #support is for npm community.

Well, #bugs is for actual, actionable, well-described bugs; #support is for questions that the community can answer for you :slight_smile: If you want more support from npm itself, is available and reaches our support department, which doesn’t currently participate in