Update dependency for ws package #17361

Korulag · 2024-07-09T16:32:59Z

What happened?

There is a security issue in ws package that is already fixed, but requires newer version of the package. However, quasar/app-webpack has strict dependency to now vulnerable version, which results the following error when trying to create an update PR via dependabot in GitHub:


@quasar/[email protected] requires ws@^7.3.1 via [email protected]
No patched version available for ws
The earliest fixed version is 8.17.1.

What did you expect to happen?

quasar/app-webpack should have updated ws as a dependency instead of vulnerable version

Reproduction URL

https://github.com/AlmaLinux/albs-frontend/security/dependabot/58

How to reproduce?

Package should have dependency to quasar/app-webpack in its dependencies;
Try to fix security issue via GitHub dependabot

Flavour

Quasar CLI with Webpack (@quasar/cli | @quasar/app-webpack)

Areas

Quasar CLI Commands/Configuration (@quasar/cli | @quasar/app-webpack | @quasar/app-vite)

Platforms/Browsers

No response

Quasar info output

$ node_modules/.bin/quasar info

Operating System - Linux(6.9.7-100.fc39.x86_64) - linux/x64
NodeJs - 16.20.2

Global packages
  NPM - 8.19.4
  yarn - Not installed
  @quasar/cli - undefined
  @quasar/icongenie - Not installed
  cordova - Not installed

Important local packages
  quasar - 2.15.4 -- Build high-performance VueJS user interfaces (SPA, PWA, SSR, Mobile and Desktop) in record time
  @quasar/app-webpack - 3.12.8 -- Quasar Framework App CLI with Webpack
  @quasar/extras - 1.16.11 -- Quasar Framework fonts, icons and animations
  eslint-plugin-quasar - Not installed
  vue - 3.4.21 -- The progressive JavaScript framework for building modern web UI.
  vue-router - 4.3.0
  pinia - Not installed
  vuex - 4.1.0 -- state management for Vue.js
  electron - Not installed
  electron-packager - Not installed
  @electron/packager - Not installed
  electron-builder - Not installed
  @babel/core - 7.22.9 -- Babel compiler core.
  webpack - 5.91.0 -- Packs ECMAScript/CommonJs/AMD modules for the browser. Allows you to split your codebase into multiple bundles, which can be loaded on demand. Supports loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
  webpack-dev-server - Not installed
  workbox-webpack-plugin - Not installed
  register-service-worker - 1.7.2 -- Script for registering service worker, with hooks
  typescript - 4.5.5 -- TypeScript is a language for application scale JavaScript development
  @capacitor/core - Not installed
  @capacitor/cli - Not installed
  @capacitor/android - Not installed
  @capacitor/ios - Not installed

Quasar App Extensions
  *None installed*

Relevant log output

No response

Additional context

No response

The text was updated successfully, but these errors were encountered:

Korulag added kind/bug 🐞 Qv2 🔝 Quasar v2 issues labels Jul 9, 2024

github-actions bot added area/cli bug/1-hard-to-reproduce A reproduction is available, but it's hard to reproduce, so it has a lower priority. bug/1-repro-available A reproduction is available and needs to be confirmed. flavour/quasar-cli-webpack labels Jul 9, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency for ws package #17361

Update dependency for ws package #17361

Korulag commented Jul 9, 2024 •

edited by yusufkandemir

Loading

Update dependency for ws package #17361

Update dependency for ws package #17361

Comments

Korulag commented Jul 9, 2024 • edited by yusufkandemir Loading

What happened?

What did you expect to happen?

Reproduction URL

How to reproduce?

Flavour

Areas

Platforms/Browsers

Quasar info output

Relevant log output

Additional context

Korulag commented Jul 9, 2024 •

edited by yusufkandemir

Loading