webpack-dev-server: Missing Origin Validation during npm install
- Operating System: Windows 10
- Node Version: v11.1.0
- NPM Version: 6.4.1
- webpack Version: 3.12.0
- webpack-dev-server Version: 3.1.10
- This is a bug
- This is a modification request
Code
N/A
Expected Behavior
npm install finishes without error
Actual Behavior
npm WARN deprecated browserslist@2.11.3: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
npm WARN deprecated browserslist@1.7.7: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
> node-sass@4.10.0 install C:\xampp\htdocs\laravue\node_modules\node-sass
> node scripts/install.js
Cached binary found at C:\Users\User\AppData\Roaming\npm-cache\node-sass\4.10.0\win32-x64-67_binding.node
> uglifyjs-webpack-plugin@0.4.6 postinstall C:\xampp\htdocs\laravue\node_modules\webpack\node_modules\uglifyjs-webpack-plugin
> node lib/post_install.js
> node-sass@4.10.0 postinstall C:\xampp\htdocs\laravue\node_modules\node-sass
> node scripts/build.js
Binary found at C:\xampp\htdocs\laravue\node_modules\node-sass\vendor\win32-x64-67\binding.node
Testing binary
Binary is fine
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN img-loader@3.0.1 requires a peer of imagemin@^5.0.0 || ^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN ajv-keywords@3.2.0 requires a peer of ajv@^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
added 1189 packages from 698 contributors and audited 11710 packages in 196.717s
found 1 high severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
For Bugs; How can we reproduce the behavior?
On Windows environment, launch cmd and run the following commands ::
composer create-project --prefer-dist laravel/laravel laravel
And then run
npm install
For Features; What is the motivation and/or use-case for the feature?
About this issue
- Original URL
- State: closed
- Created 6 years ago
- Reactions: 5
- Comments: 47 (2 by maintainers)
I’m getting this directly when just installing webpack-dev-server. I create a new folder, run
npm initthennpm install webpack-dev-server --saveand i get:when i run
npm auditWhat’s interesting is that the link
https://nodesecurity.io/advisories/725informs me that this is regarding version 3.1.6 and earlier, but the latest i 3.1.14 right? is NPM maybe interpreting3.1.1*as lower that3.1.6?npm install laravel-mix@betafixes the problemSame here.
I’m also getting the same issues. Althought I was update
webpack-dev-server@3.1.14. But I can’t runnpm run dev.TypeError: Cannot destructure propertycompileof 'undefined' or 'null'.This was due to a typo in the vulnerability database apparently: https://npm.community/t/advisory-725-inconsistently-marks-affected-versions/4333/3
Seeing the same. This issue hasn’t been fixed yet.
Any chance the security fix will get backported to
webpack-dev-server@2.x.x? We’re still onreact-scripts@1.x.xyet which relies on this version range. Thanks for your consideration.If you run ‘npm install’ on Node v8.12.0, the following error appears. (npm v6.4.1)
‘npm install’ on Node v6.14.4 does not output an error. (npm v3.10.10)
Issue still persist. Using fresh copy of create-react-app on Mac OS High sierra
As am I, latest CRA is using
webpack-dev-server@3.1.9so I notified them in the existing issue that was opened https://github.com/facebook/create-react-app/issues/5777#issuecomment-450684848I can confirm. I’m using create-react-app.