author | Gunnar Mills <gmills@us.ibm.com> | 2019-01-08 15:14:11 -0600 |
---|---|---|
committer | Gunnar Mills <gmills@us.ibm.com> | 2019-01-08 15:42:25 -0600 |
commit | 295132260f9cea7fbf84595c0e9884048ad66e34 (patch) | |
tree | ea8cf0c8c7ae39e6539960270dbdfb4a86e13a37 /package.json | |
parent | 0a2cbd67103a4750e9262802d138fd64e4c265d2 (diff) | |
Address webpack-dev-server security vulnerability

Although we only use webpack-dev-server for development and
this isn't a security vulnerability for us, still going to fix.

From GitHub:
"We found a potential security vulnerability in one of your
dependencies.
Remediation
Upgrade webpack-dev-server to version 3.1.11 or later."

"An issue was discovered in lib/Server.js in webpack-dev-server
before 3.1.11. Attackers are able to steal developer's code because
the origin of requests is not checked by the WebSocket server,
which is used for HMR (Hot Module Replacement). Anyone can receive
the HMR message sent by the WebSocket server via a
ws://127.0.0.1:8080/ connection from any origin."

More information can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2018-14732

Edited webpack-dev-server in package.json to be 3.1.11 then
did a npm install to create the package-lock.json.

Tested: Launched the dev server and pointed it at a Witherspoon.

Change-Id: Id6615ce387db8c6e1d2b64ff1e059db9167e11d0
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
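
The kind of Origin check whose absence the quoted advisory describes, as an added example that is not part of this commit and not webpack-dev-server's own code. The allowlist, the function names and the sample handshake headers are constructed for illustration.

```javascript
// Hosts the developer actually loads the dev UI from (assumed allowlist).
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Decide whether a WebSocket upgrade request may proceed.
// `headers` is a Node-style, lower-cased header object (req.headers).
function checkUpgradeOrigin(headers, allowedHosts = ALLOWED_HOSTS) {
  const origin = headers.origin;
  // Browsers always send Origin on a WebSocket handshake, so rejecting a
  // missing header costs legitimate browser clients nothing.
  if (origin === undefined || origin === '') {
    return { ok: false, reason: 'missing-origin' };
  }
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    // Covers the opaque "null" origin (sandboxed frames) and malformed values.
    return { ok: false, reason: 'unparseable-origin' };
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return { ok: false, reason: 'bad-scheme' };
  }
  // Exact hostname match only: a prefix or substring test would accept
  // names such as localhost.example.test.
  if (!allowedHosts.has(parsed.hostname)) {
    return { ok: false, reason: 'foreign-origin' };
  }
  return { ok: true, reason: 'allowed' };
}

// Constructed handshake headers for a dev server on 127.0.0.1:8080.
const SAMPLE_HANDSHAKES = [
  { host: '127.0.0.1:8080', origin: 'http://127.0.0.1:8080' },
  { host: '127.0.0.1:8080', origin: 'http://localhost:8080' },
  { host: '127.0.0.1:8080', origin: 'https://other-site.example' },
  { host: '127.0.0.1:8080', origin: 'http://localhost.example.test' },
  { host: '127.0.0.1:8080', origin: 'null' },
  { host: '127.0.0.1:8080' },
];

// Returns one reason string per sample, in order.
function classifySamples(samples = SAMPLE_HANDSHAKES) {
  return samples.map((h) => checkUpgradeOrigin(h).reason);
}

console.log(classifySamples());
```
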
Diffstat (limited to 'package.json')
-rw-r--r-- | package.json | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/package.json b/package.json index c4ed8e5..acc9b39 100644 --- a/package.json +++ b/package.json @@ -73,7 +73,7 @@ "uglifyjs-webpack-plugin": "^1.3.0", "webpack": "^4.17.2", "webpack-cli": "^3.1.0", - "webpack-dev-server": "^3.1.7" + "webpack-dev-server": "^3.1.11" }, "license": "MIT", "engines": { |
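
Review bot: On the `+ "webpack-dev-server": "^3.1.11"` line, the caret range only raises the minimum; the old range `^3.1.7` already permitted 3.1.11, so the version actually installed is decided by package-lock.json, which this view (limited to package.json) does not show. Please confirm that the regenerated lock file resolves webpack-dev-server to 3.1.11 or later, for example with `npm ls webpack-dev-server`, so that an install from the lock file picks up the fixed release.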