webpack-dev-server vulnerability

[szysza]

Hello,

As the first thing I want to say thank you for doing such a great job with webpacker!

2 days ago we've got the following vulnerability notification https://nvd.nist.gov/vuln/detail/CVE-2018-14732. To actually fix it we need to update the version of webpack-dev-server to at least 3.1.11. I've tried to update it to that version, but it's currently not possible due to the following error when starting the dev server:

module.js:549
    throw err;
    ^

Error: Cannot find module 'webpack'
    at Function.Module._resolveFilename (module.js:547:15)
    at Function.Module._load (module.js:474:25)
    at Module.require (module.js:596:17)
    at require (internal/module.js:11:18)
    at Object.<anonymous> (/node_modules/webpack-dev-server/bin/webpack-dev-server.js:26:17)
    at Module._compile (module.js:652:30)
    at Object.Module._extensions..js (module.js:663:10)
    at Module.load (module.js:565:32)
    at tryModuleLoad (module.js:505:12)
    at Function.Module._load (module.js:497:3)

We use the dev server only locally, so it's not a big problem for us. Never the less it would be great to fix the issue.

[stefanvermaas]

I think this can only be fixed by upgrading to the latest (4.0.x) version of Webpacker (which is still in beta), because the suggested fix (upgrade webpack-dev-server to ^3.1.11) is not possible because webpack-dev-server depends on webpack > 4.0.

Might be useful to ask the webpack team to also release a 2.x.x fix.

PS: The first part of the fix would be to add webpack-cli to your package.json.

[szysza]

@stefanvermaas Thanks for the response. Yes, I've tried to use the release candidate version, but since it's a rc it's not stable. I suppose that it's highly unlikely that the webpack team will release another fix for the 2.x.x, because it might be possible that the problem isn't that easy to fix in the old version of webpack.

I thing that the most reasonable thing to do is to wait, but at the same time wanted to make sure that the issue is known.

[stefanvermaas]

I agree. Getting Webpacker ready for version 4.0 is the only actual thing that would fix the problem.

I see that the Webpack team already answered the question; they won't make a patch for 2.x.x because 2.x.x is deprecated. webpack/webpack-dev-server#1603 (comment)

[ale7714]

@stefanvermaas is there an ETA for when 4.0 would be release? thank you!

[Yanchek99]

Any timeframe on when this will be patched? Vulnerability was published 09/21/2018, it seems unacceptable to leave a security hole around for this long?

[turgs]

I agree, it needs to be patch, bit isn't the risk profile super low?

The vulnerability is in the webpack-dev-server isn't it... so it's only a risk in Dev environments, not Production?

[stefanvermaas]

@ale7714 I'm not sure. Maybe @gauravtiwari can shine some light on this? He's working very hard on making 4.0 possible. There is already an third release candidate; https://www.npmjs.com/package/@rails/webpacker/v/4.0.0-rc.3

@Yanchek99: A patch is not possible, because webpack-dev-server won't bring out a patch for version 2.x.x on which @rails/webpacker 3.x.x depends on. Only way to fix this is to use the last release candidate.

[Yanchek99]

@stefanvermaas Understood, thanks for the reply. Wish Github would disregard this vulnerability, the warning there makes it seem more severe than it is.

[louim]

@Yanchek99 you can dismiss specific vulnerabilities in your project by going to that specific vulnerability and choosing a reason for the dismissal:

[jrochkind]

I see that the Webpack team already answered the question; they won't make a patch for 2.x.x because 2.x.x is deprecated. webpack/webpack-dev-server#1603 (comment)

Note that the latest non-beta release of Rails, 5.2.2, will currently create a package.json with:

"devDependencies": {
  "webpack-dev-server": "2.11.2"
}

When asked to initialize a new app with rails new appname --webpack.

So Rails is installing a deprecated version? This seems odd. It also seems odd to me that it's creating a package.json with a hard-coded locked "2.11.2", rather than "~2.11.2" or "^2.11.2", so no upgrades with yarn upgrade are possible without a manual edit of package.json.

What I understand from this ticket is not only is the current release of Rails creating app skeletons with rails new that use a version of webpack-dev-server with a CVE -- but there is in fact no supported way to manually use any version of webpack-dev-server that doesn't have a CVE with rails either?

This seems to me like an urgent matter, no? Should Rails stop installing or recommending the use of webpack-dev-server at all until there is a way to use a version that does not have a CVE? I do not expect "omakase" to mean serving me a poisoned meal!

[guillaumebriday]

Can this issue be closed ?

[szysza]

@guillaumebriday according to nixsolutions/thank-you#35 it can be closed. Thanks.