Tags: vue.js, security, npm, vue-cli

how to fix vue-cli-service vulnerability?


I just tried creating a new project with @vue/cli 4.3.1, fresh install of Ubuntu 19.10, npm 6.14.4. When I cd into the project and run npm install, I get the following:

found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Running npm audit fix produces

fixed 0 of 1 vulnerability in 1285 scanned packages
  1 vulnerability required manual review and could not be updated

Upon running npm audit, I get

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ http-proxy                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-service > webpack-dev-server >                      │
│               │ http-proxy-middleware > http-proxy                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1486                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Is this expected? Normal? Possible to fix? It worries me that this happens with such a clean environment where nothing malicious was installed, but then I'm also not an npm expert... What should I do here?


Solution

  • I was setting up a new Vue project and got the same issue. I was able to find a post on Github Vue/Vue-cli where they address the issue:

    https://github.com/vuejs/vue-cli/issues/5489#issuecomment-629326414

    That post says they are tracking the issue, but as a note:

    Note: as it's only used for the local development server, it's not an actual security vulnerability on Vue CLI projects. Feel free to ignore it if @vue/cli-service is the only source of this dependency in your project.

    So, I have gone ahead and ignored it for the time being. I hope that when they update the NPM package, it will use an updated http-proxy, which addresses the issue.

    According to the tracker itself, it says it is fixed in http-proxy version 1.18.1.
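The maintainers' note above makes the decision hinge on one fact: whether @vue/cli-service is the only route by which http-proxy enters the project, and therefore whether the package is confined to the local dev server. The script below is an added example, not code from the question, the answer or the vue-cli project. It walks the JSON tree that `npm ls --json` prints, lists every dependency chain that ends in http-proxy, marks whether each chain starts at a devDependency, and compares the installed version against 1.18.1, the version the answer cites as fixed. The tree, the package.json fragment and the http-proxy version 1.18.0 are constructed sample data standing in for real project output.

```javascript
// Added example (not from the question or the vue-cli issue): classify every
// chain to a flagged package using `npm ls --json` output and package.json.

const TARGET = 'http-proxy';
const FIXED_IN = '1.18.1'; // version the answer cites as carrying the fix

// Constructed sample of `npm ls --json` output, trimmed to the relevant chain.
// Real output carries more fields (resolved, from, ...), which are ignored here.
const sampleTree = {
  name: 'my-vue-app',
  version: '0.1.0',
  dependencies: {
    '@vue/cli-service': {
      version: '4.3.1',
      dependencies: {
        'webpack-dev-server': {
          version: '3.10.3',
          dependencies: {
            'http-proxy-middleware': {
              version: '0.19.1',
              dependencies: {
                'http-proxy': { version: '1.18.0' }, // constructed, pre-fix version
              },
            },
          },
        },
      },
    },
    vue: { version: '2.6.11' },
  },
};

// Constructed package.json fragment: the chain root is a devDependency.
const samplePackageJson = {
  dependencies: { vue: '^2.6.11' },
  devDependencies: { '@vue/cli-service': '~4.3.0' },
};

// Compare two dotted numeric versions; negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk collecting every chain root > ... > target, with the installed version.
function findChains(tree, target, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const next = [...path, name];
    if (name === target) out.push({ path: next, version: node.version });
    findChains(node, target, next, out);
  }
  return out;
}

// For each chain: is its top-level root a devDependency, and is the version at or past the fix?
function auditTarget(tree, pkgJson, target = TARGET, fixedIn = FIXED_IN) {
  const devRoots = new Set(Object.keys(pkgJson.devDependencies || {}));
  return findChains(tree, target).map(c => ({
    chain: c.path.join(' > '),
    version: c.version,
    devOnly: devRoots.has(c.path[0]),
    patched: compareVersions(c.version, fixedIn) >= 0,
  }));
}

// True when the package is present and every chain to it starts at a devDependency,
// i.e. the condition under which the maintainers' note applies.
function onlyDevSources(results) {
  return results.length > 0 && results.every(r => r.devOnly);
}

const results = auditTarget(sampleTree, samplePackageJson);
for (const r of results) {
  console.log(`${r.chain}@${r.version} dev-only=${r.devOnly} patched=${r.patched}`);
}
console.log(onlyDevSources(results) ? 'all sources are dev-only' : 'a production path exists');
```

To run it against a real project, replace `sampleTree` with `JSON.parse` of `npm ls http-proxy --json` and `samplePackageJson` with the project's package.json. A chain whose root is a regular dependency, or a version below 1.18.1 on a chain that is not dev-only, is the case where the note does not apply and the finding needs real remediation.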