
fix(deps): update dependency vue to v3 [security] #370

Open: wants to merge 1 commit into base: master
Conversation

renovate[bot]
@renovate renovate bot commented Oct 25, 2024

This PR contains the following updates:

Package: vue (source)
Change: 2.7.16 -> 3.0.0

GitHub Vulnerability Alerts

CVE-2024-9506

The ReDoS can be exploited through the parseHTML function in the html-parser.ts file. This flaw allows attackers to slow down the application by providing specially crafted input that causes inefficient processing of regular expressions, leading to excessive resource consumption.

To demonstrate this vulnerability, here's an example. In a Vue client-side application, create a new Vue instance with a template string that includes a <script> tag but closes it incorrectly with something like </textarea>.

// The template must be a backtick template literal so that ${...} is interpolated.
new Vue({
  el: '#app',
  template: `
    <div>
      Hello, world!
      <script>${'<'.repeat(1000000)}</textarea>
    </div>`
});

Next, set up a basic HTML page (e.g., index.html) to load this JavaScript and mount the Vue instance:

<!DOCTYPE html>
<html>
<head>
  <title>My first Vue app</title>
</head>
<body>
  <div id="app">Loading...</div>
</body>
</html>

When you visit the app in your browser at http://localhost:3000, you'll notice that the time taken to parse and mount the Vue application increases significantly due to the ReDoS vulnerability, demonstrating how the flaw can affect performance.


Release Notes

vuejs/core (vue)

v3.0.0: One Piece

Today we are proud to announce the official release of Vue.js 3.0 "One Piece". This new major version of the framework provides improved performance, smaller bundle sizes, better TypeScript integration, new APIs for tackling large scale use cases, and a solid foundation for long-term future iterations of the framework.

The 3.0 release represents over 2 years of development efforts, featuring 30+ RFCs, 2,600+ commits, 628 pull requests from 99 contributors, plus a tremendous amount of development and documentation work outside of the core repo. We would like to express our deepest gratitude towards our team members for taking on this challenge, our contributors for the pull requests, our sponsors and backers for the financial support, and the wider community for participating in our design discussions and providing feedback for the pre-release versions. Vue is an independent project created for the community and sustained by the community, and Vue 3.0 wouldn't have been possible without your consistent support.

Taking the "Progressive Framework" Concept Further

Vue had a simple mission from its humble beginning: to be an approachable framework that anyone can quickly learn. As our user base grew, the framework also grew in scope to adapt to the increasing demands. Over time, it evolved into what we call a "Progressive Framework": a framework that can be learned and adopted incrementally, while providing continued support as the user tackles more and more demanding scenarios.

Today, with over 1.3 million users worldwide*, we are seeing Vue being used in a wildly diverse range of scenarios, from sprinkling interactivity on traditional server-rendered pages, to full-blown single page applications with hundreds of components. Vue 3 takes this flexibility even further.

Layered internal modules

Vue 3.0 core can still be used via a simple <script> tag, but its internals have been re-written from the ground up into a collection of decoupled modules. The new architecture provides better maintainability, and allows end users to shave off up to half of the runtime size via tree-shaking.

These modules also expose lower-level APIs that unlock many advanced use cases:

  • The compiler supports custom AST transforms for build-time customizations (e.g. build-time i18n)
  • The core runtime provides first-class API for creating custom renderers targeting different render targets (e.g. native mobile, WebGL or terminals). The default DOM renderer is built using the same API.
  • The @vue/reactivity module exports functions that provide direct access to Vue's reactivity system, and can be used as a standalone package. It can be used to pair with other templating solutions (e.g. lit-html) or even in non-UI scenarios.

New APIs for tackling scale

The 2.x Object-based API is largely intact in Vue 3. However, 3.0 also introduces the Composition API - a new set of APIs aimed at addressing the pain points of Vue usage in large scale applications. The Composition API builds on top of the reactivity API and enables logic composition and reuse similar to React hooks, more flexible code organization patterns, and more reliable type inference than the 2.x Object-based API.

Composition API can also be used with Vue 2.x via the @vue/composition-api plugin, and there are already Composition API utility libraries that work for both Vue 2 and 3 (e.g. vueuse, vue-composable).

Performance Improvements

Vue 3 has demonstrated significant performance improvements over Vue 2 in terms of bundle size (up to 41% lighter with tree-shaking), initial render (up to 55% faster), updates (up to 133% faster), and memory usage (up to 54% less).

In Vue 3, we have taken the approach of "compiler-informed Virtual DOM": the template compiler performs aggressive optimizations and generates render function code that hoists static content, leaves runtime hints for binding types, and most importantly, flattens the dynamic nodes inside a template to reduce the cost of runtime traversal. The user therefore gets the best of both worlds: compiler-optimized performance from templates, or direct control via manual render functions when the use case demands.

Improved TypeScript integration

Vue 3's codebase is written in TypeScript, with automatically generated, tested, and bundled type definitions so they are always up-to-date. Composition API works great with type inference. Vetur, our official VSCode extension, now supports template expression and props type checking leveraging Vue 3's improved internal typing. Oh, and Vue 3's typing fully supports TSX if that's your preference.

Experimental Features

We have proposed two new features for Single-File Components (SFC, aka .vue files):

These features are already implemented and available in Vue 3.0, but are provided only for the purpose of gathering feedback. They will remain experimental until the RFCs are merged.

We have also implemented a currently undocumented <Suspense> component, which allows waiting on nested async dependencies (async components or component with async setup()) on initial render or branch switch. We are testing and iterating on this feature with the Nuxt.js team (Nuxt 3 is on the way) and will likely solidify it in 3.1.

Phased Release Process

The release of Vue 3.0 marks the general readiness of the framework. While some of the framework's sub projects may still need further work to reach stable status (specifically router and Vuex integration in the devtools), we believe it's suitable to start new, green-field projects with Vue 3 today. We also encourage library authors to start upgrading your projects to support Vue 3.

Check out the Vue 3 Libraries Guide for details on all framework sub projects.

Migration and IE11 Support

We have pushed back the migration build (v3 build with v2 compatible behavior + migration warnings) and the IE11 build due to time constraints, and are aiming to focus on them in Q4 2020. Therefore, users planning to migrate an existing v2 app or require IE11 support should be aware of these limitations at this time.

Next Steps

For the near term after release, we will focus on:

  • Migration build
  • IE11 support
  • Router and Vuex integration in new devtools
  • Further improvements to template type inference in Vetur

For the time being, the documentation websites, GitHub branches, and npm dist tags for Vue 3 and v3-targeting projects will remain under next-denoted status. This means npm install vue will still install Vue 2.x and npm install vue@next will install Vue 3. We are planning to switch all doc links, branches and dist tags to default to 3.0 by end of 2020.

At the same time, we have started planning for 2.7, which will be the last planned minor release of the 2.x release line. 2.7 will be backporting compatible improvements from v3, and emit warnings on usage of APIs that are removed/changed in v3 to help with potential migration. We are planning to work on 2.7 in Q1 2021, which will directly become LTS upon release with an 18 months maintenance lifespan.

Trying It Out

To learn more about Vue 3.0, check out our new documentation website. If you are an existing Vue 2.x user, go directly to the Migration Guide.



Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


renovate bot commented Oct 25, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: src/list/package-lock.json
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @vue/vue2-jest@29.2.2
npm error Found: vue@3.0.0
npm error node_modules/vue
npm error   peer vue@"^2.6.0 || >=3.0.0-rc.0" from @dsb-norge/vue-keycloak-js@2.4.0
npm error   node_modules/@dsb-norge/vue-keycloak-js
npm error     @dsb-norge/vue-keycloak-js@"2.4.0" from list@0.0.0
npm error     frontend
npm error       list@0.0.0
npm error       node_modules/list
npm error         workspace frontend from the root project
npm error   peerOptional vue@"*" from @vue/babel-preset-jsx@1.4.0
npm error   node_modules/@vue/babel-preset-jsx
npm error     @vue/babel-preset-jsx@"^1.1.2" from @vue/babel-preset-app@5.0.8
npm error     node_modules/@vue/babel-preset-app
npm error       @vue/babel-preset-app@"^5.0.8" from @vue/cli-plugin-babel@5.0.8
npm error       node_modules/@vue/cli-plugin-babel
npm error         dev @vue/cli-plugin-babel@"5.0.8" from list@0.0.0
npm error         frontend
npm error   1 more (list)
npm error
npm error Could not resolve dependency:
npm error peer vue@"^2.x" from @vue/vue2-jest@29.2.2
npm error frontend/node_modules/@vue/vue2-jest
npm error   dev @vue/vue2-jest@"29.2.2" from list@0.0.0
npm error   frontend
npm error     list@0.0.0
npm error     node_modules/list
npm error       workspace frontend from the root project
npm error
npm error Conflicting peer dependency: vue@2.7.16
npm error node_modules/vue
npm error   peer vue@"^2.x" from @vue/vue2-jest@29.2.2
npm error   frontend/node_modules/@vue/vue2-jest
npm error     dev @vue/vue2-jest@"29.2.2" from list@0.0.0
npm error     frontend
npm error       list@0.0.0
npm error       node_modules/list
npm error         workspace frontend from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /tmp/renovate/cache/others/npm/_logs/2024-12-01T13_05_37_392Z-eresolve-report.txt
npm error A complete log of this run can be found in: /tmp/renovate/cache/others/npm/_logs/2024-12-01T13_05_37_392Z-debug-0.log
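The advisory's affected range and the ERESOLVE peer conflict above, as an added JavaScript example that is not Renovate's, this repository's, or Vue's code: it audits a constructed package-lock.json snapshot for vue installs still in the affected range and for vue peer ranges that the 3.0.0 target would not satisfy. The "<3.0.0" range is an assumption taken from this PR's fix target, the lockfile is constructed from the packages named in the npm output, and the semver matcher is a deliberately small subset of npm's.

```javascript
// Added example (not part of this PR or of Vue): audit a package-lock.json for vue
// installs in the affected range (assumed "<3.0.0", this PR's fix target) and for
// vue peer ranges the target version breaks, the check npm failed above for vue2-jest.
const AFFECTED_VUE = '<3.0.0';

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null };
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  if (a.pre === b.pre) return 0;
  if (a.pre === null || b.pre === null) return a.pre === null ? 1 : -1; // release > prerelease
  return a.pre < b.pre ? -1 : 1; // crude lexical prerelease order
}
// Subset of npm ranges: "*", caret ("^2.x", "^2.6.0"; no major-0 special case),
// comparators (>=, <=, >, <, =), space-separated AND, "||" OR.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some(alt => alt.trim().split(/\s+/).every(term => {
    if (term === '' || term === '*') return true;
    if (term.startsWith('^')) {
      const [maj, min = '0', pat = '0'] = term.slice(1).split('.');
      const lo = parseVersion(`${maj}.${min === 'x' ? 0 : min}.${pat === 'x' ? 0 : pat}`);
      return v.nums[0] === +maj && compare(v, lo) >= 0;
    }
    const [, op = '=', ver] = /^(>=|<=|>|<|=)?(.+)$/.exec(term);
    const c = compare(v, parseVersion(ver));
    return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[op];
  }));
}
function auditLock(lock, target) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/vue') && satisfies(pkg.version, AFFECTED_VUE))
      findings.push({ kind: 'vulnerable', path, version: pkg.version });
    const peer = (pkg.peerDependencies || {}).vue;
    if (peer && !satisfies(target, peer)) findings.push({ kind: 'peer-conflict', path, peer });
  }
  return findings;
}
// Constructed sample lockfile, modelled on the packages named in the npm output above.
const SAMPLE_LOCK = { packages: {
  'node_modules/vue': { version: '2.7.16' },
  'node_modules/@dsb-norge/vue-keycloak-js': { peerDependencies: { vue: '^2.6.0 || >=3.0.0-rc.0' } },
  'node_modules/@vue/babel-preset-jsx': { peerDependencies: { vue: '*' } },
  'frontend/node_modules/@vue/vue2-jest': { peerDependencies: { vue: '^2.x' } },
} };
console.log(auditLock(SAMPLE_LOCK, '3.0.0')); // vulnerable 2.7.16 + vue2-jest peer conflict
```

A non-empty peer-conflict list is the same condition npm reported, so the upgrade needs that dependency replaced rather than forced through with --legacy-peer-deps, which accepts the resolution npm itself calls potentially broken.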


github-actions bot commented Oct 25, 2024

🦙 MegaLinter status: ❌ ERROR

Descriptor Linter Files Fixed Errors Elapsed time
✅ ACTION actionlint 18 0 0.19s
✅ BASH bash-exec 5 0 0.03s
✅ BASH shellcheck 2 0 0.14s
⚠️ BASH shfmt 5 1 0.01s
⚠️ CSHARP csharpier 1 1 1.25s
⚠️ CSHARP dotnet-format yes 1 0.94s
✅ CSHARP roslynator 1 0 18.21s
✅ CSS stylelint 1 0 1.71s
✅ DOCKERFILE hadolint 4 0 0.39s
✅ EDITORCONFIG editorconfig-checker 379 0 4.19s
✅ ENV dotenv-linter 1 0 0.0s
✅ GROOVY npm-groovy-lint 7 0 14.35s
✅ HTML djlint 2 0 1.77s
✅ HTML htmlhint 2 0 0.51s
✅ JAVA checkstyle 59 0 7.16s
✅ JSON jsonlint 31 0 0.25s
⚠️ JSON prettier 31 1 4.85s
✅ JSON v8r 31 0 84.59s
⚠️ MARKDOWN markdownlint 22 190 1.73s
✅ PYTHON bandit 1 0 1.21s
✅ PYTHON black 1 0 0.68s
✅ PYTHON flake8 1 0 0.53s
✅ PYTHON isort 1 0 0.35s
✅ PYTHON mypy 1 0 7.53s
✅ PYTHON ruff 1 0 0.03s
✅ REPOSITORY checkov yes no 21.71s
✅ REPOSITORY gitleaks yes no 2.11s
✅ REPOSITORY git_diff yes no 0.14s
✅ REPOSITORY kics yes no 57.91s
✅ REPOSITORY secretlint yes no 2.28s
✅ REPOSITORY syft yes no 3.44s
❌ REPOSITORY trivy yes 1 22.93s
✅ REPOSITORY trivy-sbom yes no 1.82s
✅ REPOSITORY trufflehog yes no 6.31s
✅ XML xmllint 3 0 0.01s
✅ YAML prettier 111 0 2.36s

See detailed report in MegaLinter reports

You could have the same capabilities but better runtime performance if you request a new MegaLinter flavor.

MegaLinter is graciously provided by OX Security

@renovate renovate bot force-pushed the renovate/npm-vue-vulnerability branch from c551927 to f91d837 Compare December 1, 2024 11:00
@renovate renovate bot force-pushed the renovate/npm-vue-vulnerability branch from f91d837 to 7ca0212 Compare December 1, 2024 13:05