
Missing Origin Validation during npm install #1566

Closed
1 of 2 tasks
tpw1314 opened this issue Nov 11, 2018 · 47 comments
Comments

@tpw1314

tpw1314 commented Nov 11, 2018

  • Operating System: Windows 10
  • Node Version: v11.1.0
  • NPM Version: 6.4.1
  • webpack Version: 3.12.0
  • webpack-dev-server Version: 3.1.10
  • This is a bug
  • This is a modification request

Code

N/A

Expected Behavior

npm install finishes without error

Actual Behavior

npm WARN deprecated [email protected]: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
npm WARN deprecated [email protected]: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.

> [email protected] install C:\xampp\htdocs\laravue\node_modules\node-sass
> node scripts/install.js

Cached binary found at C:\Users\User\AppData\Roaming\npm-cache\node-sass\4.10.0\win32-x64-67_binding.node

> [email protected] postinstall C:\xampp\htdocs\laravue\node_modules\webpack\node_modules\uglifyjs-webpack-plugin
> node lib/post_install.js


> [email protected] postinstall C:\xampp\htdocs\laravue\node_modules\node-sass
> node scripts/build.js

Binary found at C:\xampp\htdocs\laravue\node_modules\node-sass\vendor\win32-x64-67\binding.node
Testing binary
Binary is fine
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN [email protected] requires a peer of imagemin@^5.0.0 || ^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN [email protected] requires a peer of ajv@^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

added 1189 packages from 698 contributors and audited 11710 packages in 196.717s
found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

For Bugs; How can we reproduce the behavior?

On a Windows environment, launch cmd and run the following commands:

composer create-project --prefer-dist laravel/laravel laravel

And then run

npm install

For Features; What is the motivation and/or use-case for the feature?

@tpw1314
Author

tpw1314 commented Nov 11, 2018

I remember the first time I installed Laravel via composer + npm install, there was no problem at all. However, I had to re-install a fresh Laravel project, so I ended up just right-clicking and deleting the project folder.
After a few busy weeks I decided to set up a fresh Laravel project again, ran npm install, and boom.

@Baspa

Baspa commented Nov 11, 2018

I also get this error. Even when I make a new project and then use npm install, I get the following message:

audited 11772 packages in 15.252s
found 1 high severity vulnerability
run npm audit fix to fix them, or npm audit for details

Whenever I use the npm audit command I get this message:

Manual Review
Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

High Missing Origin Validation

Package webpack-dev-server

Patched in >=3.1.6

Dependency of laravel-mix [dev]

Path laravel-mix > webpack-dev-server

More info https://nodesecurity.io/advisories/725

Anyone any ideas on how to fix this?

@alexander-akait
Member

Please create this issue in laravel-mix. You are using an old webpack-dev-server version in laravel-mix.

@tanx

tanx commented Nov 12, 2018

Any chance the security fix will get backported to [email protected]? We're still on [email protected], which relies on this version range. Thanks for your consideration.

=== npm audit security report ===

# Run  npm install [email protected]  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Missing Origin Validation                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > webpack-dev-server                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/725                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

@alexander-akait
Member

alexander-akait commented Nov 12, 2018

@tanx webpack-dev-server@2 is deprecated and not updated anymore due to a lot of bugs and security problems, sorry

@tpw1314
Author

tpw1314 commented Nov 13, 2018

For all of you, this issue appears to be solved by this #1815

@tanx

tanx commented Nov 13, 2018

Not in [email protected] unfortunately though.

@tpw1314
Author

tpw1314 commented Nov 19, 2018

Please refer to this issue. Apparently it is not fixed yet.

@connecteev

Seeing the same. This issue hasn't been fixed yet.

@JhumanJ

JhumanJ commented Nov 21, 2018

Same here.

@Download

Download commented Nov 23, 2018

Same here. Not using laravel-mix AFAIK

@proliuk

proliuk commented Nov 26, 2018

=== npm audit security report ===

                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

 High            Missing Origin Validation

  Package         webpack-dev-server

  Patched in      >=3.1.6

  Dependency of   laravel-mix [dev]

  Path            laravel-mix > webpack-dev-server

  More info       https://nodesecurity.io/advisories/725

found 1 high severity vulnerability in 15147 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Already, what can we do with these vulnerabilities? Does it work on a local server?

@rymartin767

Still not resolved as of this evening. A fresh Laravel install on an Amazon AMI still shows the report. Working locally, but I haven't tried to deploy.

@SharakPL

SharakPL commented Dec 7, 2018

npm install laravel-mix@beta fixes the problem

@enbermudas

@SharakPL's option actually fixes the problem. Thanks a lot!

@jeffegiovani

@SharakPL that works fine for me, thanks!

@NaturalDevCR

npm install laravel-mix@beta fixes the problem

I did this and it worked, but I have some kind of issue with babel-core now; I guess it's a separate issue.

@tpw1314
Author

tpw1314 commented Dec 16, 2018

Did anyone manage to run npm install laravel-mix without hitting any error, even after a month?

@deepeshmadkar

Yes, I am also getting the same issues.

@vldmrkl

vldmrkl commented Dec 31, 2018

I can confirm. I'm using create-react-app.

@ealexhaywood

As am I. The latest CRA is using [email protected], so I notified them in the existing issue that was opened: facebook/create-react-app#5777 (comment)

@amitozdeol

Issue still persists. Using a fresh copy of create-react-app on Mac OS High Sierra.

@dvvdev

dvvdev commented Jan 1, 2019

Issue is occurring with vue/cli-service.

@armingjazi

Having the same issue with create-react-app! Can somebody clarify why this is closed?! The React issue links to here and is closed as well.

@ealexhaywood

Everyone who is using create-react-app should post here: facebook/create-react-app#5777. Webpack has already said they are not backporting fixes. Tell create-react-app to update their webpack-dev-server version.

@simPod

simPod commented Jan 1, 2019

The problem started around midnight, I suppose.

And it seems like it is wrongly listed here https://www.npmjs.com/advisories/725/versions as it says version 3.1.6+ is fine, but it is listed as affected as well.

@millenjo

millenjo commented Jan 1, 2019

I'm getting this directly when just installing webpack-dev-server. I create a new folder, run npm init, then npm install webpack-dev-server --save, and I get:

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Missing Origin Validation                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/725                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 3441 scanned packages
  1 vulnerability requires manual review. See the full report for details.

when I run npm audit.

What's interesting is that the link https://nodesecurity.io/advisories/725 informs me that this is regarding version 3.1.6 and earlier, but the latest is 3.1.14, right? Is npm maybe interpreting 3.1.1* as lower than 3.1.6?

@palkan

palkan commented Jan 2, 2019

is npm maybe interpreting 3.1.1* as lower than 3.1.6?

just tried 3.1.9 – the same(

@falsy

falsy commented Jan 2, 2019

If you run 'npm install' on Node v8.12.0, the following error appears. (npm v6.4.1)

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Missing Origin Validation                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-dev-server [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/725                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 10268 scanned packages
  1 vulnerability requires manual review. See the full report for details.

'npm install' on Node v6.14.4 does not output an error. (npm v3.10.10)

@fergyfresh

@falsy, we are seeing the same thing. I've retried it with 3.1.11 through 3.1.14 and no dice.

@simPod

simPod commented Jan 2, 2019

Those versions are listed as affected.

@evalineBai

This was due to a typo in the vulnerability database apparently: https://npm.community/t/advisory-725-inconsistently-marks-affected-versions/4333/3
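The comparison question raised above (whether npm treats 3.1.1* as lower than 3.1.6, and why the patched range matters) as an added example, not code from this thread, from npm or from webpack-dev-server: a numeric semver check of an installed version against an advisory's "Patched in" range, beside the string comparison that would misclassify 3.1.11 and 3.1.14. All function names and the sample version list are assumptions of this example.

```javascript
// Added example, not code from npm or webpack-dev-server: checks an installed
// version against an advisory's "Patched in >=X.Y.Z" range with a proper
// numeric semver comparison and contrasts it with a plain string comparison.

// Parse "MAJOR.MINOR.PATCH" (a "-prerelease" suffix is accepted and ignored)
// into three integers; anything else is rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Component-wise numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate the ">=X.Y.Z" range exactly as npm audit prints "Patched in".
function isPatched(installed, patchedIn) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(patchedIn.trim());
  if (!m) throw new Error(`unsupported range syntax: ${patchedIn}`);
  return compareVersions(installed, m[1]) >= 0;
}

// The naive check a commenter suspected npm of doing: lexicographic string
// order, under which "3.1.14" sorts below "3.1.6" because "1" < "6".
function isPatchedByStringCompare(installed, patchedIn) {
  return installed >= patchedIn.replace(/^>=\s*/, '');
}

// Return the versions that a given check still reports as affected.
function stillAffected(versions, patchedIn, check) {
  return versions.filter((v) => !check(v, patchedIn));
}

// Constructed sample: the "Patched in" value quoted in the audit output in
// this thread and the versions commenters reported trying.
const PATCHED_IN = '>=3.1.6';
const TRIED = ['3.1.5', '3.1.9', '3.1.11', '3.1.14'];

console.log('numeric:', stillAffected(TRIED, PATCHED_IN, isPatched)); // [ '3.1.5' ]
console.log('string :', stillAffected(TRIED, PATCHED_IN, isPatchedByStringCompare)); // [ '3.1.5', '3.1.11', '3.1.14' ]
```

Only the numeric result matches what the advisory text says; the mismatch commenters saw came from the advisory's own version list, not from the comparison, so the check to run locally is the numeric one against the corrected range.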

@simPod

simPod commented Jan 2, 2019

On the 1st of January I contacted npm. Should be just fine now.

@falsy

falsy commented Jan 2, 2019

@falsy, we are seeing the same thing. I've retried it with 3.1.11 through 3.1.14 and no dice.

@fergyfresh Hi, fergyfresh.

First of all, I am sorry but I am not good at English. (I didn't understand the meaning of 'dice'.)
I am currently using v3.1.14. Most webpack-dev-server v3.1.x output an error on node v8.12.0. However, we have used the NVM to change to Node v6.14.4 and have verified that it does not output subsequent installed result errors.

I don't think this is the solution.
If you need more information from me, let me know.
Thank you.

@fergyfresh

@falsy it just means it did not work. Still have the high vulnerability security warning.

@falsy

falsy commented Jan 2, 2019

@fergyfresh I tested it on my PC at home and found it installed on node v8.12.0 without errors.
Sorry, I think the cause of the problem is something other than the node version.

@simPod

simPod commented Jan 2, 2019

@falsy Have you read my posts? I think it explains it all.

@SharakPL

SharakPL commented Jan 2, 2019

@simPod I can confirm that it's been fixed. npm audit is clean now.

@falsy

falsy commented Jan 3, 2019

@simPod Oh, now the error is not output. Thank you.

@quang5566

I'm also getting the same issues. Although I have updated [email protected], I can't run npm run dev: TypeError: Cannot destructure property compile of 'undefined' or 'null'.

@bandisudhir

I'm also still seeing the issue. If anyone found a solution please help.

@jduser36

jduser36 commented Jan 4, 2019

I'm also getting this issue on a Mac. I am new to React.js, so is there a way to solve it or to bypass it?

@simPod

simPod commented Jan 4, 2019

Is your issue Missing Origin Validation? Do you have only v3.1.11+ installed?

@jduser36

jduser36 commented Jan 4, 2019

Yes it is, and I have version 3.5.0 installed.

@simPod

simPod commented Jan 4, 2019

Read the link first, then (https://nodesecurity.io/advisories/725), to understand that you are using an affected version, and then upgrade it.

@bandisudhir

I'm also still seeing the issue. If anyone found a solution please help.

After updating [email protected], the problem is resolved. Though it is still showing 1 high vulnerability, I was able to install the required packages. If your problem is not resolved, delete the node_modules folder and install again. Hoping your problem will be resolved.

@bandisudhir

Yes it is, and I have version 3.5.0 installed.

Please check the version properly; the highest version of webpack-dev-server available is 3.1.14 as I'm writing this comment.
