chore(deps): update dependency vue-i18n-legacy to v9 [security] #103

@renovate renovate bot commented Dec 2, 2024

This PR contains the following updates:

Package | Change
vue-i18n-legacy (source) | 8 -> 9.14.2

GitHub Vulnerability Alerts

CVE-2024-52809

Vulnerability type

XSS

Description

vue-i18n can be passed locale messages to createI18n or useI18n.
We can then translate them using t and $t.
vue-i18n has its own syntax for locale messages, and uses a message compiler to generate an AST.
In order to maximize the performance of the translation function, vue-i18n uses bundler plugins such as @intlify/unplugin-vue-i18n and the bundler to convert the AST in advance when building the application.
By using that AST as the locale message, it is no longer necessary to compile, and it is possible to translate using the AST.

The AST generated by the message compiler has special properties for each node in the AST tree to maximize performance. In the PoC example below, it is a static property, but that is just one of the optimizations.
For details of the special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts

In general, the locale messages of vue-i18n are optimized during production builds using @intlify/unplugin-vue-i18n,
so there is always a property that is attached during optimization like this time.
But if you are using a locale message AST in development mode or your own, there is a possibility of XSS if a third party injects.

Reproduce (PoC)

<!doctype html>
<html>
  <head>
    <meta charset="utf-8" />
    <title>vue-i18n XSS</title>
    <script src="https://unpkg.com/vue@3"></script>
    <script src="https://unpkg.com/vue-i18n@10"></script>
    <!-- Scripts that perform prototype contamination, such as being distributed from malicious hosting sites or injected through supply chain attacks, etc. -->
    <script>
      /**
       * Prototype pollution vulnerability with `Object.prototype`.
       * The 'static' property is part of the optimized AST generated by the vue-i18n message compiler.
       * About details of special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts
       *
       * In general, the locale messages of vue-i18n are optimized during production builds using `@intlify/unplugin-vue-i18n`,
       * so there is always a property that is attached during optimization like this time.
       * But if you are using a locale message AST in development or your own, there is a possibility of XSS if a third party injects prototype pollution code.
       */
      Object.defineProperty(Object.prototype, 'static', {
        configurable: true,
        get() {
          alert('prototype polluted!')
          return 'prototype pollution'
        }
      })
    </script>
  </head>
  <body>
    <div id="app">
      <p>{{ t('hello') }}</p>
    </div>
    <script>
      const { createApp } = Vue
      const { createI18n, useI18n } = VueI18n

      // AST style locale message, which build by `@intlify/unplugin-vue-i18n`
      const en = {
        hello: {
          type: 0,
          body: {
            items: [
              {
                type: 3,
                value: 'hello world!'
              }
            ]
          }
        }
      }

      const i18n = createI18n({
        legacy: false,
        locale: 'en',
        messages: {
          en
        }
      })

      const app = createApp({
        setup() {
          const { t } = useI18n()
          return { t }
        }
      })
      app.use(i18n)
      app.mount('#app')
    </script>
  </body>
</html>

Workarounds

Before v10.0.0, we can work around this vulnerability by using regular compilation (jit: false in the @intlify/unplugin-vue-i18n plugin configuration) instead of JIT compilation.


Release Notes

intlify/vue-i18n (vue-i18n-legacy)

v9.14.2

What's Changed

🔒 Security Fixes

Full Changelog: intlify/vue-i18n@v9.14.1...v9.14.2

v9.14.1

What's Changed

🐛 Bug Fixes

Full Changelog: intlify/vue-i18n@v9.14.0...v9.14.1

v9.14.0

What's Changed

⚡ Improvement Features

Full Changelog: intlify/vue-i18n@v9.13.1...v9.14.0

v9.13.1

This changelog is generated by GitHub Releases

What's Changed

🐛 Bug Fixes

Full Changelog: intlify/vue-i18n@v9.13.0...v9.13.1

v9.13.0

What's Changed

⚠️ Deprecated Features
⚡ Improvement Features
📝️ Documentations

New Contributors

Full Changelog: intlify/vue-i18n@v9.12.1...v9.13.0

v9.12.1

What's Changed

🐛 Bug Fixes
👕 Refactoring

Full Changelog: intlify/vue-i18n@v9.12.0...v9.12.1

v9.12.0

What's Changed

🌟 Features

Full Changelog: intlify/vue-i18n@v9.11.1...v9.12.0

v9.11.1

What's Changed

🐛 Bug Fixes

Full Changelog: intlify/vue-i18n@v9.11.0...v9.11.1

v9.11.0

What's Changed

🌟 Features

New Contributors

Full Changelog: intlify/vue-i18n@v9.10.2...v9.11.0

v9.10.2

What's Changed

🐛 Bug Fixes

New Contributors

Full Changelog: intlify/vue-i18n@v9.10.1...v9.10.2

v9.10.1

What's Changed

⚡ Improvement Features
📝️ Documentations

New Contributors

Full Changelog: intlify/vue-i18n@v9.10.0...v9.10.1

v9.10.0

What's Changed

🌟 Features
📝️ Documentations

New Contributors

Full Changelog: intlify/vue-i18n@v9.9.1...v9.10.0

v9.9.1

What's Changed

🐛 Bug Fixes
📝️ Documentations

New Contributors

Full Changelog: intlify/vue-i18n@v9.9.0...v9.9.1

v9.9.0

What's Changed

⚡ Improvement Features
📈 Performance Fixes
📝️ Documentations

New Contributors

Full Changelog: intlify/vue-i18n@v9.8.0...v9.9.0

v9.8.0

What's Changed

🌟 Features

Full Changelog: intlify/vue-i18n@v9.7.1...v9.8.0

v9.7.1

What's Changed

⚡ Improvement Features

Full Changelog: intlify/vue-i18n@v9.7.0...v9.7.1

v9.7.0

What's Changed

🌟 Features

Full Changelog: intlify/vue-i18n@v9.6.5...v9.7.0

v9.6.5

What's Changed

🐛 Bug Fixes

New Contributors

Full Changelog: intlify/vue-i18n@v9.6.4...v9.6.5

v9.6.4

What's Changed

🐛 Bug Fixes

Full Changelog: intlify/vue-i18n@v9.6.3...v9.6.4

v9.6.3

What's Changed

🐛 Bug Fixes

New Contributors

Full Changelog: intlify/vue-i18n@v9.6.2...v9.6.3

v9.6.2

What's Changed

🐛 Bug Fixes

Full Changelog: intlify/vue-i18n@v9.6.1...v9.6.2

v9.6.1

What's Changed

🐛 Bug Fixes

Full Changelog: intlify/vue-i18n@v9.6.0...v9.6.1

v9.6.0

What's Changed

🌟 Features
🐛 Bug Fixes
⚡ Improvement Features
📝️ Documentations

Full Changelog: intlify/vue-i18n@v9.5.0...v9.6.0

v9.5.0

What's Changed

🌟 Features
🐛 Bug Fixes
📝️ Documentations
🍭 Examples

New Contributors

Full Changelog: intlify/vue-i18n@v9.4.1...v9.5.0

v9.4.1

What's Changed

🐛 Bug Fixes
📝️ Documentations

Full Changelog: intlify/vue-i18n@v9.4.0...v9.4.1

v9.4.0

What's Changed

🌟 Features
🐛 Bug Fixes
⚡ Improvement Features

New Contributors

Full Changelog: intlify/vue-i18n@v9.3.0...v9.4.0

v9.3.0

We are excited to announce the release of Vue I18n v9.3, finally !! This release includes some new features, bug fixes, improvements, and document fixes.

We had committed with 37 contributors. Thanks for your contributions ❤️

In the following, we introduce some of the new features:

🌟 Features

Node.js Dual packages (cjs / mjs)

We provide CommonJS and Native ESM dual module packages for Node.js. This supports both require and import for loading modules in Node.js.

JIT Style Compilation

Supports JIT (Just In Time) style compilation of message formats. This means it removes the CSP limitation and allows for use in environments such as Service worker, Web worker, and Edge.

It also now supports the use-case where locale messages are dynamically retrieved from the backend via the API.

For more information, please see the docs

The performance of JIT-style compilation is close to that of conventional AOT (Ahead Of Time) style compilation, and you can improve the performance to nearly 3x with combination of JIT + AOT.

Below are the compile performance benchmark results for vue-i18n:

> node ./benchmark/index.mjs

compilation:

compile simple message x 396,898 ops/sec ±0.31% (98 runs sampled)
compile complex message x 60,036 ops/sec ±0.34% (99 runs sampled)

simple pattern on 1000 resources (AOT):

resolve time with core x 279,919 ops/sec ±0.19% (99 runs sampled)
resolve time on composition x 93,963 ops/sec ±0.48% (93 runs sampled)
resolve time on composition with compile cache x 230,928 ops/sec ±0.20% (100 runs sampled)

simple pattern on 1000 resources (JIT):

resolve time with core x 277,813 ops/sec ±0.18% (99 runs sampled)
resolve time on composition x 91,959 ops/sec ±0.43% (97 runs sampled)
resolve time on composition with compile cache x 227,117 ops/sec ±0.15% (99 runs sampled)

simple pattern on 1000 resources (JIT + AOT):

resolve time with core x 319,061 ops/sec ±0.18% (100 runs sampled)
resolve time on composition x 204,529 ops/sec ±0.22% (95 runs sampled)
resolve time on composition with compile cache x 204,652 ops/sec ±0.30% (100 runs sampled)

complex pattern on 1000 resources (AOT):

resolve time with core x 240,427 ops/sec ±0.37% (100 runs sampled)
resolve time on composition x 33,959 ops/sec ±0.45% (94 runs sampled)
resolve time on composition with compile cache x 200,980 ops/sec ±0.15% (99 runs sampled)

complex pattern on 1000 resources (JIT):

resolve time with core x 225,739 ops/sec ±0.25% (99 runs sampled)
resolve time on composition x 36,379 ops/sec ±0.49% (97 runs sampled)
resolve time on composition with compile cache x 191,653 ops/sec ±0.24% (100 runs sampled)

complex pattern on 1000 resources (JIT + AOT):

resolve time with core x 278,542 ops/sec ±0.20% (98 runs sampled)
resolve time on composition x 92,781 ops/sec ±0.31% (98 runs sampled)
resolve time on composition with compile cache x 92,865 ops/sec ±0.33% (98 runs sampled)

You can clone Vue I18n and run the benchmark with pnpm build:type && pnpm benchmark to check.

Custom message format

Starting with v9.3, Vue I18n will give message format customization as an experimental feature. This will allow for extending to the message format:

import { createI18n } from 'vue-i18n'
import { messageCompiler } from './compilation'

const i18n = createI18n({
  legacy: false,
  locale: 'en',
  messageCompiler,
  messages: {
    en: {
      hello: 'hello world!',
      greeting: 'hi, {name}!',
      photo: `You have {numPhotos, plural,
        =0 {no photos.}
        =1 {one photo.}
        other {# photos.}
      }`
    }
  }
})

For details, please see the docs

Exports type definition and API

Export v-t type definitions and API $te to support Vue I18n extending for third vendors and your Vue applications.

❗ Important Changes: 1

allowComposition option

The allowComposition option will be removed in Vue I18n v10. We have accordingly output a warning if you are using it.

If you are using Vue I18n Legacy API to migrate to the Composition API, please make sure you have done so with the Vue I18n v9 version.

Deprecate vue-i18n official bundle plugins

The following plugin or loader for bundler is deprecated because it can be replaced by the unplugin-vue-i18n.

These will only be taken as hot fixes in the future, and no additional functionality will be added.

⚡ Improvement Features: 15

🐛 Bug Fixes: 17

📝️ Documentations: 28

🧑‍🤝‍🧑 Contributors: 37


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
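
The property lookup behind the CVE-2024-52809 PoC above, next to an own-property read that is unaffected by it. This is an added example, not vue-i18n's code and not part of the original PR; `formatNaive`, `formatHardened`, `own` and `pollutedAstKeys` are hypothetical names, and the AST is a constructed copy of the shape used in the PoC.

```javascript
// Constructed AST message, same shape as the PoC's `hello` entry.
const ast = { type: 0, body: { items: [{ type: 3, value: 'hello world!' }] } };

// Naive read: plain property access walks the prototype chain, so a node that
// lacks its own `static` is answered by whatever sits on Object.prototype.
function formatNaive(node) {
  const body = node.body;
  if (body.static !== undefined) return String(body.static);
  return body.items.map(item => item.value).join('');
}

// Hardened read: trust only properties the node itself owns.
function own(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

function formatHardened(node) {
  const body = own(node, 'body');
  if (body === undefined) throw new TypeError('AST node has no own body');
  const fixed = own(body, 'static');
  if (fixed !== undefined) return String(fixed);
  const items = own(body, 'items') || [];
  return items.map(item => String(own(item, 'value') ?? '')).join('');
}

// Startup check: AST keys (those visible in the PoC) already present on
// Object.prototype. `in` does not invoke a polluting getter.
const AST_KEYS = ['static', 'type', 'body', 'items', 'value'];
function pollutedAstKeys() {
  return AST_KEYS.filter(key => key in Object.prototype);
}

// Apply the PoC's pollution (without the alert), run both readers, clean up.
function demo() {
  Object.defineProperty(Object.prototype, 'static', {
    configurable: true,
    get() { return 'prototype pollution'; }
  });
  try {
    return {
      naive: formatNaive(ast),
      hardened: formatHardened(ast),
      polluted: pollutedAstKeys()
    };
  } finally {
    delete Object.prototype.static; // restore a clean prototype
  }
}
```

A check like `pollutedAstKeys()` can run before locale messages are handed to `createI18n`, so a polluted environment is reported instead of rendered.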

@renovate renovate bot changed the title chore(deps): update dependency vue-i18n-legacy to v9 [security] chore(deps): update dependency vue-i18n-legacy to v9 [security] - autoclosed Dec 8, 2024
@renovate renovate bot closed this Dec 8, 2024
@renovate renovate bot deleted the renovate/npm-vue-i18n-legacy-vulnerability branch December 8, 2024 19:01
@renovate renovate bot changed the title chore(deps): update dependency vue-i18n-legacy to v9 [security] - autoclosed chore(deps): update dependency vue-i18n-legacy to v9 [security] Dec 8, 2024
@renovate renovate bot reopened this Dec 8, 2024
@renovate renovate bot force-pushed the renovate/npm-vue-i18n-legacy-vulnerability branch from ddfea19 to 3f4ac72 Compare December 8, 2024 22:01
@renovate renovate bot force-pushed the renovate/npm-vue-i18n-legacy-vulnerability branch from 3f4ac72 to be5b346 Compare December 17, 2024 19:56
@renovate renovate bot changed the title chore(deps): update dependency vue-i18n-legacy to v9 [security] chore(deps): update dependency vue-i18n-legacy to v10 [security] Dec 17, 2024
@renovate renovate bot force-pushed the renovate/npm-vue-i18n-legacy-vulnerability branch from be5b346 to be692fb Compare December 17, 2024 23:51
@renovate renovate bot changed the title chore(deps): update dependency vue-i18n-legacy to v10 [security] chore(deps): update dependency vue-i18n-legacy to v9 [security] Dec 17, 2024