Vue has high-risk vulnerabilities 👻? Yuxi himself refuted the rumor

First, say the conclusion: false

Rumors! False. Vue is still secure and can be safely used in a variety of projects.

Ii. What happened

2.1 News of empty wind cave

In recent days, there has been a picture from an unknown source and some vague rumors circulating in the front end circles.

To sum up:

SonarQube and Vue.js have bugs that hackers are taking advantage of. Stop using it! If you can’t replace it, you have to patch it.

Many students who did not know the truth were frightened by the news, thinking they would have to stay up late to upgrade the system.

But those of you who know a little bit about cyber security can easily spot the confusion in this passage.

1. Vue.jsAs a progressive front-end framework with no specific security vulnerabilities recently exposed, how did it suddenly become a tool of “hacker groups”? A front-end framework, can directly have how serious security holes? I can only think of it for nowxss)
2. inNational Information Security Vulnerability library http://www.cnnvd.org.cn/Is not directly related toVue.jsRelated security vulnerabilities. According to theVue.jsIf there were such a serious problem, it would be front page news.

Obviously, this is a flawed piece of news, but it still went viral on all kinds of social media tools.

2.2 vueThe author himself answered

On January 25, 2022, you Yuxi, a well-known front-end developer, the father of Vue.js, a big V and a famous user in the nuggets community, published an article “Concerning the recent Bug Notice involving SonarQube and Vue” on A website to refute the rumor.

The article is very long, just look at the conclusion:

In a word: as long as you use it normally, vue.js is safe!

How to identify similar rumors?

Network security has become the “most important” event on the Internet in recent years, I believe you remember the security storm caused by Log4j.

More recently, faker.js was injected by the maintainer into malicious code, which also made the city full of rumors.

Therefore, many students could not help but be shocked to see “this kind of news” and lost their usual calm.

So, as a mature software engineer, what can we do to prevent being cheated?

I have summarized the following three steps:

1. Go to the National information security Vulnerability database as the most authoritative vulnerability publishing platform at the national level, if there is no information on this, it is very likely that this is fake news.

The method shown in the figure can be quickly filtered to find relevant vulnerabilities.

以 Vue.jsTake the search results of related rumors as an example:

Take a look at each point and there is no argument that vue.js ontology is flawed at all. Fake!

2. Search for song/degree. It’s impossible for social chat to spread faster than song/degree.

The search results are silent and completely devoid of relevant information – fake!

3. github/issuesTake time! If such a problem occurs, the relevant warehouseissuesThere is bound to be a request for an urgent update from the maintainer immediately and a way to upgrade it.

The most recent discussion was in 2020 — fake!

OK, did you get it? Be sure to polish your eyes!

The end of the

I’m Spring brother. I love vue.js, ElementUI, and Element Plus. My goal is to share the most practical and useful knowledge points with you. I hope you can leave work early, finish your work quickly, and feel calm 🐟.

You can pay attention to me in nuggets: spring elder brother’s dream is to touch fish, can also find me in the public number: the front end to touch fish. I hope you will be stronger in 2022.