{"id":26624,"library":"vue-template-compiler-patched","title":"vue-template-compiler-patched","description":"Security-patched fork of Vue 2's vue-template-compiler (v2.7.16) fixing CVE-2024-6783 (XSS via prototype pollution) and CVE-2024-9506 (ReDoS). Provides the same API as the original package but with sanitized output and regex hardening. Current version: 2.7.16-patch.2. Releases are tied to Vue 2.7.x LTS; no breaking changes vs original. Can be installed as a drop-in alias replacement for vue-template-compiler to automatically satisfy peer dependencies (e.g., @vue/test-utils, vue-loader). Ships TypeScript definitions.","status":"active","version":"2.7.16-patch.2","language":"javascript","source_language":"en","source_url":"https://github.com/bio/vue-template-compiler-patched","tags":["javascript","vue","compiler","typescript"],"install":[{"cmd":"npm install vue-template-compiler-patched","lang":"bash","label":"npm"},{"cmd":"yarn add vue-template-compiler-patched","lang":"bash","label":"yarn"},{"cmd":"pnpm add vue-template-compiler-patched","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Peer dependency for compiler output compatibility; same version range as original vue-template-compiler requires.","package":"vue","optional":true}],"imports":[{"note":"Main export is the compiler object, not named 'compile'. Use default require or default import.","wrong":"import { compile } from 'vue-template-compiler-patched' (no named export at root)","symbol":"compile","correct":"const compiler = require('vue-template-compiler-patched'); const { render } = compiler.compile(template);"},{"note":"ESM default import works. 
Named imports like 'compile' are not available at top level.","wrong":"import { compile } from 'vue-template-compiler-patched'","symbol":"default (compiler object)","correct":"import compiler from 'vue-template-compiler-patched'; compiler.compile(template);"},{"note":"Destructuring works only in CommonJS require, not ESM named imports.","wrong":"const compile = require('vue-template-compiler-patched').compile (incorrect, no named export)","symbol":"compile (via destructuring)","correct":"const { compile } = require('vue-template-compiler-patched');"},{"note":"Same rules as compile; available via destructuring in CJS or as property of default export in ESM.","wrong":"import { ssrCompile } from 'vue-template-compiler-patched'; // errors if module is CJS only","symbol":"ssrCompile","correct":"const { ssrCompile } = require('vue-template-compiler-patched');"},{"note":"This IS a named export (not on default object). Use named import in ESM.","wrong":"const parseComponent = require('vue-template-compiler-patched').parseComponent; // works but ugly","symbol":"parseComponent","correct":"import { parseComponent } from 'vue-template-compiler-patched';"}],"quickstart":{"code":"const compiler = require('vue-template-compiler-patched');\nconst template = '<div>{{ message }}</div>';\nconst result = compiler.compile(template, { outputSourceRange: true });\nconsole.log(result.render);\n// with: function anonymous() { with(this) { ... 
} }\n\n// SSR example:\nconst { ssrCompile } = compiler;\nconst ssrResult = ssrCompile(template);\nconsole.log(ssrResult.render);\n\n// Parse SFC:\nconst { parseComponent } = require('vue-template-compiler-patched');\nconst sfc = `<template><div>Hello</div></template>`;\nconst parsed = parseComponent(sfc);\nconsole.log(parsed.template.content);","lang":"javascript","description":"Shows how to require the patched compiler, compile a template, use SSR compiler, and parse a single-file component."},"warnings":[{"fix":"Use v-html with trusted content only. Bypassing sanitization with v-pre or by skipping compilation removes the CVE-2024-6783 protection for that markup, so reserve it for static, fully trusted templates.","message":"Output of compile() may differ from original due to XSS sanitization (CVE-2024-6783) - dynamic attributes containing user input are encoded. This may break existing templates relying on raw HTML injection via v-html or mustache without escaping.","severity":"breaking","affected_versions":">=2.7.16-patch.1"},{"fix":"Simplify overly complex templates; validation errors now surface earlier.","message":"ReDoS fix (CVE-2024-9506) changes regex balancing in tag parsing. 
Very long or malformed templates may now fail to compile instead of hanging the process.","severity":"breaking","affected_versions":">=2.7.16-patch.2"},{"fix":"Install as vue-template-compiler@npm:vue-template-compiler-patched@^2.7.16-patch.2","message":"The alias install method (npm:vue-template-compiler-patched) is recommended over requiring the package by its patched name directly, to avoid peer dependency conflicts. The alias makes every consumer of vue-template-compiler resolve to this fork, so review the fork's source and commit the lockfile entry it resolves to.","severity":"deprecated","affected_versions":"all"},{"fix":"Wrap render functions in a non-strict scope, or use 'new Function(renderCode)' with appropriate context. 'new Function' executes the string as code, so pass it only render code compiled from templates you control.","message":"The compile() output still uses 'with' statement, so it cannot be used in strict mode ('use strict') environments without eval-like workarounds.","severity":"gotcha","affected_versions":"all"},{"fix":"Use: import compiler from 'vue-template-compiler-patched'; then compiler.compile(...).","message":"ESM named imports like 'compile' are NOT available; you must use default import or require with destructuring. parseComponent IS a named export.","severity":"gotcha","affected_versions":"all"}],"env_vars":null,"last_verified":"2026-05-01T00:00:00.000Z","next_check":"2026-07-30T00:00:00.000Z","problems":[{"fix":"Install via the alias method: npm install vue-template-compiler@npm:vue-template-compiler-patched@^2.7.16-patch.2 --save-dev","cause":"You installed vue-template-compiler-patched but the code (e.g., @vue/test-utils) requires 'vue-template-compiler' directly.","error":"Cannot find module 'vue-template-compiler'"},{"fix":"Shorten or escape problematic template content; avoid deeply nested or unbalanced quotes.","cause":"New stricter parsing due to ReDoS fix; a very long or malformed attribute value now errors instead of hanging.","error":"Failed to compile template: Template syntax error: Unexpected token in attribute expression"},{"fix":"Use default import: import compiler from 'vue-template-compiler-patched'; then compiler.compile().","cause":"ESM import incorrectly uses named import: import { compile } 
from 'vue-template-compiler-patched'.","error":"TypeError: compiler.compile is not a function"},{"fix":"Create context with { Vue: ..., ... } and pass to render.call(context).","cause":"Compiled render function uses 'with(this)' but strict mode is enabled.","error":"Uncaught ReferenceError: this is not defined (in render function)"},{"fix":"Install correctly: npm i vue-template-compiler-patched --save-dev; or configure alias to point to patched version.","cause":"Package is not installed or webpack alias is misconfigured.","error":"Module not found: Error: Can't resolve 'vue-template-compiler-patched' in '/path'"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}