chore(deps): bump terser-webpack-plugin to v.1.4.2 #20014
Conversation
Switching from 1.X to 2.x might need more changes - given this list of breaking changes (not sure, just testing if build doesn't crash doesn't seem like enough of research): https://github.com/webpack-contrib/terser-webpack-plugin/releases/tag/v2.0.0 There is release for 1.X line as well that fixes same thing: https://github.com/webpack-contrib/terser-webpack-plugin/releases/tag/v1.4.2 |
|
You're totally right, we better use this one instead. 👍 The 1.4.2 doesn't seem to appear in their changelog so I may have missed it. I will make a change to use this version instead. Thanks! |
alexandre-lelain
force-pushed
the
build/terser_webpack_plugin_bump
branch
from
f5d7773
to
e3579be
Compare
alexandre-lelain
changed the title
pieh
changed the title
|
Holy buckets, @alexandre-lelain — we just merged your PR to Gatsby! 💪💜 Gatsby is built by awesome people like you. Let us say “thanks” in two ways:
If there’s anything we can do to help, please don’t hesitate to reach out to us: tweet at @gatsbyjs and we’ll come a-runnin’. Thanks again! |
Description
A security breach was found in serialize-javascript (versions < 2.1.1) which is one of the dependencies of gatsby's terser-webpack-plugin dependency.
This PR bumps the version of terser-webpack-plugin to 2.2.2 to fix the security breach. See https://github.com/webpack-contrib/terser-webpack-plugin/blob/master/CHANGELOG.md.
You can find the security alert here: GHSA-h9rv-jmmf-4pgx.
Even if the version update was a major one, the build seems to be passing.