The article at https://zyan.scripts.mit.edu/blog/backdooring-js/ explains how one can leverage a bug in UglifyJS 2.4.23 and earlier (not sure when it was introduced) to introduce security issues that manifest only in minified code.
Now, anyone that today does `npm install` on a project using the latest `grunt-contrib-uglify` will get the patched 2.4.24 version, but people that already have an older one installed will keep it. It would be good to publish a patch that changes the `uglify-js` version range from `^2.4.19` to `^2.4.24`.