Security vuln. in serialize-javascript via rollup-plugin-terser #2505

nomaed · 2019-12-15T07:46:59Z

NPM audit report:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Cross-Site Scripting                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jspm                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jspm > rollup-plugin-terser > serialize-javascript           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1426                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Seems like rollup-plugin-terser already patched in master branch, but I don't believe that a version has been released yet:
TrySound/rollup-plugin-terser#57

The text was updated successfully, but these errors were encountered:

nomaed · 2019-12-15T08:06:01Z

rollup-plugin-terser@5.1.3 was released 3 days ago:
https://www.npmjs.com/package/rollup-plugin-terser

The current rollup-plugin-terser depends on serialize-javascript with a security vulnerability. This has been patched in version rollup-plugin-terser v5.1.3 Resolve jspm#2505

nomaed · 2019-12-28T09:47:52Z

I created a PR in which the version of the plugin is updated: #2507
It is a new major release for the plugin, but it looks like everything builds and tests are passing too, so I hope this is fine.

While doing that, I noticed that typescript wouldn't build the package due to 3 (small) errors, none of them are of any functional significance.

I also noticed that the entire lib directory is in .gitignore but is also committed to the repository, so while these files are generated on every build, git shows a lot of noise because it sees these are modified files. I created a new PR that removes these files from the repo, and adds tsc build before running mocka for tests, because tests rely on built artifact. IMO it will also make sure that when running automated tests in travis, it will ensure that the sources are built properly. See #2508

I don't know if this has any other affects, I assume that perhaps a pre-publish is also needed for npm now.

nomaed mentioned this issue Dec 27, 2019

Upgrade rollup-plugin-terser to fix vulnerability #2507

Closed

guybedford closed this as completed Apr 8, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security vuln. in serialize-javascript via rollup-plugin-terser #2505

Security vuln. in serialize-javascript via rollup-plugin-terser #2505

nomaed commented Dec 15, 2019

nomaed commented Dec 15, 2019

nomaed commented Dec 28, 2019

Security vuln. in serialize-javascript via rollup-plugin-terser #2505

Security vuln. in serialize-javascript via rollup-plugin-terser #2505

Comments

nomaed commented Dec 15, 2019

nomaed commented Dec 15, 2019

nomaed commented Dec 28, 2019