Latest release (5.1.1) is using dependency, which has older version of dependency with known issue #2693
Latest release (5.1.1) is using 3.x branch of `compression-webpack-plugin`, which is using 2.x branch of `serialize-javascript`. And now `yarn audit` gives a notice about it. In `master` branch `compression-webpack-plugin` is updated to 4.x, which on the other hand is using 3.x of `serialize-javascript` and thus has a non-vulnerable version. Could you make a new release? Or is there a way where I/we could get that 2.x of `serialize-javascript` updated?

Comments

The master branch seems to be for 6.0.0, which I assume is not ready. Wondering if we can easily backport the dependency update from #2609 to 5.1.X (or 5.2.0). The npm advisory related to this is: https://www.npmjs.com/advisories/1548

4.2.2 has the same problem.

Thanks for pointing out. I will check if I can create a 5.0 stable branch and selectively merge in changes. Reg: 4.2 you can make a PR against this branch to update deps: https://github.com/rails/webpacker/tree/4-x-stable

The security advisory: The relevant upstream issues and commits:

Just realised 5.2.0. Please see 5-x-stable branch

Thank you @gauravtiwari for the quick action <3

Hi, I am using 5.2.1 and I still get the warning about serialize-javascript. I followed the instructions as per https://github.com/rails/webpacker to upgrade. What else can I do? Thanks!

@vitobotta have you checked that there are no other dependencies that are requiring the old version?

@vitobotta Try

I don't think this issue is resolved. I just upgraded to 5.2.1 and am seeing that it depends on They did however resolve it in: https://github.com/webpack-contrib/terser-webpack-plugin/releases/tag/v1.4.5 Webpacker needs to upgrade to this version.

Just to clarify, the constraint