[Bug]: Snyk vulnerability SNYK-JS-INFLIGHT-6095116 #80

Closed
mick-feller opened this issue Feb 14, 2024 · 6 comments
Labels: bug (Something isn't working), triage (New issues get this label, remove it after triage)

Comments

@mick-feller

Provide environment information

"@serwist/next": "^9.0.0-preview.6",
"@serwist/precaching": "^9.0.0-preview.6",
"@serwist/sw": "^9.0.0-preview.6",

Which project is this issue for?

@serwist/next

Link to reproduction - Issues with a link to complete (but minimal) reproduction code help us address them faster

To reproduce

simply install the above packages

Describe the bug

It's not so much a bug per se, but there is a security vulnerability in inflight that gets included in your package through the clean-webpack-plugin that I saw was being used in @serwist/next here:
https://github.com/serwist/serwist/blob/main/packages/next/src/index.ts#L6
and here:
https://github.com/serwist/serwist/blob/main/packages/next/src/index.ts#L147

Is there any chance we can get rid of clean-webpack-plugin and use clean: true in the output, as stated in the webpack docs, like so:
https://webpack.js.org/guides/output-management/#cleaning-up-the-dist-folder

I know it might not be a big deal, but it would clean up some Snyk reports.

Here is a link to the Snyk finding:
https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116

Expected behavior

Nothing is really broken, just trying to do some cleanup

Screenshots (if relevant)

[screenshot]

Additional information (if relevant)

No response

@DuCanhGH (Member)


Hmm, clean: true isn't an option because that will probably wipe out the whole public folder should swDest point to a file in the public folder, e.g. "public/sw.js".

Will consider forking this plugin! It hasn't been maintained for so long.

@mick-feller (Author) commented Feb 14, 2024

Yeah, that plugin is abandoned due to that clean: true piece in webpack, hence me asking.

@mick-feller (Author)

@DuCanhGH so I was thinking about this a little bit last night, and why don't you clean those files outside of webpack? You could maybe get rid of the webpack plugin altogether and use either del or rimraf and run a delete right here:

https://github.com/serwist/serwist/blob/main/packages/next/src/index.ts#L18

and not rely on webpack for that at all. Just a thought?

@DuCanhGH (Member) commented Feb 15, 2024

@mick-feller good idea! That seems to make for a better choice. We will probably use the native fs.rm though.

@DuCanhGH (Member)

Removed in 9.0.0-preview.10 :)

@mick-feller (Author)

Thanks a lot! That cleared it up, I appreciate you!
