
update serialize-javascript to 3.1.0+ to address security vulnerabilities of serialize-javascript < 3.1.0, a sub-dependency of copy-webpack-plugin #5789

Conversation

@zhao-li zhao-li commented Aug 14, 2020

This PR updates serialize-javascript to 3.1.0+ to address security vulnerabilities of serialize-javascript < 3.1.0, a sub-dependency of copy-webpack-plugin.

What kind of change does this PR introduce? (check at least one)

  • Bugfix
  • Feature
  • Code style update
  • Refactor
  • Docs
  • Underlying tools (?dependency?)
  • Other, please describe:

Does this PR introduce a breaking change? (check one)

  • Yes
  • No
  • not sure, this project isn't containerized and I don't want to install yarn and other artifacts on my host

Other information:
I'm hoping your CI will figure out if this is a breaking change or not.

High            Remote Code Execution
Package         serialize-javascript
Patched in      >=3.1.0
Dependency of   @vue/cli-service [dev]
Path            @vue/cli-service > copy-webpack-plugin >
                serialize-javascript
More info       https://npmjs.com/advisories/1548
`-- @vue/cli-service@4.4.6
  +-- copy-webpack-plugin@5.1.1
  | `-- serialize-javascript@2.1.2 
  `-- terser-webpack-plugin@2.3.7
    `-- serialize-javascript@3.1.0 
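
The npm ls tree above shows two resolved copies of serialize-javascript under @vue/cli-service: the one copy-webpack-plugin@5.1.1 nests (2.1.2, below the patched range) and the hoisted 3.1.0 that terser-webpack-plugin uses. As an added example (not code from vue-cli or from this PR), the script below walks a lockfileVersion 1 tree the way Node resolves nested node_modules and reports every path that reaches the package, so you can see which parent still pulls the unpatched version before and after a bump. The package.json and lockfile it reads are constructed to mirror the tree quoted above; the helper names (findCopies, resolveDep, versionLt) and the minimal version comparison are assumptions of the example, not anything from the project.

```javascript
'use strict';
// Added example for this thread, not code from vue-cli or from the PR: walk an
// npm lockfile (lockfileVersion 1, the npm 6 format) the way Node resolves
// nested node_modules and report every path that reaches one package,
// flagging copies below the patched version. Core Node.js only, no semver dep.

const TARGET = 'serialize-javascript';
const PATCHED = '3.1.0'; // "Patched in >=3.1.0" per the advisory quoted in the PR

// Constructed sample inputs (not a real project). They mirror the npm ls tree in
// the PR body: copy-webpack-plugin@5.1.1 requires ^2.1.2, which the hoisted
// 3.1.0 cannot satisfy, so npm nests a private serialize-javascript@2.1.2.
const SAMPLE_PACKAGE_JSON = {
  devDependencies: { '@vue/cli-service': '~4.4.0' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    '@vue/cli-service': {
      version: '4.4.6',
      dev: true,
      requires: { 'copy-webpack-plugin': '^5.1.1', 'terser-webpack-plugin': '^2.3.0' },
    },
    'copy-webpack-plugin': {
      version: '5.1.1',
      dev: true,
      requires: { 'serialize-javascript': '^2.1.2' },
      dependencies: {
        'serialize-javascript': { version: '2.1.2', dev: true },
      },
    },
    'terser-webpack-plugin': {
      version: '2.3.7',
      dev: true,
      requires: { 'serialize-javascript': '^3.1.0' },
    },
    'serialize-javascript': { version: '3.1.0', dev: true },
  },
};

// True when version a sorts before version b. Compares the dotted numeric core
// only; a pre-release suffix is ignored (assumption: fine for x.y.z releases).
function versionLt(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Node's lookup order: the requiring package's own nested node_modules first,
// then each ancestor's, ending at the project root. `scopes` runs root..current.
function resolveDep(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const nested = scopes[i].dependencies || {};
    if (nested[name]) return nested[name];
  }
  return null;
}

// Returns one record per logical path from a direct dependency to `target`.
function findCopies(pkgJson, lock, target = TARGET, patched = PATCHED) {
  const root = { dependencies: lock.dependencies || {} };
  const direct = Object.keys({ ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) });
  const found = [];

  function walk(name, scopes, path) {
    const node = resolveDep(name, scopes);
    if (!node) return;                 // not in the lockfile; npm would report that separately
    if (scopes.includes(node)) return; // dependency cycle already on this path
    const here = [...path, `${name}@${node.version}`];
    if (name === target) {
      found.push({
        path: here.join(' > '),
        version: node.version,
        vulnerable: versionLt(node.version, patched),
      });
      return;
    }
    const deeper = [...scopes, node];
    for (const dep of Object.keys(node.requires || {})) walk(dep, deeper, here);
  }

  for (const name of direct) walk(name, [root], []);
  return found;
}

function main() {
  const copies = findCopies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK);
  for (const c of copies) {
    console.log(`${c.vulnerable ? 'VULNERABLE' : 'ok        '}  ${c.path}`);
  }
  // A CI wrapper would exit nonzero while any copy is still flagged, as npm audit does.
  console.log(`${copies.filter((c) => c.vulnerable).length} unpatched copy/copies of ${TARGET}`);
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Run it with node to see the two paths from the sample; to check a real project, pass the parsed package.json and package-lock.json to findCopies instead of the two constants. Whether a bump of copy-webpack-plugin actually clears the nested 2.1.2 is then visible path by path rather than inferred from npm's one-line summary. The reader handles only lockfileVersion 1, the npm 6 format of the time; lockfile v2 and v3 keep a flat packages map keyed by path and would need a different walker.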

Commit: update serialize-javascript to 3.1.0+ to address security vulnerabilities of serialize-javascript < 3.1.0, a sub-dependency of copy-webpack-plugin
jonathanpmartins commented Aug 19, 2020

any updates on this?

zhao-li (Author) commented Aug 19, 2020

I'm not quite sure what the next steps are...

@sirlancelot (Contributor)

Fixes #5782. Can this get merged in to remove the high severity vulnerability warning when using vue-cli?

@HTGAzureX1212

Still waiting for this dependency update to fix the vulnerability...

@ThBastos

Still waiting for this dependency update to fix the vulnerability...

jsb989 commented Aug 22, 2020

It's taking too much time. I just updated by hand, changing @vue/cli-service/package.json to
copy-webpack-plugin: "^6.0.3" and running `npm i`... twice
(once for each dependency. NPM looks just like a joke, though...)

HTGAzureX1212 commented Aug 23, 2020

Does a dependency update take this much time... I am considering using the same approach as jsb989 now :/

sodatea (Member) commented Aug 24, 2020

It breaks almost all of the CI tests.

We need another way to address this issue. Not blindly updating the dependency version.

yashha commented Aug 24, 2020
