fix: eliminate the serialize-javascript vulnerability warning #5829
Conversation
By switching to a fork of copy-webpack-plugin v5, so that we can circumvent the issue in a non-semver-breaking way. Fixes vuejs#5782
serialize-javascript "^4.0.0" | ||
webpack-log "^2.0.0" | ||
copy-webpack-plugin@^5.0.2: |
Thanks for the pr.
Do you know why there is a second copy-webpack-plugin here?
It comes from vuepress, which is used to deploy the documentation.
@@ -46,7 +46,7 @@ | |||
"cli-highlight": "^2.1.4", | |||
"clipboardy": "^2.3.0", | |||
"cliui": "^6.0.0", | |||
"copy-webpack-plugin": "^5.1.1", | |||
"copy-webpack-plugin-v5": "^5.1.2", |
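Review bot: the new dependency line swaps the upstream package for a third-party fork (`copy-webpack-plugin-v5`) while keeping a caret range, so `^5.1.2` will pull in any later 5.x that fork publishes, not just the release reviewed here. Since the whole point of the change is to control which `serialize-javascript` ends up in the tree, pin the exact version (`"copy-webpack-plugin-v5": "5.1.2"`) and record, in the PR description or a code comment near the build config, who maintains the fork and how it differs from upstream, so the dependency can be switched back once an upstream security release lands.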
Maybe an idea to make this a fixed version, because of security.
But I don't know.
I strongly do not recommend doing it
So maybe it would be better to do the Update and Migration?
Why?
@peteruithoven We can do it in
@evilebottnawi it's hard to update because Vue CLI allows users to tap into the I do plan to update it in the next major, but that would take another 2 to 3 months before being stable. It would certainly be better if a release can be made in the upstream package to address this issue.
@sodatea let's do security release
@evilebottnawi Thanks!
Thanks! :)
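To make the thread's point about the second `copy-webpack-plugin` entry concrete, here is an added example that is not code from this PR, from Vue CLI or from copy-webpack-plugin: a small Node script that parses a yarn.lock, finds every resolution of a named package below a patched floor, and lists which lock entries pull each one in. Swapping the direct dependency for a fork only fixes the resolutions that dependency owns; any other entry that still requests the old range keeps its own copy. The two lockfile texts are constructed for the demonstration (the "after" case is hypothetical, assuming the documentation tooling's range still resolves to the old release), and the floor version `3.1.0` is an assumed parameter that should be taken from the advisory `npm audit` cites.

```javascript
// Added example, not part of the vue-cli PR or of copy-webpack-plugin.
// Parses yarn.lock v1 text, reports every resolution of `pkg` whose version is
// below `floor`, and names the entries whose dependency ranges select it.

const unquote = (s) => s.trim().replace(/^"(.*)"$/, "$1");

// yarn.lock v1 -> [{ specs: ["name@range", ...], version, deps: { name: range } }]
function parseYarnLock(text) {
  const entries = [];
  let cur = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    if (raw.trim() === "" || raw.startsWith("#")) continue;
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (indent === 0) {
      // Header: one or more comma-separated "name@range" keys ending in ":"
      cur = { specs: line.replace(/:$/, "").split(",").map(unquote), version: null, deps: {} };
      entries.push(cur);
      inDeps = false;
    } else if (indent === 2 && cur) {
      inDeps = line === "dependencies:";
      if (line.startsWith("version ")) cur.version = unquote(line.slice("version ".length));
    } else if (indent === 4 && cur && inDeps) {
      // e.g.  serialize-javascript "^4.0.0"   or   "@scope/name" "^1.0.0"
      const m = line.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) cur.deps[m[1]] = m[2];
    }
  }
  return entries;
}

// Numeric dotted-version comparison; prerelease/build tags are ignored on purpose.
function versionLess(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Every resolution of `pkg` below `floor`, with the lock entries that request it.
function findVulnerableResolutions(lockText, pkg, floor) {
  const entries = parseYarnLock(lockText);
  const out = [];
  for (const e of entries) {
    const specs = e.specs.filter((s) => s.startsWith(pkg + "@"));
    if (specs.length === 0 || !e.version || !versionLess(e.version, floor)) continue;
    const ranges = new Set(specs.map((s) => s.slice(pkg.length + 1)));
    const requiredBy = entries
      .filter((p) => p.deps[pkg] !== undefined && ranges.has(p.deps[pkg]))
      .flatMap((p) => p.specs);
    out.push({ version: e.version, specs, requiredBy });
  }
  return out;
}

// Constructed lockfile "before": the plugin range resolves to a release that
// depends on a serialize-javascript below the floor.
const LOCK_BEFORE = `
copy-webpack-plugin@^5.1.1:
  version "5.1.1"
  dependencies:
    serialize-javascript "^2.1.2"
    webpack-log "^2.0.0"

serialize-javascript@^2.1.2:
  version "2.1.2"

webpack-log@^2.0.0:
  version "2.0.0"
`;

// Constructed, hypothetical lockfile "after": the fork pulls ^4.0.0, but a
// second copy-webpack-plugin entry (a docs-tooling range) still holds the old one.
const LOCK_AFTER = `
copy-webpack-plugin-v5@^5.1.2:
  version "5.1.2"
  dependencies:
    serialize-javascript "^4.0.0"
    webpack-log "^2.0.0"

copy-webpack-plugin@^5.0.2:
  version "5.1.1"
  dependencies:
    serialize-javascript "^2.1.2"
    webpack-log "^2.0.0"

serialize-javascript@^2.1.2:
  version "2.1.2"

serialize-javascript@^4.0.0:
  version "4.0.0"

webpack-log@^2.0.0:
  version "2.0.0"
`;

const PATCHED_FLOOR = "3.1.0"; // assumption: take the real floor from the advisory

for (const [label, lock] of [["before", LOCK_BEFORE], ["after", LOCK_AFTER]]) {
  console.log(label, JSON.stringify(findVulnerableResolutions(lock, "serialize-javascript", PATCHED_FLOOR)));
}
```

Run against a real lockfile with `fs.readFileSync("yarn.lock", "utf8")` in place of the constructed strings. A non-empty `requiredBy` list on the "after" side is exactly the situation the reviewer asked about: the direct dependency was swapped, but another entry still requests the old range, so the audit warning survives until that entry is bumped or a `resolutions` override forces the floor.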