fix: eliminate the serialize-javascript vulnerability warning #5829
Conversation
By switching to a fork of copy-webpack-plugin v5, so that we can circumvent the issue in a non-semver-breaking way. Fixes vuejs#5782
| serialize-javascript "^4.0.0" | ||
| webpack-log "^2.0.0" | ||
|
|
||
| copy-webpack-plugin@^5.0.2: |
There was a problem hiding this comment.
Thanks for the pr.
Do you know why there is a second copy-webpack-plugin here?
There was a problem hiding this comment.
It comes from vuepress, which is used to deploy the documentation.
| @@ -46,7 +46,7 @@ | |||
| "cli-highlight": "^2.1.4", | |||
| "clipboardy": "^2.3.0", | |||
| "cliui": "^6.0.0", | |||
| "copy-webpack-plugin": "^5.1.1", | |||
| "copy-webpack-plugin-v5": "^5.1.2", | |||
There was a problem hiding this comment.
Maybe an idea to make this a fixed version, because of security.
But I don't know.
|
So maybe it would be better to do the Update and Migration? |
Why? |
|
@peteruithoven We can do it in |
|
@evilebottnawi it's hard to update because Vue CLI allows users to tap into the I do plan to update it in the next major, but that would take another 2 to 3 months before being stable. It would certainly be better if a release can be made in the upstream package to address this issue. |
|
@sodatea let's do security release |
|
@evilebottnawi Thanks! |
|
Thanks! :) |
By switching to a fork of copy-webpack-plugin v5, so that we can
circumvent the issue in a non-semver-breaking way.
Fixes #5782
What kind of change does this PR introduce? (check at least one)
Does this PR introduce a breaking change? (check one)
Other information: