Security advisory for serialize-javascript package #11309
Comments
|
terser-webpack-plugin version ^4, ^3 and ^2 use a sufficiently high version range of serialize-javascript (^4.0.0 and ^3.1.0). So webpack 5 is not affected. For webpack 4 there is a semver-matching terser-webpack-plugin version 1.4.4 that bumps serialize-javascript from "^2.1.2" to "^3.1.0". |
|
Please update deps to latest, fixed, all versions of |
|
Is the dependency on vulnerable version of Latest version of webpack@4, i.e. v4.44.1 depends on Lines 5789 to 5792 in cd4af16 To fix, it needs to be updated to |
|
Question: Is this fix going to be released in |
|
@trivikr update your deps, you need regenerate lock file, it is transitive dep |
|
For those who're visiting this issue from Dependabot security alerts, here is an example PR where dependency is updated aws-samples/aws-sdk-js-tests#47 Dependabot cannot automatically create a pull request to fix this as "one or more other dependencies require a version that is incompatible with this update." |
Webpack team is not planning on patching webpack 4 to fix this issue (see webpack/webpack#11309 (comment)). For the mean time, we need to set the right terser-webpack-plugin that doesn't depend on the vulnerable serialize-javascript package.
Hey folks 馃憢馃徑
A security advisory was raised by npm for this serialize-javascript package. More info here: https://www.npmjs.com/advisories/1548
Looks like this package is brought in to our dependency trees by way of terser-webpack-plugin. A fix could be to update and publish to the latest version of terser-webpack-plugin which doesn't depend on a vulnerable version of serialize-javascript.
The text was updated successfully, but these errors were encountered: