Security advisory for serialize-javascript package #11309
terser-webpack-plugin versions ^4, ^3 and ^2 use a sufficiently high version range of serialize-javascript (^4.0.0 and ^3.1.0), so webpack 5 is not affected. For webpack 4 there is a semver-matching terser-webpack-plugin version 1.4.4 that bumps serialize-javascript from "^2.1.2" to "^3.1.0".
Please update deps to latest, fixed, all versions of
Is the dependency on vulnerable version of Latest version of webpack@4, i.e. v4.44.1 depends on Lines 5789 to 5792 in cd4af16
To fix, it needs to be updated to
Question: Is this fix going to be released in
@trivikr update your deps; you need to regenerate the lock file, it is a transitive dep.
For those who are visiting this issue from Dependabot security alerts, here is an example PR where the dependency is updated: aws-samples/aws-sdk-js-tests#47. Dependabot cannot automatically create a pull request to fix this as "one or more other dependencies require a version that is incompatible with this update."
The webpack team is not planning on patching webpack 4 to fix this issue (see webpack/webpack#11309 (comment)). In the meantime, we need to set the right terser-webpack-plugin that doesn't depend on the vulnerable serialize-javascript package.
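Since the vulnerable copy is a transitive dependency, the quickest way to confirm whether a regenerated lock file still pulls it in is to walk the lock file itself. The script below is an added example (not code from this thread or from webpack): it walks an npm v1-style `package-lock.json` tree and reports every installed copy of serialize-javascript, flagging anything below 3.1.0, the version this thread says the fix bumps to. The lock file contents are constructed sample data in the shape of a webpack 4 / terser-webpack-plugin 1.x install.

```javascript
// Added example: audit an npm lockfile (v1 "dependencies" tree) for copies of
// serialize-javascript below the fixed range named in this thread (>= 3.1.0).
// Constructed sample lockfile; replace with JSON.parse(fs.readFileSync("package-lock.json")).
const sampleLock = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    webpack: {
      version: "4.44.1",
      requires: { "terser-webpack-plugin": "^1.4.3" },
      dependencies: {
        "terser-webpack-plugin": {
          version: "1.4.3",
          requires: { "serialize-javascript": "^2.1.2" },
          // nested copy: this is the transitive dependency Dependabot could not bump
          dependencies: { "serialize-javascript": { version: "2.1.2" } }
        }
      }
    },
    "copy-webpack-plugin": { version: "6.0.3", requires: { "serialize-javascript": "^4.0.0" } },
    "serialize-javascript": { version: "4.0.0" }   // hoisted top-level copy, already fixed
  }
};

// Compare dotted numeric versions (major.minor.patch); negative if a < b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every installed copy of `pkg`, with the dependency path
// that pulls it in and whether its version is below `fixedIn`.
function findPackage(lock, pkg, fixedIn, path = []) {
  const out = [];
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const here = [...path, `${name}@${entry.version}`];
    if (name === pkg) {
      out.push({ path: here.join(" > "), version: entry.version,
                 vulnerable: compareVersions(entry.version, fixedIn) < 0 });
    }
    out.push(...findPackage(entry, pkg, fixedIn, here));   // nested dependencies
  }
  return out;
}

const report = findPackage(sampleLock, "serialize-javascript", "3.1.0");
for (const r of report) console.log(r.vulnerable ? "VULNERABLE" : "ok", r.path);
```

Any line printed as VULNERABLE names the chain (here webpack > terser-webpack-plugin) whose range has to be raised before regenerating the lock file.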
Hey folks 👋🏽
A security advisory was raised by npm for the serialize-javascript package. More info here: https://www.npmjs.com/advisories/1548
Looks like this package is brought into our dependency trees by way of terser-webpack-plugin. A fix could be to update and publish to the latest version of terser-webpack-plugin, which doesn't depend on a vulnerable version of serialize-javascript.