Security issue with serialize-javascript dependency
jrmhaig opened this issue · 1 comment
jrmhaig commented
Bug report
In our project we have started seeing a medium-level security issue with serialize-javascript version 6.0.1 that is fixed in the latest version, 6.0.2. This package is a dependency of terser-webpack-plugin and it is pinned to the old version.

For reference:
- Issue explaining the vulnerability: yahoo/serialize-javascript#172
- Fix: yahoo/serialize-javascript#173
Actual Behavior

serialize-javascript version 6.0.1 is installed as a dependency.

Expected Behavior

serialize-javascript version 6.0.2 or later is installed as a dependency.
How Do We Reproduce?

From yarn.lock:

```
serialize-javascript@^6.0.1:
  version "6.0.1"
  resolved "https://registry.yarnpkg.com/serialize-javascript/-/serialize-javascript-6.0.1.tgz#b206efb27c3da0b0ab6b52f48d170b7996458e5c"
  integrity sha512-owoXEFjWRllis8/M1Q+Cw5k8ZH40e3zhp/ovX+Xr/vi1qj6QesbyXXViFbpNvWvPNAD62SutwEXavefrLJWj7w==
  dependencies:
    randombytes "^2.1.0"
...
terser-webpack-plugin@^5.3.10, terser-webpack-plugin@^5.3.7:
  version "5.3.10"
  resolved "https://registry.yarnpkg.com/terser-webpack-plugin/-/terser-webpack-plugin-5.3.10.tgz#904f4c9193c6fd2a03f693a2150c62a92f40d199"
  integrity sha512-BKFPWlPDndPs+NGGCr1U59t0XScL5317Y0UReNrHaw9/FwhPENlq6bfgs+4yPfyP51vqC1bQ4rp1EfXW5ZSH9w==
  dependencies:
    "@jridgewell/trace-mapping" "^0.3.20"
    jest-worker "^27.4.5"
    schema-utils "^3.1.1"
    serialize-javascript "^6.0.1"
    terser "^5.26.0"
```
Please paste the results of `npx webpack-cli info` here, and mention other relevant information

```
  System:
    OS: macOS 13.2
    CPU: (10) arm64 Apple M1 Pro
    Memory: 336.89 MB / 16.00 GB
  Binaries:
    Node: 21.5.0 - /opt/homebrew/bin/node
    Yarn: 1.22.19 - /opt/homebrew/bin/yarn
    npm: 10.2.4 - /opt/homebrew/bin/npm
  Browsers:
    Chrome: 120.0.6099.234
    Safari: 16.3
  Packages:
    babel-loader: ^9.1.3 => 9.1.3
    css-loader: ^6.9.1 => 6.9.1
    expose-loader: ^5.0.0 => 5.0.0
    file-loader: ^6.2.0 => 6.2.0
    sass-loader: ^14.0.0 => 14.0.0
    style-loader: ^3.3.4 => 3.3.4
    terser-webpack-plugin: ^5.3.10 => 5.3.10
    url-loader: ^4.1.1 => 4.1.1
    webpack: ^5.89.0 => 5.89.0
    webpack-cli: ^5.1.4 => 5.1.4
    webpack-remove-empty-scripts: ^1.0.4 => 1.0.4
```
alexander-akait commented
Please update your deps locally; we use `^` (https://github.com/webpack-contrib/terser-webpack-plugin/blob/master/package.json#L65) to allow developers to do it without unnecessary releases.