Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Chore/Replace uglify with terser #44

Merged
merged 2 commits into from
Nov 2, 2020
Merged

Chore/Replace uglify with terser #44

merged 2 commits into from
Nov 2, 2020

Conversation

iusztin
Copy link
Member

@iusztin iusztin commented Oct 26, 2020
edited

@hiroara @NEWROPE/dev

I tried to deal upgrade serialize-javascript: GHSA-hxcc-f52p-wc94 and kind-of: GHSA-6c8f-qphg-qjgp
Unfortunately, those depend on rollup-plugin-uglify, which is almost not maintained: TrySound/rollup-plugin-uglify#87
The author recommends using rollup-plugin-terser instead: TrySound/rollup-plugin-uglify#69

-> I replaced rollup-plugin-uglify with rollup-plugin-terser in this PR.

Unfortunately kind-of is still blocked because of chokidar-cli: https://github.com/kimmobrunfeldt/chokidar-cli - but this package is not maintained well, and also only used for local development -> I decided not to pursue the kind-of upgrade further.

Please review.

@iusztin iusztin requested a review from hiroara October 26, 2020 09:31
@iusztin iusztin marked this pull request as ready for review November 2, 2020 02:12
@hiroara
Copy link
Member

hiroara commented Nov 2, 2020

Unfortunately kind-of is still blocked because of chokidar-cli: https://github.com/kimmobrunfeldt/chokidar-cli - but this package is not maintained well, and also only used for local development -> I decided not to pursue the kind-of upgrade further.

I think it's not blocked because we can just avoid only the affected versions: >= 6.0.0, < 6.0.3
Can you try to remove the entry of kind-of@^6.0.0, kind-of@^6.0.2 in yarn.lock and execute yarn install? In our yarn.lock, only that entry is affected.

@iusztin
Copy link
Member Author

iusztin commented Nov 2, 2020

@NEWROPE/dev

Ah, there is a lower bound! I overlooked that!
I pushed changes. Please take a look again.

hiroara
hiroara approved these changes Nov 2, 2020
View reviewed changes
Copy link
Member

@hiroara hiroara left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thank you for dealing with this security fix :)

@hiroara hiroara merged commit c20bfbb into NEWROPE:master Nov 2, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hiroara hiroara hiroara approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@iusztin @hiroara