Update rollup-plugin-terser to the latest version 🚀

[greenkeeper]

---

🚨 Reminder! Less than one month left to migrate your repositories over to Snyk before Greenkeeper says goodbye on June 3rd! 💜 🚚💨 💚

Find out how to migrate to Snyk at greenkeeper.io

---

The dependency rollup-plugin-terser was updated from 5.3.0 to 6.0.0.

This version is not covered by your current version range.

If you don’t accept this pull request, your project will work just like it did before. However, you might be missing out on a bunch of new features, fixes and/or performance improvements from the dependency update.

---

Publisher: trysound
License: MIT

Find out more about this release.

---

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

---

Your Greenkeeper bot 🌴

[dclark27]

We've gotta get this upgraded -- there is now a high vulnerability on 5.3.0.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Remote Code Execution                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ tsdx [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ tsdx > rollup-plugin-terser > serialize-javascript           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1548                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

[agilgur5]

@dclark27 thanks for the note. 6.0 is a breaking change and fails tests here. It also requires both Node 10+ (planned for v0.14.0) and Rollup v2 (not yet planned, that requires updating a lot of Rollup plugins, which wasn't possible a few months ago). That advisory is from today so I would not expect an immediate response on that.

If you need to update immediately, you could probably override the version in tsdx.config.js, but I'm not sure how that'll interact with everything else... the Rollup version is the big blocker

[dclark27]

@agilgur5 Sounds good! I'll take a look in the morning and see if there is any way to get something out in the meantime.

[agilgur5]

FYI from developit/microbundle#695 (comment):

[serialize-javascript is] only used for Terser's <script> option, which isn't in use here.

Still looking to upgrade Rollup et al to v2 soon, but it'll make v0.14.0 a good bit more breaking, so may hold off on it till v0.15.0

[Yurickh]

FYI, rollup-plugin-terser has released a patch with version 5.3.1 that updates serialize-javascript, which hopefully fixes the vulnerability and doesn't require a breaking change. :)~

edit: in fact, since 5.3.1 is covered by the current version range, consumers can get rid of the warning themselves 🎉

[agilgur5]

Nice catch @Yurickh, so no need for TSDX to do anything then as this has been resolved upstream and we only pin the major version.

If you want to get rid of this warning (TSDX isn't susceptible to the vulnerability per my previous comment), then update your yarn.lock to set rollup-plugin-terser to 5.3.1 and just re-run yarn. Equivalent for NPM is edit package-lock.json and run `npm install

[Yurickh]

You can also avoid the lock hash conflicts by removing and re-adding tsdx (effectively reinstalling), as this will get you the most up-to-date version matching the version range of its dependencies.

[agilgur5]

Superseded by #889