DoS vulnerability in dependency serialize-to-js@1.1.1 #3133

Closed
luddwichr opened this issue Jun 5, 2019 · 1 comment
@luddwichr
🐛 bug report

The dependency serialize-to-js is exposing a DoS vulnerability in version 1.1.1. See this issue for more details.

I stumbled upon this issue indirectly because GitHub sent me a different security alert for safer-eval@1.3.2, which is a transitive dependency of serialize-to-js. However, upgrading safer-eval is not sufficient due to the above referenced vulnerability.

🎛 Configuration (.babelrc, package.json, cli command)

🤔 Expected Behavior

😯 Current Behavior

💁 Possible Solution

Upgrade to serialize-to-js@^3.0.0 if no functionality is lost (the method deserialized was dropped due to the issue in version 2.0.0)

🔦 Context

💻 Code Sample

🌍 Your Environment

Software          Version(s)
Parcel            1.12.3
Node              12.4.0
npm/Yarn          1.16.0
Operating System  (not given)
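The report's point is that the vulnerable serialize-to-js@1.1.1 sits below another package, so a top-level version bump or an alert on safer-eval alone does not tell you whether the bad copy is still in your tree. The script below is an added example, not code from this issue or from the Parcel project: it walks an npm v1-style package-lock.json (nested `dependencies` objects, each with a `version`) and reports every copy of serialize-to-js older than the 3.0.0 the issue recommends, with the dependency path that pulls it in. The lock file contents are constructed for the example; the `some-other-tool` entry is a hypothetical package included to show that an already-upgraded copy is not flagged.

```javascript
// Added example (not from the issue or Parcel): audit an npm v1 lock file for
// transitive copies of a package below a minimum safe version.

const VULNERABLE_PACKAGE = 'serialize-to-js';
const MINIMUM_SAFE_VERSION = '3.0.0'; // threshold taken from the issue's suggested fix

// Parse a plain x.y.z version into numeric parts (pre-release tags are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator; no external semver library needed.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk the nested "dependencies" tree of a lockfileVersion 1 package-lock.json
// and collect every instance of `pkg` whose version is below `minSafe`.
function findVulnerable(lock, pkg = VULNERABLE_PACKAGE, minSafe = MINIMUM_SAFE_VERSION) {
  const findings = [];
  function walk(deps, path) {
    if (!deps) return;
    for (const [name, info] of Object.entries(deps)) {
      const here = [...path, `${name}@${info.version}`];
      if (name === pkg && compareVersions(info.version, minSafe) < 0) {
        findings.push({ version: info.version, path: here.join(' > ') });
      }
      walk(info.dependencies, here); // nested (transitive) dependencies
    }
  }
  walk(lock.dependencies, []);
  return findings;
}

// Constructed sample lock file: Parcel 1.12.3 pulls in serialize-to-js@1.1.1,
// which in turn pulls in safer-eval@1.3.2 (the package the reporter's alert named).
// "some-other-tool" is a hypothetical package that already has the fixed version.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'parcel-bundler': {
      version: '1.12.3',
      dependencies: {
        'serialize-to-js': {
          version: '1.1.1',
          dependencies: { 'safer-eval': { version: '1.3.2' } },
        },
      },
    },
    'some-other-tool': {
      version: '0.1.0',
      dependencies: { 'serialize-to-js': { version: '3.0.0' } },
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const findings = findVulnerable(SAMPLE_LOCK);
  if (findings.length === 0) {
    console.log(`no ${VULNERABLE_PACKAGE} below ${MINIMUM_SAFE_VERSION} found`);
  } else {
    for (const f of findings) {
      console.log(`vulnerable ${VULNERABLE_PACKAGE}@${f.version} via ${f.path}`);
    }
  }
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the reported path is what tells you which direct dependency still needs to be upgraded when `npm audit fix` cannot resolve it on its own.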
@mkeedlinger

For some reason npm audit fix still can't fix this issue. Am I missing something?

Has this been pushed to npm yet?

Thanks!

@parcel-bundler parcel-bundler locked as resolved and limited conversation to collaborators Aug 25, 2019
twome added a commit to twome/parcel that referenced this issue Sep 10, 2019
…e/strip-type-module-attr

* 'master' of github.com:parcel-bundler/parcel:
  fix source maps on coffeescript assets (parcel-bundler#3423)
  Fixes parcel-bundler#3133 by upgrading serialize-to-js from 1.1.1 to 3.0.0  (parcel-bundler#3451)
  Fix up misleading usage information (parcel-bundler#3158)
  bump chokidar to get a reload fix for linux (parcel-bundler#2878)
  Use uppercase for the first letter of the issue template (parcel-bundler#3192)
  Update dotenv-expand to allow overriding of falsy values (parcel-bundler#2971)
  Fixes 3076: HMR update breaks in webworker due to window (and location.reload) not existing in web worker context. (parcel-bundler#3078)
  Scope hoisting destructuring (parcel-bundler#2742)
  Create FUNDING.yml (parcel-bundler#3074)
  Added new info command  (parcel-bundler#3068)
  Fix typo (parcel-bundler#3043)
  Update deps & gitattributes (parcel-bundler#3006)
  Fix assigning to exports from inside a function in scope hoisting (parcel-bundler#2994)
  Define __esModule interop flag when requiring ES module from CommonJS (parcel-bundler#2993)
  Replace module.require in scope hoisting (parcel-bundler#2875)
  Clear scope cache before crawling (parcel-bundler#2986)
  Fix CI (parcel-bundler#2990)
  Shake exports with pure property assignments (parcel-bundler#2979)
  Update postcss.js (parcel-bundler#2922)
  Fail immediately if yarn.lock updates are needed (parcel-bundler#2945)