Vulnerability in parcel-bundler dependency "serialize-to-js" #3454

Closed
mkaraula opened this issue Aug 22, 2019 · 4 comments
@mkaraula (Contributor)
🐛 bug report

Since today, npm audit reports a high vulnerability for my project which uses parcel-bundler. The vulnerability is coming from serialize-to-js, which is a dependency of parcel-bundler. serialize-to-js would need a major version update.

npm audit             6.9s  Do 22 Aug 10:02:42 2019

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-to-js                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ parcel-bundler [dev]                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ parcel-bundler > serialize-to-js                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/790                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 887920 scanned packages
Software Version(s):
- Parcel: 1.12.3
- Node: v10.16.0
- npm/Yarn: 6.9.0
- Operating System: -
@jonsth131

Already reported in #3133 and fixed in PR #3451

@mischnic (Member)

Duplicate of #3133

@mischnic mischnic marked this as a duplicate of #3133 Aug 22, 2019
mkeedlinger commented Aug 22, 2019

@mischnic Any chance that this PR (#3451) gets pulled in soon? NPM telling me I have a vulnerability is driving me crazy!

It's a very simple PR (about 15 lines total?), should be super easy.

Thanks!

DeMoorJasper (Member) commented Aug 25, 2019

@mkeedlinger the vulnerability was never a valid vulnerability and the PR is merged into master. There will be no update to parcel as it's not a vulnerability and never was as mentioned in the PR. It's the npm security team making a mistake.

@parcel-bundler parcel-bundler locked as resolved and limited conversation to collaborators Aug 25, 2019