
Latest release (5.1.1) is using a dependency which has an older version of a dependency with a known issue #2693

Closed
hasanen opened this issue Aug 12, 2020 · 11 comments

Comments

@hasanen

hasanen commented Aug 12, 2020

Latest release (5.1.1) is using the 3.x branch of compression-webpack-plugin, which is using the 2.x branch of serialize-javascript. And now yarn audit gives a notice about it.

In the master branch compression-webpack-plugin is updated to 4.x, which on the other hand is using 3.x of serialize-javascript and thus has a non-vulnerable version.

Could you make a new release? Or is there a way where I/we could get that 2.x of serialize-javascript updated?

@jipiboily

jipiboily commented Aug 12, 2020

The master branch seems to be for 6.0.0, which I assume is not ready.

Wondering if we can easily backport the dependency update from #2609 to 5.1.X (or 5.2.0).

The npm advisory related to this is: https://www.npmjs.com/advisories/1548

@akoskm

akoskm commented Aug 13, 2020

4.2.2 has the same problem.

@gauravtiwari
Member

Thanks for pointing this out. I will check if I can create a 5.0 stable branch and selectively merge in changes. Reg: 4.2 you can make a PR against this branch to update deps: https://github.com/rails/webpacker/tree/4-x-stable

@gauravtiwari
Member

gauravtiwari commented Aug 16, 2020

Just released 5.2.0. Please see the 5-x-stable branch.

@hasanen
Author

hasanen commented Aug 17, 2020

Thank you @gauravtiwari for the quick action <3

@vitobotta

Hi, I am using 5.2.1 and I still get the warning about serialize-javascript. I followed the instructions as per https://github.com/rails/webpacker to upgrade. What else can I do? Thanks!

@hasanen
Author

hasanen commented Aug 19, 2020

@vitobotta have you checked that there are no other dependencies that are requiring the old version?

@jaredbeck
Contributor

> @vitobotta have you checked that there are no other dependencies that are requiring the old version?

@vitobotta Try yarn why or npm ls

@npearson72

@gauravtiwari

> Just released 5.2.0. Please see the 5-x-stable branch.

I don't think this issue is resolved.

I just upgraded to 5.2.1 and am seeing that it depends on terser-webpack-plugin@^1.4.3, which does not resolve the serialize-javascript issue.

They did however resolve it in: https://github.com/webpack-contrib/terser-webpack-plugin/releases/tag/v1.4.5

Webpacker needs to upgrade to this version.

@jaredbeck
Contributor

> I just upgraded to 5.2.1 and am seeing that it depends on terser-webpack-plugin@^1.4.3, which does not resolve the serialize-javascript issue.

Just to clarify, the constraint terser-webpack-plugin@^1.4.3 allows you to install 1.4.5. So, you are allowed to fix the vulnerability. Webpacker is not preventing you from fixing the vulnerability. Of course, it's also not requiring you to fix it. I'm just clarifying, not making any recommendations to anyone. 😄
