found 1 high severity vulnerability #96

Closed
MiniMarvin opened this issue Aug 22, 2020 · 3 comments
@MiniMarvin

Summary

High | Remote Code Execution
Package | serialize-javascript
Patched in | >=3.1.0
Dependency of | next-pwa
Path | next-pwa > workbox-webpack-plugin > workbox-build > rollup-plugin-terser > serialize-javascript
More info | https://npmjs.com/advisories/1548

How To Reproduce

Steps to reproduce the behavior:

npm install --save next-pwa
npm audit

Link to minimal reproduce setup repository if any.

Expected Behaviors

The lib should be updated so that it does not have this critical vulnerability.

@MiniMarvin added the bug label on Aug 22, 2020
@shadowwalker
Owner

Thanks for raising this issue.

yarn audit v1.22.4
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Remote Code Execution                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ workbox-webpack-plugin                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ workbox-webpack-plugin > workbox-build >                     │
│               │ rollup-plugin-terser > serialize-javascript                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1548                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 593
Severity: 1 High

This is used at build time, which should make it a lower-risk vulnerability. I'd prefer to raise this issue in the workbox project, as I'm not sure whether updating it here would break some scenarios.
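
Added example, not part of the thread or of next-pwa: one way to check where copies of serialize-javascript older than the patched 3.1.0 are installed, by walking an npm v6-style package-lock.json tree. The sample lockfile and its version numbers are constructed, and the reported path is the install (nesting) path, which can differ from the logical path that the audit prints.

```javascript
// Added example: locate installed copies of a package that are older than
// the patched version, in an npm v6-style lock tree (nested "dependencies").

// Compare plain x.y.z versions; returns <0, 0 or >0.
// Assumption: pre-release suffixes ("-beta.1") are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every copy of `name` with a version below `patched`.
function findVulnerable(lock, name, patched, trail = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(lock.dependencies || {})) {
    const path = [...trail, dep];
    if (dep === name && compareVersions(info.version, patched) < 0) {
      // `dev: true` in the lockfile marks a development-only dependency.
      hits.push({ path: path.join(' > '), version: info.version, dev: Boolean(info.dev) });
    }
    hits.push(...findVulnerable(info, name, patched, path));
  }
  return hits;
}

// Constructed sample lockfile; versions are illustrative, not from the issue.
const sampleLock = {
  dependencies: {
    'rollup-plugin-terser': {
      version: '1.0.0',
      dev: true,
      dependencies: {
        'serialize-javascript': { version: '2.0.0', dev: true },
      },
    },
    'serialize-javascript': { version: '3.1.0' },
  },
};

const findings = findVulnerable(sampleLock, 'serialize-javascript', '3.1.0');
for (const f of findings) {
  console.log(`${f.path} @ ${f.version}${f.dev ? ' (dev)' : ''}`);
}
```
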

@Yonom

Yonom commented Sep 4, 2020

Just opened an issue here:

GoogleChrome/workbox#2626

@shadowwalker
Owner

Resolved
