CVE-2020-7660 #19816
Comments
Any way I can help with that?
Next.js doesn't use the terser plugin included in webpack itself, we run a custom one so this does not affect Next.js in any way. You'll probably want to update terser-webpack-plugin in webpack 4.
But correct me if I am wrong @timneutkens but the dependency graph indicated it comes from webpack which is used by Next?
It's not instantiated by webpack if you configure your own minifier, which we do.
But any idea why yarn audit is assuming that? I run: yarn audit --level high. It gives me this path:
/edit: Maybe the ticket should be upgraded to a later webpack version? :)
Or let me ask this way round: how could I patch this. I just upgrade webpack in my project?
Looks like you're only seeing the message because your lockfile is outdated. Just checked and:
Shows:
You'll probably want to run Closing as this was resolved already in webpack-contrib/terser-webpack-plugin#257 Do note, like I said before, that Next.js is not vulnerable for this CVE either way.
ok will try. Thanks @timneutkens. /Update: Solved it for me ❤️
This issue has been automatically locked due to no recent activity. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you.
Bug report
Seems next.js 10.0.3 is vulnerable to CVE-2020-7660:
next@10.0.3 requires serialize-javascript@^2.1.2 via a transitive dependency on terser-webpack-plugin@1.4.3
Describe the bug
GitHub Dependabot reports: next@10.0.3 requires serialize-javascript@^2.1.2 via a transitive dependency on terser-webpack-plugin@1.4.3
To Reproduce
This is my package.json:
Running yarn audit:
gives me:
next > webpack > terser-webpack-plugin > serialize-javascript
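The path `yarn audit` prints is derived from the entries pinned in `yarn.lock`, not from the ranges in `package.json`: the audit reports whatever version the lockfile resolves `serialize-javascript@^2.1.2` to, which is why an outdated lockfile keeps producing the finding until the transitive dependency is re-resolved. The following script is an added example, not code from this issue thread or from Next.js; it parses a v1 `yarn.lock` and walks from a top-level package to the flagged one to reproduce such a path. The sample lockfile is constructed: the `next`, `terser-webpack-plugin` and `serialize-javascript` versions are the ones named in this issue, while the webpack version/range and the `resolved` URL are placeholders.

```python
"""Reproduce a `yarn audit` dependency path from a yarn.lock (v1 format).

Added example, not code from the issue thread or from Next.js. It parses the
lockfile's resolved entries and walks dependencies from a top-level package to
the flagged one, which is where a path such as
`next > webpack > terser-webpack-plugin > serialize-javascript` comes from.
"""
import re
from collections import deque

# Constructed sample lockfile. next, terser-webpack-plugin and
# serialize-javascript carry the versions named in the issue; the webpack
# version/range "x.y.z" and the resolved URL are placeholders.
SAMPLE_YARN_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


next@10.0.3:
  version "10.0.3"
  resolved "https://registry.example/next/-/next-10.0.3.tgz"
  dependencies:
    webpack "x.y.z"

webpack@x.y.z:
  version "x.y.z"
  dependencies:
    terser-webpack-plugin "^1.4.3"

terser-webpack-plugin@^1.4.3:
  version "1.4.3"
  dependencies:
    serialize-javascript "^2.1.2"

serialize-javascript@^2.1.2:
  version "2.1.2"
"""

# Entry header: `name@range` or `"@scope/name@range"`, several joined by ", ".
ENTRY_KEY_RE = re.compile(r'^"?(?P<name>@?[^@\s"]+)@(?P<range>[^"]+)"?$')
# Dependency line under `dependencies:`: `name "range"` (name may be quoted).
DEP_LINE_RE = re.compile(r'^"?(?P<name>[^"\s]+)"?\s+"(?P<range>[^"]*)"$')


def parse_yarn_lock(text):
    """Map each (name, requested-range) key to its resolved version and dependencies."""
    entries = {}
    current = None
    in_deps = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0 and stripped.endswith(":"):
            # One resolved entry may satisfy several requested ranges.
            current = {"version": None, "deps": {}}
            for part in stripped[:-1].split(", "):
                m = ENTRY_KEY_RE.match(part.strip())
                if m is None:
                    raise ValueError(f"unrecognised lockfile key: {part!r}")
                entries[(m["name"], m["range"])] = current
            in_deps = False
        elif indent == 2 and current is not None:
            if stripped.startswith("version "):
                current["version"] = stripped.split(" ", 1)[1].strip('"')
            # `resolved`/`integrity` are skipped; only `dependencies:` opens a block.
            in_deps = stripped == "dependencies:"
        elif indent == 4 and in_deps:
            m = DEP_LINE_RE.match(stripped)
            if m is None:
                raise ValueError(f"unrecognised dependency line: {stripped!r}")
            current["deps"][m["name"]] = m["range"]
    return entries


def find_path(entries, root_name, root_range, target_name):
    """Breadth-first walk from one top-level entry to the first entry named target_name.

    Returns the package names along the way, in the order yarn audit prints them,
    or None when the target is not reachable from that root.
    """
    start = (root_name, root_range)
    queue = deque([(start, [root_name])])
    seen = {start}
    while queue:
        key, path = queue.popleft()
        if key[0] == target_name:
            return path
        for dep_name, dep_range in entries.get(key, {"deps": {}})["deps"].items():
            nxt = (dep_name, dep_range)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [dep_name]))
    return None


def resolved_versions(entries, name):
    """Every version the lockfile actually pins for `name` (a range may map to several)."""
    return sorted({e["version"] for (n, _), e in entries.items() if n == name})


if __name__ == "__main__":
    lock = parse_yarn_lock(SAMPLE_YARN_LOCK)
    path = find_path(lock, "next", "10.0.3", "serialize-javascript")
    print(" > ".join(path))
    print("pinned serialize-javascript:", resolved_versions(lock, "serialize-javascript"))
```

Run against a real `yarn.lock` by reading the file instead of `SAMPLE_YARN_LOCK`; comparing `resolved_versions` before and after a lockfile upgrade shows whether the finding disappeared because the pinned version changed, rather than because the audit tool changed its mind.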