
CVE-2020-7660 #19816

Closed
Alien2150 opened this issue Dec 4, 2020 · 9 comments
Labels
bug Issue was opened via the bug report template.

Comments

@Alien2150

Bug report

Seems next.js 10.0.3 is vulnerable to CVE-2020-7660:

next@10.0.3 requires serialize-javascript@^2.1.2 via a transitive dependency on terser-webpack-plugin@1.4.3

Describe the bug

GitHub Dependabot reports: next@10.0.3 requires serialize-javascript@^2.1.2 via a transitive dependency on terser-webpack-plugin@1.4.3

To Reproduce

This is my package.json:

{
  "name": "foobar",
  "version": "0.1.0",
  "private": true,
  "scripts": {
    "dev": "next dev",
    "build": "next build",
    "start": "next start" 
  },
  "dependencies": {
    "@bem-react/classname": "^1.5.6",
    "@bem-react/classnames": "^1.3.7",
    "@zeit/next-css": "^1.0.1",
    "antd": "3.26.20",
    "axios": "^0.19.0",
    "dotenv": "^8.2.0",
    "js-cookie": "^2.2.1",
    "next": "^10.0.3",
    "next-cookies": "^1.1.3",
    "react": "16.10.2",
    "react-dom": "16.10.2"
  },
  "devDependencies": {
    "@types/next": "^8.0.6",
    "@types/node": "12.11.1",
    "@types/react": "16.9.9",
    "babel-plugin-module-resolver": "^3.2.0",
    "typescript": "3.8"
  }
}

Running yarn audit:

 yarn audit --level high

gives me:

next > webpack > terser-webpack-plugin > serialize-javascript

Expected behavior

A clear and concise description of what you expected to happen.

Screenshots

If applicable, add screenshots to help explain your problem.

System information

  • OS: macOS 10.15
  • Browser (if applies)
  • Version of Next.js: 10.0.3
  • Version of Node.js: v10.22.1
  • Deployment:

Additional context

Add any other context about the problem here.

@Alien2150 Alien2150 added the bug Issue was opened via the bug report template. label Dec 4, 2020
@Alien2150
Author

Any way I can help with that?

@timneutkens
Member

Next.js doesn't use the terser plugin included in webpack itself, we run a custom one so this does not affect Next.js in any way. You'll probably want to update terser-webpack-plugin in webpack 4.

@Alien2150
Author

But correct me if I am wrong @timneutkens, but the dependency graph indicated it comes from webpack, which is used by Next?

@timneutkens
Member

It's not instantiated by webpack if you configure your own minifier, which we do.

@Alien2150
Author

Alien2150 commented Jan 6, 2021

But any idea why yarn audit is assuming that? I run: yarn audit --level high. It gives me this path:

next > webpack > terser-webpack-plugin > serialize-javascript

/edit: Maybe the ticket should be upgraded to a later webpack version? :)

@Alien2150
Author

Or let me ask this way round: how could I patch this? I just upgrade webpack in my project?

@timneutkens
Member

timneutkens commented Jan 6, 2021

Looks like you're only seeing the message because your lockfile is outdated. Just checked and:

yarn create next-app test
cd test
yarn audit --level high

Shows:

0 vulnerabilities found - Packages audited: 588

You'll probably want to run yarn upgrade.

Closing as this was resolved already in webpack-contrib/terser-webpack-plugin#257

Do note like I said before that Next.js is not vulnerable for this CVE either way.
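As an added illustration (not code from this thread or from the Next.js project): yarn audit reports the path from the resolved versions recorded in yarn.lock, so an outdated lockfile keeps pinning serialize-javascript 2.1.2 even though a fixed release exists. The script below reads a constructed yarn.lock v1 fragment and flags resolved versions below 3.1.0, the release that fixed CVE-2020-7660; the sample lockfile and the FIXED table are assumptions for this example.

```javascript
// Added example: scan yarn.lock v1 text for resolved package versions below a
// known-fixed version. Sample lockfile content is constructed for illustration.
const FIXED = { "serialize-javascript": "3.1.0" }; // CVE-2020-7660 fixed in 3.1.0

function parseSemver(v) {
  return v.split("-")[0].split(".").map(Number); // drop any prerelease suffix
}

function lessThan(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  }
  return false;
}

// Minimal yarn.lock v1 parser: returns [{ name, range, version }] per key.
function parseYarnLock(text) {
  const entries = [];
  let current = [];
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ") && raw.endsWith(":")) {
      // Entry header: one or more "name@range" keys, optionally quoted, comma-separated
      current = raw.slice(0, -1).split(",").map((k) => {
        const key = k.trim().replace(/^"|"$/g, "");
        const at = key.lastIndexOf("@"); // lastIndexOf keeps scoped names intact
        return { name: key.slice(0, at), range: key.slice(at + 1), version: null };
      });
      entries.push(...current);
    } else {
      const m = raw.match(/^  version "([^"]+)"/);
      if (m) current.forEach((e) => (e.version = m[1]));
    }
  }
  return entries;
}

// Entries whose resolved version is below the fixed version for that package.
function findOutdated(lockText, fixed = FIXED) {
  return parseYarnLock(lockText).filter(
    (e) => fixed[e.name] && e.version && lessThan(e.version, fixed[e.name])
  );
}

const SAMPLE_LOCK = `# yarn lockfile v1
"terser-webpack-plugin@^1.4.3":
  version "1.4.3"
  dependencies:
    serialize-javascript "^2.1.2"
serialize-javascript@^2.1.2:
  version "2.1.2"
serialize-javascript@^4.0.0:
  version "4.0.0"
`;
console.log(findOutdated(SAMPLE_LOCK)); // flags only the 2.1.2 entry
```

Running it against a real project's yarn.lock before and after yarn upgrade shows the stale 2.x resolution disappearing, which is the same change that makes the audit finding go away.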

@Alien2150
Author

Alien2150 commented Jan 6, 2021

OK, will try. Thanks @timneutkens.

/Update: Solved it for me ❤️

@balazsorban44
Member

This issue has been automatically locked due to no recent activity. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you.

@vercel vercel locked as resolved and limited conversation to collaborators Jan 28, 2022