Arbitrary Code Injection In "serialize-javascript" For "vue-server-renderer" #11427

dargmuesli · 2020-06-02T01:16:24Z

2.6.11

n/a

Remediation
Upgrade serialize-javascript to version 3.1.0 or higher.

n/a

posva · 2020-06-02T06:16:44Z

Thanks but this Is a dev dependency

dargmuesli · 2020-06-03T13:20:06Z

It's listed under dependencies though:

Line 28 in fb589e6

"serialize-javascript": "^2.1.2",

🤔

dargmuesli · 2020-06-03T13:21:29Z

I'm not talking about vue, I'm talking about vue-server-renderer^^

posva · 2020-06-03T13:34:27Z

I see, thanks, now it makes more sense. I opened #11434
It wasn't clear from such a short robotic issue with so many n/a 😄

dargmuesli · 2020-06-03T13:39:37Z

I thought the title was large enough, sorry 😄

posva closed this as completed Jun 2, 2020

posva mentioned this issue Jun 3, 2020

chore: upgrade serialize-javascript #11434

Merged

13 tasks

posva mentioned this issue Aug 11, 2020

vue-server-renderer security advisory #11588

Closed

Provide feedback