Terser vulnerability (upgrade needed) #502

Closed
ghbakhtiari opened this issue Jul 20, 2022 · 3 comments · Fixed by #504
Comments

ghbakhtiari commented Jul 20, 2022

Bug report

There is a vulnerability regarding terser versions >= 5.0.0, < 5.14.2 and an upgrade to version 5.14.2 or higher is needed.

Actual Behavior

Expected Behavior

How Do We Reproduce?

Please paste the results of npx webpack-cli info here, and mention other relevant information

alexander-akait (Member) commented Jul 25, 2022

Updated #504, anyway terser is a transitive dependency, so you need to update deps locally, you can use rm -rf node_modules package-lock.json && npm i

alexander-akait (Member) commented

Feel free to feedback

pgnd commented Jul 27, 2022

you need to update deps locally, you can use rm -rf node_modules package-lock.json && npm i

fyi

cd project/
yarn -v
	3.2.2
yarn cache clean
yarn cache clean --mirror
rm -rf .yarn/unplugged
rm -rf node_modules
yarn install
yarn info --name-only | grep terser
	├─ terser-webpack-plugin@npm:5.3.3
	├─ terser@npm:5.14.2
yarn npm audit --recursive --all --json | jq
	{
	  "actions": [],
	  "advisories": {
	    "1081698": {
	      "findings": [
	        {
	          "version": "5.10.0",
	          "paths": [
	            "terser",
	            "terser-webpack-plugin>terser",
	            "webpack>terser-webpack-plugin>terser",
	            "clean-webpack-plugin>webpack>terser-webpack-plugin>terser",
	            "webpack>terser-webpack-plugin>webpack>terser-webpack-plugin>terser"
	          ]
	        }
	      ],
	      "metadata": null,
	      "vulnerable_versions": ">=5.0.0 <5.14.2",
	      "module_name": "terser",
	      "severity": "high",
	      "github_advisory_id": "GHSA-4wf5-vphf-c2xc",
	      "cves": [
	        "CVE-2022-25858"
	      ],
	      "access": "public",
	      "patched_versions": ">=5.14.2",
	      "cvss": {
	        "score": 7.5,
	        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
	      },
	      "updated": "2022-07-22T16:30:35.000Z",
	      "recommendation": "Upgrade to version 5.14.2 or later",
	      "cwe": [],
	      "found_by": null,
	      "deleted": null,
	      "id": 1081698,
	      "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-25858\n- https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b\n- https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012\n- https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722\n- https://snyk.io/vuln/SNYK-JS-TERSER-2806366\n- https://github.com/advisories/GHSA-4wf5-vphf-c2xc",
	      "created": "2022-07-16T00:00:20.000Z",
	      "reported_by": null,
	      "title": "Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS",
	      "npm_advisory_id": null,
	      "overview": "The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.",
	      "url": "https://github.com/advisories/GHSA-4wf5-vphf-c2xc"
	    }
	  },
	  "muted": [],
	  "metadata": {
	    "vulnerabilities": {
	      "info": 0,
	      "low": 0,
	      "moderate": 0,
	      "high": 5,
	      "critical": 0
	    },
	    "dependencies": 751,
	    "devDependencies": 1,
	    "optionalDependencies": 0,
	    "totalDependencies": 752
	  }
	}
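The point made in the maintainer's reply (terser is transitive, so the fix has to land in your own lockfile) and the audit output above (several install paths for one advisory, a resolved terser@5.14.2 alongside a finding for 5.10.0) both come down to one check: walk every installed copy of terser, hoisted or nested, and test each version against the advisory range. The script below is an added example, not code from webpack-cli, terser or anyone in this thread. The lockfile it scans is constructed for the example, the range string is taken from the advisory overview quoted above (terser before 4.8.1 and from 5.0.0 before 5.14.2), and the range evaluator is a deliberately minimal one rather than the semver package.

```javascript
// Added example, not code from webpack-cli, terser, or anyone in this thread.
// Walks a package-lock.json for every installed copy of terser (hoisted and nested,
// which is what makes it a transitive dependency) and checks each copy against the
// advisory range. The lockfile below is constructed for the example.

// Range text follows the advisory overview quoted in the audit output:
// "before 4.8.1, from 5.0.0 and before 5.14.2".
const ADVISORY = {
  id: 'GHSA-4wf5-vphf-c2xc',
  cve: 'CVE-2022-25858',
  module: 'terser',
  vulnerable: '<4.8.1 || >=5.0.0 <5.14.2',
};

// Constructed sample lockfile (lockfileVersion 2 layout: a flat "packages" map keyed by
// install path). The hoisted terser is patched, but a nested copy under
// terser-webpack-plugin and another under a made-up "legacy-tool" are not.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { webpack: '^5.73.0', 'legacy-tool': '^1.0.0' } },
    'node_modules/webpack': { version: '5.73.0' },
    'node_modules/terser': { version: '5.14.2' },
    'node_modules/terser-webpack-plugin': { version: '5.3.3' },
    'node_modules/terser-webpack-plugin/node_modules/terser': { version: '5.10.0' },
    'node_modules/legacy-tool': { version: '1.0.0' },
    'node_modules/legacy-tool/node_modules/terser': { version: '4.8.0' },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (a leading "v" is tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative, zero or positive like a comparator. A pre-release sorts below its numeric
// release (5.14.2-beta.1 < 5.14.2), so such a build is still inside "<5.14.2".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Minimal evaluator for the range syntax advisories use: space-separated comparators are
// AND-ed, "||" separates alternatives. Caret, tilde and x-ranges are not handled and
// raise an error rather than silently passing.
function satisfiesRange(version, range) {
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).every((comp) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comp);
      if (!m) throw new Error(`bad comparator in range "${range}"`);
      const c = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '>=': return c >= 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '<': return c < 0;
        default: return c === 0;
      }
    }),
  );
}

// Every installed copy of `name` as { path, version }. lockfileVersion 2/3 files carry the
// flat "packages" map (checked first, since v2 also keeps the legacy tree); lockfileVersion 1
// files only have nested "dependencies" objects, which are walked recursively.
function installedCopies(lock, name) {
  const out = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      // The text after the last "node_modules/" is the package name, so nested copies count.
      if (path && path.split('node_modules/').pop() === name) {
        out.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) out.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return out;
}

// Audit one lockfile against one advisory; each result carries a `vulnerable` flag.
function auditLock(lock, advisory = ADVISORY) {
  return installedCopies(lock, advisory.module).map((copy) => ({
    ...copy,
    vulnerable: satisfiesRange(copy.version, advisory.vulnerable),
  }));
}

for (const r of auditLock(SAMPLE_LOCK)) {
  const tag = r.vulnerable ? `VULNERABLE (${ADVISORY.cve})` : 'ok';
  console.log(`${ADVISORY.module}@${r.version}\t${r.path}\t${tag}`);
}
```

On a real project, feed `JSON.parse` of the package-lock.json to `auditLock`; `npm ls terser` (or `yarn why terser` under yarn) shows the same nesting interactively. A nested copy that survives `rm -rf node_modules package-lock.json && npm i` is pinned by the package above it in the path, so that parent needs its own update, or the version has to be forced with an `overrides` entry in package.json (npm 8.3 and later) or `resolutions` under yarn, and the audit re-run afterwards.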
