Latest release (5.1.1) is using dependency, which has older version of dependency with known issue

[hasanen]

Latest release (5.1.1) is using 3.x branch of compression-webpack-plugin, which is using 2.x branch of serialize-javascript. And now yarn audit it gives a notice from it.

In master branch compression-webpack-plugin is updated to 4.x, which in other hand is using 3.x of serialize-javascript and thus has non-vulnerable version.

Could you make a new release? Or is there a way where I/we could get that 2.x of serialize-javascript updated?

[jipiboily]

The master branch seems to be for 6.0.0, which I assume is not ready.

Wondering if we can easily backport the dependency update from #2609 to 5.1.X (or 5.2.0).

The npm advisory related to this is: https://www.npmjs.com/advisories/1548

[akoskm]

4.2.2 has the same problem.

[gauravtiwari]

Thanks for pointing out. I will check if I can create a 5.0 stable branch and selectively merge in changes. Reg: 4.2 you can make a PR against this branch to update deps: https://github.com/rails/webpacker/tree/4-x-stable

[artob]

The security advisory:

• GHSA-hxcc-f52p-wc94

• https://nvd.nist.gov/vuln/detail/CVE-2020-7660

The relevant upstream issues and commits:

• Vulnerability in latest release: serialize-javascript < 3.1.0 webpack-contrib/compression-webpack-plugin#176

• Don't replace regex / function placeholders within string literals yahoo/serialize-javascript#79

• yahoo/serialize-javascript@f21a6fb

[gauravtiwari]

Just realised 5.2.0. Please see 5-x-stable branch

[hasanen]

Thank you @gauravtiwari for the quick action <3

[vitobotta]

Hi, I am using 5.2.1 and I still get the warning about serialize-javascript. I followed the instructions as per https://github.com/rails/webpacker to upgrade. What else can I do? Thanks!

[hasanen]

@vitobotta have you checked that there are no other dependencies that are requiring the old version?

[jaredbeck]

@vitobotta have you checked that there are no other dependencies that are requiring the old version?

@vitobotta Try yarn why or npm ls

[npearson72]

@gauravtiwari

Just realised 5.2.0. Please see 5-x-stable branch

I don't think this issue is resolved.

I just upgraded to 5.2.1 and am seeing that it depends on terser-webpack-plugin@^1.4.3, which does not resolve the serialize-javascript issue.

They did however resolve it in: https://github.com/webpack-contrib/terser-webpack-plugin/releases/tag/v1.4.5

Webpacker needs to upgrade to this version.

[jaredbeck]

I just upgraded to 5.2.1 and am seeing that it depends on terser-webpack-plugin@^1.4.3, which does not resolve the serialize-javascript issue.

Just to clarify, the constraint terser-webpack-plugin@^1.4.3 allows you to install 1.4.5. So, you are allowed to fix the vulnerability. Webpacker is not preventing you from fixing the vulnerability. Of course, it's also not requiring you to fix it. I'm just clarifying, not making any recommendations to anyone. 😄