[Security] Update terser webpack plugin by RDIL · Pull Request #8102 · facebook/create-react-app · GitHub

Conversation

@RDIL
Contributor

@RDIL RDIL commented Dec 6, 2019

Updates the terser webpack plugin.
Fixes #8100

@RDIL RDIL changed the title from "security: update terser webpack plugin" to "[Security] Update terser webpack plugin" Dec 6, 2019
@heyimalex
Contributor

For context:

  • GHSA-h9rv-jmmf-4pgx
  • we pin terser-webpack-plugin at 2.2.1
  • terser-webpack-plugin 2.2.1 depends on serialize-javascript ^1.7.0
  • vulnerability was fixed in serialize-javascript 2.1.1

So we either bump or wait for serialize-javascript to backport a security fix to the 1.x branch. The issue doesn't really affect us since there's no XSS at build time, but people complain in the tracker either way.
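The dependency chain above is a semver problem as much as a security one: a caret range such as `^1.7.0` can never resolve to the fixed 2.1.1, so the transitive pin has to be bumped or the fix backported. The following is an added example, not code from this PR or from create-react-app, that walks a constructed `package-lock.json`-style tree and reports every install of `serialize-javascript` below the fixed version, together with whether the declared range could ever admit the fix. The package versions in the tree (react-scripts 3.3.0, serialize-javascript 1.9.1) are constructed sample data; the caret logic assumes a major version of 1 or more, as in `^1.7.0`.

```javascript
// Added example: audit a constructed lockfile-style tree for a vulnerable
// transitive dependency and check whether its declared range can reach the fix.
const TARGET = "serialize-javascript";
const FIXED = "2.1.1"; // version named in the thread as containing the fix

// Constructed tree mirroring the thread: terser-webpack-plugin 2.2.1 declares
// serialize-javascript ^1.7.0, which resolves to a 1.x release (1.9.1 here).
const lockTree = {
  name: "react-scripts", version: "3.3.0", // constructed sample values
  dependencies: {
    "terser-webpack-plugin": {
      version: "2.2.1",
      requires: { "serialize-javascript": "^1.7.0" },
      dependencies: { "serialize-javascript": { version: "1.9.1" } },
    },
  },
};

const parseVer = (v) => v.split(".").map(Number);
// Numeric compare of two x.y.z strings: negative, zero or positive.
function cmp(a, b) {
  const [x, y] = [parseVer(a), parseVer(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
// Caret range for major >= 1: ^1.7.0 admits >=1.7.0 and <2.0.0, never 2.x.
function caretAdmits(range, version) {
  const base = range.replace(/^\^/, "");
  const nextMajor = `${parseVer(base)[0] + 1}.0.0`;
  return cmp(version, base) >= 0 && cmp(version, nextMajor) < 0;
}
// Recursively collect every TARGET install below FIXED, with its path and
// whether the parent's declared range could ever resolve to FIXED.
function audit(node, path = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === TARGET && cmp(dep.version, FIXED) < 0) {
      const range = (node.requires || {})[name];
      out.push({ path: here.join(" > "), version: dep.version,
                 rangeCanReachFix: range ? caretAdmits(range, FIXED) : null });
    }
    audit(dep, here, out);
  }
  return out;
}

console.log(audit(lockTree));
```

A `rangeCanReachFix: false` finding means no `npm update` of the intermediate package will pull in the fix; only a newer release of that package (or a backport to 1.x) resolves it.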

@heyimalex heyimalex added this to the 3.3.1 milestone Dec 6, 2019
@andriijas
Contributor

andriijas commented Dec 11, 2019

@RDIL Want to upgrade to 2.2.3 in this PR? Don't forget react-error-overlay. Thanks!

@andriijas andriijas merged commit 8d1a4f2 into facebook:master Dec 11, 2019
@heyimalex heyimalex mentioned this pull request Dec 12, 2019
@lock lock bot locked and limited conversation to collaborators Dec 16, 2019


Development

Successfully merging this pull request may close these issues.

[Security] Issue with serialize-javascript

4 participants