update serialize-javascript to 3.1.0+ to address security vulnerabili…#5789

Closed
zhao-li wants to merge 1 commit into vuejs:dev from zhao-li:feature/update_copy-webpack-plugin_dependency
Conversation

@zhao-li zhao-li commented Aug 14, 2020

This PR updates serialize-javascript to 3.1.0+ to address security vulnerabilities of serialize-javascript < 3.1.0, a sub-dependency of copy-webpack-plugin.

What kind of change does this PR introduce? (check at least one)

  • Bugfix
  • Feature
  • Code style update
  • Refactor
  • Docs
  • Underlying tools (?dependency?)
  • Other, please describe:

Does this PR introduce a breaking change? (check one)

  • Yes
  • No
  • not sure, this project isn't containerized and I don't want to install yarn and other artifacts on my host

Other information:
I'm hoping your CI will figure out if this is a breaking change or not.

High            Remote Code Execution
Package         serialize-javascript
Patched in      >=3.1.0
Dependency of   @vue/cli-service [dev]
Path            @vue/cli-service > copy-webpack-plugin >
                serialize-javascript
More info       https://npmjs.com/advisories/1548
`-- @vue/cli-service@4.4.6
  +-- copy-webpack-plugin@5.1.1
  | `-- serialize-javascript@2.1.2 
  `-- terser-webpack-plugin@2.3.7
    `-- serialize-javascript@3.1.0 

…ties of serialize-javascript < 3.1.0, a sub-dependency of copy-webpack-plugin
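As an added example (not part of this pull request or the vue-cli project), the script below walks an `npm ls --json`-shaped dependency tree and reports every path that ends in a serialize-javascript version below the 3.1.0 release the advisory lists as patched. It separates the vulnerable nested copy under copy-webpack-plugin from the already-patched copy under terser-webpack-plugin, which the `npm ls` output above shows side by side. The tree is constructed by hand from that output; the root project name `example-app` and the function names are assumptions.

```javascript
// Added example: flag transitive copies of a package that sit below the
// advisory's patched version. The tree is constructed from the `npm ls`
// output quoted in the PR description; it is not real project data.

// Advisory details as quoted in the PR description (npm advisory 1548).
const ADVISORY = {
  name: 'serialize-javascript',
  patched: '3.1.0', // "Patched in >=3.1.0"
  url: 'https://npmjs.com/advisories/1548',
};

// Constructed `npm ls --json`-shaped tree. `example-app` is a hypothetical
// root project name; the nested versions come from the PR description.
const sampleTree = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    '@vue/cli-service': {
      version: '4.4.6',
      dependencies: {
        'copy-webpack-plugin': {
          version: '5.1.1',
          dependencies: {
            'serialize-javascript': { version: '2.1.2' }, // below 3.1.0
          },
        },
        'terser-webpack-plugin': {
          version: '2.3.7',
          dependencies: {
            'serialize-javascript': { version: '3.1.0' }, // already patched
          },
        },
      },
    },
  },
};

// Minimal comparison for plain MAJOR.MINOR.PATCH strings, which is all that
// `npm ls` prints for installed packages. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the tree. Returns one "name@version > ..." string for
// every occurrence of the advisory's package whose version is below `patched`.
function findVulnerablePaths(node, advisory, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === advisory.name && compareVersions(dep.version, advisory.patched) < 0) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerablePaths(dep, advisory, here));
  }
  return hits;
}

// Stand-alone run: print each vulnerable path, or confirm none remain.
const vulnerable = findVulnerablePaths(sampleTree, ADVISORY);
if (vulnerable.length === 0) {
  console.log(`no ${ADVISORY.name} < ${ADVISORY.patched} found`);
} else {
  for (const p of vulnerable) {
    console.log(`${ADVISORY.name} < ${ADVISORY.patched} at: ${p} (${ADVISORY.url})`);
  }
}
```

To run this against a real project, replace `sampleTree` with the parsed output of `npm ls --json` (on npm 7 or later add `--all` so nested dependencies are included). Rerunning it after a dependency bump, as the manual workaround discussed later in this thread does, confirms that the nested copy was actually replaced rather than only the top-level one.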
jonathanpmartins commented Aug 19, 2020

any updates on this?

Author

zhao-li commented Aug 19, 2020

I'm not quite sure what the next steps are...

@sirlancelot
Contributor

Fixes #5782. Can this get merged in to remove the high severity vulnerability warning when using vue-cli?

@HTGAzureX1212

Still waiting for this dependency update to fix the vulnerability...

@ThBastos

Still waiting for this dependency update to fix the vulnerability...

@jsb989

jsb989 commented Aug 22, 2020

It's taking too much time. I just updated by hand changing @vue/cli-service/package.json
copy-webpack-plugin: "^6.0.3" and running $npm i... twice.
(one for each dependency. NPM looks just like a joke, though...)

@HTGAzureX1212

HTGAzureX1212 commented Aug 23, 2020

Does a dependency update take this much time... I am considering using the same approach as jsb989 now :/

@haoqunjiang
Member

It breaks almost all of the CI tests.

We need another way to address this issue. Not blindly updating the dependency version.

@yashha

yashha commented Aug 24, 2020

@sodatea Just an idea:
webpack/copy-webpack-plugin#520
