Update serialize-javascript dependency #695
Hello! I just installed Microbundle in my project, but after I did so (`npm i --save-dev microbundle`), npm told me that it introduced the following high severity vulnerability:

Here are the specific version numbers that got installed:

Is this remote code execution vulnerability something I should be worried about, or does it not apply to Microbundle?

Being that this vulnerability is fixed in `serialize-javascript >=3.1.0`, it looks like updating `rollup-plugin-terser` to at least 6.0.0 would update `serialize-javascript` to a safe version. I tried forking Microbundle, updating `rollup-plugin-terser` to 7.0.0, crossing my fingers, and running the tests, but unfortunately, the tests failed, so some breaking change must be getting in the way.

Comments

Here are the release notes for the last few versions of

We're currently waiting for egoist/rollup-plugin-postcss#295 to land so we can upgrade rollup and all our dependencies. Microbundle is a dev dependency so you shouldn't be too afraid of remote code execution as it's not running while your app is running.

Indeed, this is technically unused code since serialize-javascript is not actually executed at any point by Microbundle's usage of Terser. It's only used for Terser's

I've changed the issue title to reflect the fact that this is neither a vulnerability nor high severity for Microbundle.

Awesome, thanks for the reassurance! 😅

Fixed in #738.
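The two questions the thread turns on are mechanical enough to check from a lockfile: is the installed `serialize-javascript` below the fixed range quoted in the issue (`>=3.1.0`), and is every vulnerable copy a dev-only install that never ships at runtime, which is the maintainers' argument for treating it as low severity. The script below is an added example, not code from the microbundle project or from anyone in this thread. It assumes the npm lockfileVersion 2/3 `packages` layout (paths like `node_modules/a/node_modules/b`, with a `dev: true` flag on dev-only entries); the lockfile objects, the `0.0.0-example` placeholders and the `2.1.2` / `4.0.0` sample versions are constructed for the example and are not the versions the reporter saw.

```javascript
// Added example: audit an npm lockfile for copies of a package below a fixed
// version and report whether any of them is reachable at runtime (not dev-only).
// Not part of microbundle or of this issue; lockfile data below is constructed.

// Parse "1.2.3" or "1.2.3-beta.1" (optional leading "v") into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A prerelease sorts below the
// release with the same core (3.1.0-rc.1 < 3.1.0); two prereleases are compared
// as plain strings, which is enough for a "below the fix?" check.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  if (pa.pre && pb.pre) return pa.pre < pb.pre ? -1 : pa.pre > pb.pre ? 1 : 0;
  return 0;
}

// Find every installed copy of pkgName, including copies nested under other
// packages' node_modules, and record whether npm flagged each one as dev-only.
function findInstalledCopies(lockfile, pkgName) {
  const suffix = `node_modules/${pkgName}`;
  return Object.entries(lockfile.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, meta]) => ({ path, version: meta.version, dev: meta.dev === true }));
}

// Copies below fixedVersion, plus whether any of them is a runtime (non-dev)
// install. runtimeExposure === false is the situation described in the thread:
// vulnerable code present on disk but only inside the build toolchain.
function auditLockfile(lockfile, pkgName, fixedVersion) {
  const vulnerable = findInstalledCopies(lockfile, pkgName).filter(
    (c) => compareSemver(c.version, fixedVersion) < 0
  );
  return { vulnerable, runtimeExposure: vulnerable.some((c) => !c.dev) };
}

// Constructed lockfile: the package is pulled in only through the dev-only
// bundler chain. "0.0.0-example" is a placeholder, not a real release.
const DEV_ONLY_LOCKFILE = {
  lockfileVersion: 2,
  packages: {
    "node_modules/microbundle": { version: "0.0.0-example", dev: true },
    "node_modules/rollup-plugin-terser": { version: "0.0.0-example", dev: true },
    "node_modules/rollup-plugin-terser/node_modules/serialize-javascript": {
      version: "2.1.2",
      dev: true,
    },
  },
};

// Constructed lockfile: an old copy is also a runtime dependency of the app,
// while the bundler's nested copy has already been updated past the fix.
const RUNTIME_LOCKFILE = {
  lockfileVersion: 2,
  packages: {
    "node_modules/serialize-javascript": { version: "2.1.2" },
    "node_modules/rollup-plugin-terser": { version: "0.0.0-example", dev: true },
    "node_modules/rollup-plugin-terser/node_modules/serialize-javascript": {
      version: "4.0.0",
      dev: true,
    },
  },
};

const FIXED_IN = "3.1.0"; // fix range quoted in the issue: serialize-javascript >=3.1.0

console.log("dev-only case:", JSON.stringify(auditLockfile(DEV_ONLY_LOCKFILE, "serialize-javascript", FIXED_IN)));
console.log("runtime case: ", JSON.stringify(auditLockfile(RUNTIME_LOCKFILE, "serialize-javascript", FIXED_IN)));
```

On a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))`; `runtimeExposure: false` with a non-empty `vulnerable` list reproduces the thread's "installed but dev-only" finding, and `runtimeExposure: true` is the case where the upgrade cannot wait.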