
[Security] Update terser webpack plugin #8102

Merged
merged 6 commits into from
Dec 11, 2019

Conversation

RDIL
Contributor

@RDIL RDIL commented Dec 6, 2019

Updates the terser webpack plugin.
Fixes #8100

@RDIL RDIL changed the title security: update terser webpack plugin [Security] Update terser webpack plugin Dec 6, 2019
@heyimalex
Contributor

For context:

  • GHSA-h9rv-jmmf-4pgx
  • we pin terser-webpack-plugin at 2.2.1
  • terser-webpack-plugin 2.2.1 depends on serialize-javascript ^1.7.0
  • vulnerability was fixed in serialize-javascript 2.1.1

So we either bump or wait for serialize-javascript to backport a security fix to the 1.x branch. The issue doesn't really affect us since there's no XSS at build time, but people complain in the tracker either way.

@heyimalex heyimalex added this to the 3.3.1 milestone Dec 6, 2019
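An added check, not part of this PR or the react-scripts code base, that walks an npm lockfile v1 `dependencies` tree and reports every `serialize-javascript` below 2.1.1 together with the path that pulls it in; the lockfile excerpt and the nested 1.x version are constructed for illustration.

```javascript
// Added example: audit a lockfile for the vulnerable transitive dependency
// discussed in the thread. The lockfile object below is constructed and
// mirrors the nested "dependencies" shape of an npm lockfile v1.
const VULN_PKG = 'serialize-javascript';
const FIXED_VERSION = '2.1.1'; // first version carrying the fix, per the thread

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the nested "dependencies" tree and collect every occurrence of
// VULN_PKG whose resolved version is below FIXED_VERSION, as "a@x > b@y" paths.
function findVulnerable(lock, path = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const here = [...path, `${name}@${entry.version}`];
    if (name === VULN_PKG && compareVersions(entry.version, FIXED_VERSION) < 0) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerable(entry, here)); // recurse into nested deps
  }
  return hits;
}

// Constructed lockfile: terser-webpack-plugin 2.2.1 nests an old 1.x
// serialize-javascript, while a top-level copy is already at the fixed version.
const sampleLock = {
  dependencies: {
    'serialize-javascript': { version: '2.1.1' },
    'terser-webpack-plugin': {
      version: '2.2.1',
      dependencies: {
        'serialize-javascript': { version: '1.9.1' }, // constructed value
      },
    },
  },
};

console.log(findVulnerable(sampleLock));
// → [ 'terser-webpack-plugin@2.2.1 > serialize-javascript@1.9.1' ]
```

Pointing `findVulnerable` at `JSON.parse(fs.readFileSync('package-lock.json'))` gives the same report for a real project; an empty list means no nested copy below the fixed version remains.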
@andriijas
Contributor

andriijas commented Dec 11, 2019

@RDIL Want to upgrade to 2.2.3 in this PR? Don't forget react-error-overlay. Thanks!

@andriijas andriijas merged commit 8d1a4f2 into facebook:master Dec 11, 2019
@heyimalex heyimalex mentioned this pull request Dec 12, 2019
@lock lock bot locked and limited conversation to collaborators Dec 16, 2019
Successfully merging this pull request may close these issues.

[Security] Issue with serialize-javascript