QUESTION: What branch to merge into for v6 patches?

[AndrewGibson27]

What / Why

It looks like this project has a base branch for v7 but not v6. What branch should we merge into for v6 patches? I've got a branch going to port this fix into what I hope will be v6.0.2 (needed for Webpack 4 support).

[keepitterron]

heavy plus one on this.
we depend on webpack 4 and there is no other way left to have this vulnerability fixed 🙏

thanks @AndrewGibson27 !

[pedelman]

@isaacs @nlf I was wondering if anyone has seen this question. It seems this is best path forward to resolve CVE in webpack v4 based on discussion in this related issue: webpack-contrib/terser-webpack-plugin#388.

If you could provide some next steps / guidance on how to proceed, it would be much appreciated.

Thanks for the help!

[nlf]

backported and landed as v6.0.2

[stefanetoh]

backported and landed as v6.0.2

Nice!

But.. how come v6.0.2 isn't listed as a patched version: GHSA-vx3p-948g-6vhq? Shouldn't it be? 🤔 @nlf

[pedelman]

@stefanetoh I sent a note to NIST, NPM, and GitHub support. Im hopeful it can be resolved in the coming days. For my projects, I have already updated to 6.0.2 and manually dismissed the dependabot alert.

Its not really a clear process for communicating this fix. If anyone has contacts in this area, please reach out and inform them so users can update appropriately.

---

Just got notified from NIST that they have updated on their end, you can see it here: https://nvd.nist.gov/vuln/detail/CVE-2021-27290

[nlf]

yeah, we have to wait for all of the various advisory databases to update their advisories in order for all of the alerts to totally clear up. we'll see what we can do to speed that process up.

[stefanetoh]

@pedelman @nlf - aah, ok - then i know :D thanks for the info 🌟