Create-react-app: Security: Bump terser-webpack-plugin to address CVE-2020-7660

Created on 4 Jun 2020  路  11Comments  路  Source: facebook/create-react-app

The Problem

react-scripts-3.4.1 relies on terser-webpack-plugin-2.3.5 which then relies on serialize-javascript-2.1.2, which is vulnerable per https://nvd.nist.gov/vuln/detail/CVE-2020-7660.

My Ask

Can terser-webpack-plugin be bumped to 2.3.7, which relies on serialize-javascript ^3.1.0? This would address this vulnerability.

This is similar to #8159.

bug report needs triage
Source
picture AjkayAlan
👍4 👀1

Most helpful comment

IMO it's still valid and a new release would be much appreciated :)

picture simonpasquier on 13 Jul 2020
👍12

All 11 comments

They've already fixed it in the master (https://github.com/facebook/create-react-app/pull/8950/files) so I guess we should wait for the next release?

RinatRezyapov picture RinatRezyapov on 4 Jun 2020

Good catch, yeah, looks like next release should get us there.

AjkayAlan picture AjkayAlan on 4 Jun 2020

Does anyone know when the next release happens?

devchris picture devchris on 5 Jun 2020
👍4

Do we know when this release will be coming? Just to be prepared for when to upgrade 馃槃

olliecurtis picture olliecurtis on 9 Jun 2020

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.

stale[bot] picture stale[bot] on 11 Jul 2020

IMO it's still valid and a new release would be much appreciated :)

simonpasquier picture simonpasquier on 13 Jul 2020
👍12

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.

stale[bot] picture stale[bot] on 16 Aug 2020

Bump - this is still an issue and there still has not been any new release.

AjkayAlan picture AjkayAlan on 16 Aug 2020

@AjkayAlan - Not sure if this is helpful or not for you but raised this discussion for confirmation of releases as I have noticed their have been newer releases but also I am aware CRA 4 is also in progress so wanted to find out if these fixes are safe to use now
https://github.com/facebook/create-react-app/discussions/9484

olliecurtis picture olliecurtis on 17 Aug 2020

@AjkayAlan - I managed to get an answer here in #9484 about the new versions and getting this fix released

https://github.com/facebook/create-react-app/discussions/9484#discussioncomment-52089

olliecurtis picture olliecurtis on 18 Aug 2020
👍1

Thanks @olliecurtis! Based on the new release existing in npmjs, I think it solves our issue.

Closing.

AjkayAlan picture AjkayAlan on 18 Aug 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Aranir picture Aranir  路  3Comments
dualcnhq picture dualcnhq  路  3Comments
stopachka picture stopachka  路  3Comments
alleroux picture alleroux  路  3Comments
ap13p picture ap13p  路  3Comments