In a folder with latest parcel installed, yarn audit complains because of serialize-to-js (denial of service security bug).
Please consider upgrading to serialize-to-js@3 asap to fix this.
PS: I tried to clone the repo and upgrade dependencies myself to open a PR but:
1) simple yarn install emits a lot of errors with [email protected]
2) yarn upgrade-interactive --latest and then attempting to upgrade dependencies results in an infinite install loop (install, build script, build scripts fail, install again)
This has already been fixed in master. And it never was a security issue npm secu just messed up again
Seems like a valid issue: https://github.com/commenthol/serialize-to-js/issues/7#issuecomment-492076598, right?
Deserialization of untrusted data using this package is dangerous. Even though it uses safer-eval to try and sandbox evaluated code, it is vulnerable to DoS by deserializing 'function(){while(true){}}()'.
Minimal viable sample:
```js
const serializeToJs = require('serialize-to-js')
var str = 'function(){while(true){}}()'
var res = serializeToJs.deserialize(str) // will never finish
console.log(res)
```
It's a valid issue if you use that function. Parcel does not.
Either way, I got annoyed enough at all the issues for this and released v1.12.4 with the update.
@devongovett thank you x 1000 😉