Webpacker: compression-webpack-plugin and serialize-javascript@^1.4.0 dependency

Created on 6 Dec 2019 · 5 Comments · Source: rails/webpacker

One of this repo's dependencies (compression-webpack-plugin) has a dependency on serialize-javascript@^1.4.0, which has a known issue: https://github.com/advisories/GHSA-h9rv-jmmf-4pgx .
The compression-webpack-plugin repo has not been updated in 6 months; someone has submitted a PR to fix the issue and upgrade serialize-javascript, but it has not been approved or merged as of yet.

Is it possible to move away from compression-webpack-plugin?


All 5 comments

This should fix the issue:
yarn upgrade "terser-webpack-plugin@^1.4.1"

After this, run yarn audit to make sure there are no known security issues in your project dependencies.

To pickup the fix mentioned by @clearyandzap, this worked for me:

$ yarn upgrade "@rails/webpacker@^4.2.2"
$ yarn audit

Yarn audit confirmed the fix.

Can this issue be closed?

@Yenwod's solution works for me
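The thread relies on `yarn audit` to confirm the upgrade. As an added example (not code from the issue or from webpacker), the script below inspects a Yarn v1 lockfile directly: it lists the resolved serialize-javascript versions, names the entries that depend on it (here the compression-webpack-plugin case from the issue), and checks every resolved version against a floor you take from the linked advisory. The sample lockfile is constructed for illustration, and the floor `2.0.0` used at the bottom is an illustrative value, not the advisory's.

```shell
# Added example (not from the issue thread): inspect a Yarn v1 lockfile for the
# resolved serialize-javascript versions, the packages that pull them in, and
# whether every resolved version meets a floor taken from the linked advisory.

# Prints "<requested-range> <resolved-version>" per serialize-javascript entry.
lock_versions() {
  awk '
    /^"?serialize-javascript@/ { hdr = $0; gsub(/[":]/, "", hdr); inentry = 1; next }
    /^[^ ]/                    { inentry = 0 }
    inentry && /^  version /   { v = $2; gsub(/"/, "", v); print hdr, v }
  ' "$1"
}

# Prints the name@range of every entry whose dependencies include
# serialize-javascript (the packages to upgrade or replace).
lock_dependents() {
  awk '
    /^[^ ]/            { hdr = $0; gsub(/[":]/, "", hdr); indeps = 0 }
    /^  dependencies:/ { indeps = 1 }
    indeps && /^    "?serialize-javascript"? / { print hdr }
  ' "$1"
}

# Returns 0 if every resolved serialize-javascript version is >= $2 (or none
# is present), 1 otherwise. Uses sort -V for version ordering.
lock_meets_floor() {
  for v in $(lock_versions "$1" | awk '{ print $2 }'); do
    lowest=$(printf '%s\n%s\n' "$v" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ] || return 1
  done
  return 0
}

# Constructed sample lockfile (not from a real project): the stale 1.x range is
# pulled in by compression-webpack-plugin, as in the issue; a 2.x entry coexists.
write_sample_lock() {
  cat > "$1" <<'EOF'
# yarn lockfile v1
compression-webpack-plugin@^2.0.0:
  version "2.0.0"
  dependencies:
    serialize-javascript "^1.4.0"
serialize-javascript@^1.4.0:
  version "1.9.1"
serialize-javascript@^2.1.2:
  version "2.1.2"
EOF
}

tmp=$(mktemp); write_sample_lock "$tmp"
lock_dependents "$tmp"                 # compression-webpack-plugin@^2.0.0
lock_meets_floor "$tmp" 2.0.0 || echo "stale serialize-javascript still resolved (illustrative floor 2.0.0)"
rm -f "$tmp"
```

Point the three functions at your project's real yarn.lock after `yarn upgrade`; if `lock_meets_floor` still fails, `lock_dependents` shows which entry keeps the old range pinned.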
