Webpacker: Latest release (5.1.1) uses a dependency which has an older version of a dependency with a known issue

Created on 12 Aug 2020 · 11 Comments · Source: rails/webpacker

Latest release (5.1.1) is using the 3.x branch of compression-webpack-plugin, which is using the 2.x branch of serialize-javascript. And now yarn audit gives a notice about it.

In the master branch compression-webpack-plugin is updated to 4.x, which on the other hand uses 3.x of serialize-javascript and thus has a non-vulnerable version.

Could you make a new release? Or is there a way where I/we could get that 2.x of serialize-javascript updated?

All 11 comments

The master branch seems to be for 6.0.0, which I assume is not ready.

Wondering if we can easily backport the dependency update from https://github.com/rails/webpacker/pull/2609 to 5.1.X (or 5.2.0).

The npm advisory related to this is: https://www.npmjs.com/advisories/1548

4.2.2 has the same problem.

Thanks for pointing that out. I will check if I can create a 5.0 stable branch and selectively merge in changes. Reg: 4.2 you can make a PR against this branch to update deps: https://github.com/rails/webpacker/tree/4-x-stable

Just released 5.2.0. Please see 5-x-stable branch

Thank you @gauravtiwari for the quick action <3

Hi, I am using 5.2.1 and I still get the warning about serialize-javascript. I followed the instructions as per https://github.com/rails/webpacker to upgrade. What else can I do? Thanks!

@vitobotta have you checked that there are no other dependencies that are requiring the old version?

@vitobotta Try yarn why or npm ls

@gauravtiwari

Just released 5.2.0. Please see 5-x-stable branch

I don't think this issue is resolved.

I just upgraded to 5.2.1 and am seeing that it depends on terser-webpack-plugin@^1.4.3, which does not resolve the serialize-javascript issue.

They did however resolve it in: https://github.com/webpack-contrib/terser-webpack-plugin/releases/tag/v1.4.5

Webpacker needs to upgrade to this version.

I just upgraded to 5.2.1 and am seeing that it depends on terser-webpack-plugin@^1.4.3, which does not resolve the serialize-javascript issue.

Just to clarify, the constraint terser-webpack-plugin@^1.4.3 _allows_ you to install 1.4.5. So, you are allowed to fix the vulnerability. Webpacker is not preventing you from fixing the vulnerability. Of course, it's also not requiring you to fix it. I'm just clarifying, not making any recommendations to anyone. 😄
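The two points made in this thread, that `^1.4.3` already permits 1.4.5 and that `yarn why` / `npm ls` tell you which dependents still pin the old serialize-javascript, can be shown with a small model of caret resolution over a lockfile. This is an added example, not code from the webpacker project or any commenter: the lockfile entries, versions and ranges below are constructed for illustration, and the assumption that the advisory is fixed from serialize-javascript 3.1.0 onwards is labelled as such in the code.

```javascript
// Added example (not webpacker's code): model of caret-range resolution and a
// "which dependents still resolve to a flagged version" walk, like `yarn why`.

// "1.4.5" -> [1, 4, 5]; only plain x.y.z versions are modelled.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// npm/yarn caret semantics: ^1.4.3 means >=1.4.3 <2.0.0, ^0.2.3 means
// >=0.2.3 <0.3.0, ^0.0.3 means >=0.0.3 <0.0.4 (leftmost non-zero part is fixed).
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges are modelled here: ${range}`);
  const lo = parseVersion(range.slice(1));
  const v = parseVersion(version);
  let hi;
  if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];
  else if (lo[1] > 0) hi = [0, lo[1] + 1, 0];
  else hi = [0, 0, lo[2] + 1];
  return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
}

// Constructed, simplified lockfile: each installed package and the caret range
// it declares on its own dependencies. Versions are illustrative only.
const LOCK = [
  { name: 'compression-webpack-plugin', version: '3.1.0', deps: { 'serialize-javascript': '^2.1.2' } },
  { name: 'terser-webpack-plugin',      version: '1.4.3', deps: { 'serialize-javascript': '^2.1.2' } },
  { name: 'terser-webpack-plugin',      version: '1.4.5', deps: { 'serialize-javascript': '^3.1.0' } },
  { name: 'serialize-javascript',       version: '2.1.2', deps: {} },
  { name: 'serialize-javascript',       version: '3.1.0', deps: {} },
];

// Highest locked version of `name` that satisfies `range`, or undefined.
function resolveInLock(lock, name, range) {
  const hits = lock
    .filter(p => p.name === name && caretSatisfies(range, p.version))
    .map(p => p.version)
    .sort((a, b) => compareVersions(parseVersion(a), parseVersion(b)));
  return hits[hits.length - 1];
}

// Like `yarn why`, but filtered: which packages still resolve `target` to a
// version that `isVulnerable` flags? Each entry reads
// "dependent@ver -> target@range => resolved".
function vulnerableDependents(lock, target, isVulnerable) {
  const out = [];
  for (const pkg of lock) {
    const range = pkg.deps[target];
    if (!range) continue;
    const resolved = resolveInLock(lock, target, range);
    if (resolved !== undefined && isVulnerable(resolved)) {
      out.push(`${pkg.name}@${pkg.version} -> ${target}@${range} => ${resolved}`);
    }
  }
  return out;
}

// Assumption for this example: the advisory is fixed from serialize-javascript 3.1.0.
const FIXED_IN = '3.1.0';
const isVulnerableSJ = v => compareVersions(parseVersion(v), parseVersion(FIXED_IN)) < 0;

function demo() {
  console.log('^1.4.3 allows 1.4.5:', caretSatisfies('^1.4.3', '1.4.5'));   // true
  console.log('^1.4.3 allows 2.0.0:', caretSatisfies('^1.4.3', '2.0.0'));   // false
  console.log(vulnerableDependents(LOCK, 'serialize-javascript', isVulnerableSJ));
}
demo();
```

The walk reports the two dependents whose caret range cannot reach 3.1.0 (`^2.1.2` stops below 3.0.0), while terser-webpack-plugin 1.4.5 with `^3.1.0` is clean; that is the distinction between a constraint that *allows* the fix and a lockfile that has actually *taken* it.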
