Security: Bump terser-webpack-plugin to address CVE-2020-7660
The Problem
react-scripts-3.4.1 relies on terser-webpack-plugin-2.3.5 which then relies on serialize-javascript-2.1.2, which is vulnerable per https://nvd.nist.gov/vuln/detail/CVE-2020-7660.
My Ask
Can terser-webpack-plugin be bumped to 2.3.7, which relies on serialize-javascript ^3.1.0? This would address this vulnerability.
This is similar to #8159.
Issue Analytics
- State:
- Created 3 years ago
- Reactions:5
- Comments:11
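To check whether a project still resolves the transitive dependency described in this issue, the sketch below walks a parsed `package-lock.json` and reports every package whose `serialize-javascript` requirement resolves to a copy below 3.1.0. It is an added example, not code from the issue or from the react-scripts project; it assumes the lockfileVersion 1 layout (nested `dependencies` with `requires`), and the sample lockfile, including the hypothetical `other-plugin`, is constructed.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 1 layout).
const FIXED = [3, 1, 0]; // serialize-javascript floor taken from the issue (^3.1.0)
// True when "x.y.z" (pre-release tag ignored) sorts below the floor.
function isBelow(version, floor) {
  const parts = version.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n !== floor[i]) return n < floor[i];
  }
  return false;
}
// Node resolution order: the requirer's own node_modules, then each ancestor's.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i][name]) return scopes[i][name];
  }
  return null;
}
// Returns every package whose require of `target` resolves to a copy below FIXED.
function findVulnerableRequirers(lock, target = "serialize-javascript") {
  const findings = [];
  const walk = (deps, scopes, trail) => {
    const here = scopes.concat([deps]);
    for (const [name, meta] of Object.entries(deps)) {
      const path = trail.concat(`${name}@${meta.version}`); // install location
      if (meta.requires && target in meta.requires) {
        const hit = resolve(target, here.concat([meta.dependencies || {}]));
        if (hit && isBelow(hit.version, FIXED)) {
          findings.push({ requiredBy: path.join(" > "), range: meta.requires[target], resolved: hit.version });
        }
      }
      if (meta.dependencies) walk(meta.dependencies, here, path);
    }
  };
  walk(lock.dependencies || {}, [], []);
  return findings;
}
// Constructed sample lockfile (not from a real project); "other-plugin" is hypothetical.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "react-scripts": { version: "3.4.1", requires: { "terser-webpack-plugin": "2.3.5" } },
    "terser-webpack-plugin": { version: "2.3.5", requires: { "serialize-javascript": "^2.1.2" } },
    "serialize-javascript": { version: "2.1.2" },
    "other-plugin": { version: "1.0.0", requires: { "serialize-javascript": "^3.1.0" },
      dependencies: { "serialize-javascript": { version: "3.1.0" } } },
  },
};
console.log(findVulnerableRequirers(sampleLock));
```

On a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of `sampleLock`; an empty result means no requirer resolves to a copy below the floor.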
Top GitHub Comments
IMO it’s still valid and a new release would be much appreciated 😃
Does anyone know when the next release happens?