Security: Bump terser-webpack-plugin to address CVE-2020-7660


The Problem

react-scripts-3.4.1 relies on terser-webpack-plugin-2.3.5 which then relies on serialize-javascript-2.1.2, which is vulnerable per https://nvd.nist.gov/vuln/detail/CVE-2020-7660.

My Ask

Can terser-webpack-plugin be bumped to 2.3.7, which relies on serialize-javascript ^3.1.0? This would address this vulnerability.

This is similar to #8159.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 5
  • Comments: 11
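To check whether a project is affected by the chain described in the issue, the lockfile can be audited directly. The following is an added example, not code from the issue or from the projects it names; it assumes the npm lockfile v1 layout (nested `dependencies` with `version` and `requires`), and the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: audit an npm lockfile (v1 layout) for serialize-javascript < 3.1.0.
const FIXED = "3.1.0"; // version the issue says addresses CVE-2020-7660

// Compare two plain x.y.z versions; prerelease tags are ignored (assumption).
function cmp(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the nested "dependencies" tree. Collect every installed copy of `name`
// older than `fixed` (with its install path) and every package whose
// "requires" entry pulls `name` in, so the package to bump is visible.
function findVulnerable(lock, name = "serialize-javascript", fixed = FIXED) {
  const hits = [];
  const dependents = [];
  (function walk(deps, trail) {
    for (const [pkg, meta] of Object.entries(deps || {})) {
      const here = [...trail, `${pkg}@${meta.version}`];
      if (pkg === name && cmp(meta.version, fixed) < 0) hits.push(here.join(" > "));
      if (meta.requires && name in meta.requires) {
        dependents.push(`${pkg}@${meta.version} requires ${name}@${meta.requires[name]}`);
      }
      walk(meta.dependencies, here); // nested (non-hoisted) copies
    }
  })(lock.dependencies, []);
  return { hits, dependents };
}

// Constructed sample lockfile mirroring the chain described in the issue.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "react-scripts": { version: "3.4.1", requires: { "terser-webpack-plugin": "2.3.5" } },
    "terser-webpack-plugin": {
      version: "2.3.5",
      requires: { "serialize-javascript": "^2.1.2" },
    },
    "serialize-javascript": { version: "2.1.2" },
  },
};

console.log(findVulnerable(sampleLock));
```

In a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of the sample; a non-empty `hits` array means a copy older than 3.1.0 is still installed.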

Top GitHub Comments

12 reactions
simonpasquier commented, Jul 13, 2020

IMO it’s still valid and a new release would be much appreciated 😃

4 reactions
devchris commented, Jun 5, 2020

Does anyone know when the next release happens?
