Several high vulnerabilities CVE-2019-16772, CVE-2019-16769, CVE-2020-7660 are introduced in @ant-design/tools #245

Open
ayaka-kms opened this issue Aug 14, 2021 · 0 comments


ayaka-kms commented Aug 14, 2021

Hi, @afc163, Several high vulnerabilities CVE-2019-16772, CVE-2019-16769, CVE-2020-7660 are introduced in @ant-design/tools via:
● @ant-design/tools@13.6.1 ➔ uglifyjs-webpack-plugin@2.2.0 ➔ serialize-javascript@1.9.1

uglifyjs-webpack-plugin is a legacy package. It has not been maintained for about 2 years, and is not likely to be updated.
Is it possible to migrate uglifyjs-webpack-plugin to another package to remediate this vulnerability?

I noticed several migration records for uglifyjs-webpack-plugin in other js repos, such as

  1. in weaveworks-ui-components, version 0.22.5 ➔ 0.22.6, migrate from uglifyjs-webpack-plugin to terser-webpack-plugin via commit
  2. in immortal-db, version 1.0.3 ➔ 1.1.0, migrate from uglifyjs-webpack-plugin to terser-webpack-plugin via commit

Are there any efforts planned that would remediate this vulnerability or migrate uglifyjs-webpack-plugin?

Thanks
; )
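
An added example, not part of the issue or of the @ant-design/tools project: a small walker over a dependency tree in the shape of `npm ls --json` output that lists every chain reaching a package below a chosen version, which is how a path like the one reported above can be confirmed in a consumer project. The sample tree is constructed, `some-other-plugin` is hypothetical, and the `3.1.0` floor is an assumption to check against the advisories for the listed CVEs.

```javascript
// Constructed sample in the shape of `npm ls --json` output. Only the
// @ant-design/tools chain comes from the issue; the rest is illustrative.
const sampleTree = {
  name: 'example-app',
  version: '0.0.0',
  dependencies: {
    '@ant-design/tools': {
      version: '13.6.1',
      dependencies: {
        'uglifyjs-webpack-plugin': {
          version: '2.2.0',
          dependencies: { 'serialize-javascript': { version: '1.9.1' } },
        },
      },
    },
    // Hypothetical sibling that pulls a newer copy; it must not be reported.
    'some-other-plugin': {
      version: '1.0.0',
      dependencies: { 'serialize-javascript': { version: '4.0.0' } },
    },
  },
};

// Compare plain x.y.z versions; pre-release tags are ignored for brevity.
function compareVersions(a, b) {
  const pa = a.split('.').map((n) => parseInt(n, 10) || 0);
  const pb = b.split('.').map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Return every dependency chain that ends at `target` with a version
// lower than `fixedIn` (the caller supplies the floor from the advisory).
function findVulnerablePaths(node, target, fixedIn, trail = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...trail, `${name}@${dep.version}`];
    if (name === target && compareVersions(dep.version, fixedIn) < 0) {
      hits.push(here.join(' -> '));
    }
    hits.push(...findVulnerablePaths(dep, target, fixedIn, here));
  }
  return hits;
}

// Assumed floor of 3.1.0; confirm it against the advisories before relying on it.
console.log(findVulnerablePaths(sampleTree, 'serialize-javascript', '3.1.0'));
```

Each reported chain names the direct dependency that has to be upgraded or replaced to drop the old copy.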
