found 1 high severity vulnerability #96

Closed
MiniMarvin opened this issue Aug 22, 2020 · 3 comments
Labels
bug Something isn't working

Comments

@MiniMarvin

Summary

High | Remote Code Execution
Package | serialize-javascript
Patched in | >=3.1.0
Dependency of | next-pwa
Path | next-pwa > workbox-webpack-plugin > workbox-build > rollup-plugin-terser > serialize-javascript
More info | https://npmjs.com/advisories/1548

How To Reproduce

Steps to reproduce the behavior:

npm install --save next-pwa
npm audit

Link to minimal reproduce setup repository if any.

Expected Behaviors

The lib should be updated and should not have this critical vulnerability.

@MiniMarvin MiniMarvin added the bug Something isn't working label Aug 22, 2020
@shadowwalker
Owner

Thanks for raising this issue.

yarn audit v1.22.4
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Remote Code Execution                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ workbox-webpack-plugin                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ workbox-webpack-plugin > workbox-build >                     │
│               │ rollup-plugin-terser > serialize-javascript                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1548                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 593
Severity: 1 High

This is used at build time, which should be a lower-risk vulnerability. I'd prefer to raise this issue in the workbox project, as I'm not sure whether updating it here will break some scenarios.
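
To see where a flagged transitive package enters the tree, as in the audit path quoted above, the sketch below walks a dependency tree shaped like `npm ls --json` output and lists every path to a package below its patched version. It is an added example, not code from next-pwa or workbox; the sample tree, its version numbers and `other-tool` are constructed.

```javascript
// Added example: list dependency paths that reach a package below its patched version.
// Input shape follows `npm ls --json`: { dependencies: { name: { version, dependencies } } }.

// Parse "x.y.z" into three numbers; any pre-release/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when `installed` is at or above the first patched release.
function isPatched(installed, patched) {
  const a = parseVersion(installed), b = parseVersion(patched);
  if (!a || !b) return false; // unknown version: report it so it gets reviewed
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true; // exactly the first patched release
}

// Depth-first walk collecting every path that ends at an unpatched copy of `pkg`.
function findVulnerablePaths(tree, pkg, patched, trail = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, name];
    if (name === pkg && !isPatched(node.version, patched)) {
      hits.push({ path: path.join(" > "), version: node.version });
    }
    hits.push(...findVulnerablePaths(node, pkg, patched, path));
  }
  return hits;
}

// Constructed sample tree. Version numbers are illustrative, not taken from the issue,
// and "other-tool" is a hypothetical second consumer that already resolves a patched copy.
const sampleTree = {
  name: "my-app",
  dependencies: {
    "next-pwa": { version: "1.0.0", dependencies: {
      "workbox-webpack-plugin": { version: "1.0.0", dependencies: {
        "workbox-build": { version: "1.0.0", dependencies: {
          "rollup-plugin-terser": { version: "1.0.0", dependencies: {
            "serialize-javascript": { version: "2.1.2" } } } } } } } } },
    "other-tool": { version: "1.0.0", dependencies: {
      "serialize-javascript": { version: "3.1.0" } } },
  },
};

console.log(findVulnerablePaths(sampleTree, "serialize-javascript", "3.1.0"));
```

Because the walk reports each path separately, it shows which direct dependency would have to move before the advisory clears.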

@Yonom

Yonom commented Sep 4, 2020

Just opened an issue here:

GoogleChrome/workbox#2626

@shadowwalker
Owner

Resolved
