Open tomcon opened 2 years ago
+1
@TrySound Why is this vulnerability not being addressed, please? https://github.com/TrySound/rollup-plugin-terser/pull/118
@IdanAdar Last commit was 2 years ago, so I guess the answer is no.
"no" is not really an answer to my question, though...
Sorry, wrong answer. You won't get a right one. Open source maintainer fatigue? No reason to be demanding. Nobody owes you anything here, so no reason to pretend.
Open source projects go stale all the time, mostly when there is not enough time, a lack of financing, or both. When others don't step up, this happens.
Years since last change and no answer to issues or PRs should tell you all you need.
For now you can manually override the terser version used in your project by adding the following block to package.json:

```json
"overrides": {
  "terser": "^5.15.0"
},
```
The official plugin with Rollup v3 support and updated terser has been released: https://npmjs.com/package/@rollup/plugin-terser 🎉
@limonte Thanks for the ping! And thanks for great and useful work with this plugin, @TrySound
terser 5.0.0 - 5.14.1 Severity: high Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc