TrySound / rollup-plugin-terser

Rollup plugin to minify generated bundle
MIT License
609 stars 55 forks

please update terser to 5.14.2 #116

Open tomcon opened 2 years ago

tomcon commented 2 years ago

terser 5.0.0 - 5.14.1
Severity: high
Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc

Jaylyn-Barbee commented 2 years ago

+1

IdanAdar commented 2 years ago

@TrySound Why is this vulnerability not being addressed, please? https://github.com/TrySound/rollup-plugin-terser/pull/118

eklem commented 2 years ago

@IdanAdar Last commit was 2 years ago, so I guess the answer is no.

IdanAdar commented 2 years ago

"no" is not really an answer to my question, though...

eklem commented 2 years ago

Sorry, wrong answer. You won't get a right one. Open source maintainer fatigue? No reason to be demanding. Nobody owes you anything here, so no reason to pretend.

Open source projects go stale all the time. Mostly from when there is not enough time or lack of financing or both. When others don't step up, this happens.

Years since last change and no answer to issues or PRs should tell you all you need.

silkfire commented 2 years ago

For now you can manually override the terser version used in your project by adding the following block to package.json:

"overrides": {
  "terser": "^5.15.0"
},

limonte commented 1 year ago

The official plugin with Rollup v3 support and updated terser has been released: https://npmjs.com/package/@rollup/plugin-terser 🎉

eklem commented 1 year ago

@limonte Thanks for the ping! And thanks for great and useful work with this plugin, @TrySound