developit / microbundle

📦 Zero-configuration bundler for tiny modules.
https://npm.im/microbundle
MIT License

Terser dependency vulnerability flagged on Github. #1007

Closed amitpareek49 closed 1 year ago

amitpareek49 commented 1 year ago

Hi Team,

I am using microbundle as a dependency in one of my projects. There is a warning thrown by GitHub regarding a critical vulnerability with the "terser": "^5.7.0" package. The fix has been deployed in version 5.14.2.

Below is the link to the github issue - https://github.com/advisories/GHSA-4wf5-vphf-c2xc

Are there any plans on updating the version to the latest one?

rschristian commented 1 year ago

Please do read that "vulnerability". It states that Terser, a tool used to minify code, is vulnerable to a denial of service attack. This is not an issue in the context of a build tool.

Essentially, you can write extremely weird code and trigger a denial of service... against yourself. Which just stops the build from completing on its own. You can still exit of course.

No need to fix as it's not a legitimate issue. Vulnerability reports for Node tend to be absolutely worthless as they have no way of knowing the context in which dependencies run.

amitpareek49 commented 1 year ago

Hi @rschristian ,

Thanks for the quick response. I agree that there is no issue with the warning in a build tool context. It gets annoying, however, when these warnings keep popping up in GitHub.

I am closing this issue. Once again thanks for your prompt reply, much appreciated.

rschristian commented 1 year ago

> It gets annoying, however, when these warnings keep popping up in GitHub.

This isn't necessarily the safest advice so do your own due diligence, but honestly, I just disable them. They're too rarely valid.
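For the "do your own due diligence" part, here is an added example (not code from microbundle or from anyone in this thread) that scans an npm lockfile for terser installs older than the 5.14.2 fix named in the advisory, and reports whether each one is only reachable through dev dependencies, which is the build-tool-only context the maintainer describes. The lockfile object, the microbundle version in it and the terser version in it are constructed sample data.

```javascript
// Added example: check an npm lockfile (v2/v3 "packages" map) for terser
// installs below the version that fixed GHSA-4wf5-vphf-c2xc.
const FIXED_TERSER = '5.14.2'; // fix version named in the advisory

// Compare two "x.y.z" version strings numerically; prerelease tags are
// ignored, which is enough for the release versions npm resolves here.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every lockfile path whose installed terser is below the fixed
// version, noting whether npm marked it as a dev-only install.
function findOutdatedTerser(lockfile, fixed = FIXED_TERSER) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/terser')) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version, dev: Boolean(entry.dev) });
    }
  }
  return hits;
}

// Constructed sample lockfile: terser is pulled in by microbundle, which
// is itself a devDependency, so "dev: true" is set on both entries.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-lib', devDependencies: { microbundle: '^0.15.0' } },
    'node_modules/microbundle': { version: '0.15.0', dev: true },
    'node_modules/terser': { version: '5.7.1', dev: true },
  },
};

for (const hit of findOutdatedTerser(sampleLock)) {
  const scope = hit.dev ? 'dev-only (build time)' : 'runtime dependency';
  console.log(`${hit.path}@${hit.version} < ${FIXED_TERSER}: ${scope}`);
}
```

Run it against your real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a hit marked dev-only is the case the maintainer argues is harmless, while a runtime hit deserves a closer look.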