Closed aimaj-anz closed 4 years ago
Thanks, will take a look at this soon.
@slorber, I do not believe #3265 fixes the issue. The audit report references copy-webpack-plugin and not terser-webpack-plugin.
There is an additional update needed for webpack and copy-webpack-plugin. The minimum version of webpack required to patch the vulnerability is 5, which requires updating a few other dependencies that have a peer dependency on webpack@4.
It looks like the following packages all have a peer dependency of webpack@4:
warning " > webpack-dev-middleware@3.7.2" has unmet peer dependency "webpack@^4.0.0".
warning " > cache-loader@4.1.0" has unmet peer dependency "webpack@^4.0.0".
warning " > optimize-css-assets-webpack-plugin@5.0.3" has unmet peer dependency "webpack@^4.0.0".
I've started a branch to upgrade these dependencies and their peers here
Hey, I'm upgrading the copy plugin here: #3282 to solve this issue.
We also have to upgrade the workbox-build package in the pwa plugin, when they upgrade here: https://github.com/GoogleChrome/workbox/issues/2601 (but this is less likely to affect many D2 users)
@dschaller I don't understand why you think we need to upgrade to Webpack 5?
Let's keep it open until we are sure it is really fixed + the pwa plugin is also fixed
@slorber I recall seeing some of the updated packages having a peer dependency of >webpack@5. I could have misread that though.
🐛 Bug Report
After doing a clean yarn install of the latest version, yarn audit returns some vulnerability warnings: https://www.npmjs.com/advisories/1548
Have you read the Contributing Guidelines on issues?
yes
To Reproduce
Expected behavior
No audit warnings
Actual Behavior
6 audit warnings
Your Environment
Reproducible Demo
N/A
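The thread turns on which package the audit report actually points at. The following is an added example, not part of the original issue or of the project's code: it groups Yarn v1 `yarn audit --json` advisory events by the immediate parent of the vulnerable module. The sample input, the top-level package names and the module name are constructed; only advisory id 1548 and the plugin name copy-webpack-plugin come from the thread.

```javascript
// Constructed sample of Yarn v1 `yarn audit --json` output: one JSON event per line.
// Paths and module name are placeholders, not the real audit report from the issue.
const SAMPLE_AUDIT = [
  ['site-core>copy-webpack-plugin>example-vulnerable-module', 'auditAdvisory'],
  ['site-plugin>copy-webpack-plugin>example-vulnerable-module', 'auditAdvisory'],
  ['site-core>example-other-plugin>example-vulnerable-module', 'auditAdvisory'],
].map(([path, type]) => JSON.stringify({
  type,
  data: {
    resolution: { id: 1548, path },
    advisory: { id: 1548, module_name: 'example-vulnerable-module', severity: 'high' },
  },
})).concat(JSON.stringify({ type: 'auditSummary', data: {} })).join('\n');

// Build a map: advisory id -> { module, severity, parents, paths }.
function summariseAudit(ndjson) {
  const byAdvisory = new Map();
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    let event;
    try { event = JSON.parse(line); } catch { continue; } // skip non-JSON noise
    if (event.type !== 'auditAdvisory') continue;          // ignore the summary event
    const { resolution, advisory } = event.data;
    const chain = resolution.path.split('>');              // top-level > ... > vulnerable module
    const entry = byAdvisory.get(advisory.id) || {
      module: advisory.module_name,
      severity: advisory.severity,
      parents: new Set(),
      paths: [],
    };
    // The immediate parent is the package whose dependency range has to change.
    entry.parents.add(chain.length > 1 ? chain[chain.length - 2] : '(direct dependency)');
    entry.paths.push(resolution.path);
    byAdvisory.set(advisory.id, entry);
  }
  return byAdvisory;
}

// Sorted list of packages that pull in the module flagged by one advisory.
function parentsFor(ndjson, advisoryId) {
  const entry = summariseAudit(ndjson).get(advisoryId);
  return entry ? [...entry.parents].sort() : [];
}

console.log(parentsFor(SAMPLE_AUDIT, 1548));
```

Against a real project, pass the captured output of `yarn audit --json` to `parentsFor` in place of the constructed sample.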