gobuffalo / buffalo

Rapid Web Development w/ Go
http://gobuffalo.io
MIT License

Replace uglifyjs with terser webpack plugin #1878

Closed codegoalie closed 4 years ago

codegoalie commented 4 years ago

Description

In the default JavaScript modules, replace uglify-webpack-plugin with terser-webpack-plugin since uglify is deprecated, contains a dependency with a known security vulnerability, and suggests updating to terser.

Steps to Reproduce the Problem

  1. Run buffalo new fun-time-app --skip-yarn.
  2. Run npm audit.

Expected Behavior

Ideally, you should not see any security vulnerabilities.

Actual Behavior

The version of serialize-javascript which uglifyjs-webpack-plugin requires has a moderate security vulnerability.

$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Cross-Site Scripting                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ uglifyjs-webpack-plugin [dev]                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ uglifyjs-webpack-plugin > serialize-javascript               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1426                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 9467 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Info

```
-> Go: Checking installation
✓ The `go` executable was found on your system at: /usr/local/go/bin/go
-> Go: Checking minimum version requirements
✓ Your version of Go, 1.13.4, meets the minimum requirements.
-> Go: Checking GOPATH
✓ You are using Go Modules, so no need to worry about the GOPATH.
-> Go: Checking Package Management
✓ You are using Go Modules (`go`) for package management.
-> Go: Checking PATH
✓ Your PATH contains /home/codegoalie/workspace/go/bin.
-> Node: Checking installation
✓ The `node` executable was found on your system at: /home/codegoalie/.nvm/versions/node/v10.9.0/bin/node
-> Node: Checking minimum version requirements
✓ Your version of Node, v10.9.0, meets the minimum requirements.
-> NPM: Checking installation
✓ The `npm` executable was found on your system at: /home/codegoalie/.nvm/versions/node/v10.9.0/bin/npm
-> NPM: Checking minimum version requirements
✓ Your version of NPM, 6.2.0, meets the minimum requirements.
-> Yarn: Checking installation
✓ The `yarnpkg` executable was found on your system at: /usr/bin/yarnpkg
-> Yarn: Checking minimum version requirements
✓ Your version of Yarn, 1.21.1, meets the minimum requirements.
-> PostgreSQL: Checking installation
✘ The `postgres` executable could not be found on your system.
For help setting up your Postgres environment please follow the instructions for you platform at:
https://www.postgresql.org/download/
-> MySQL: Checking installation
✘ The `mysql` executable could not be found on your system.
For help setting up your MySQL environment please follow the instructions for you platform at:
https://www.mysql.com/downloads/
-> SQLite3: Checking installation
✓ The `sqlite3` executable was found on your system at: /home/codegoalie/workspace/android-sdk-linux/sdk/platform-tools/sqlite3
-> SQLite3: Checking minimum version requirements
✓ Your version of SQLite3, 3.22.0, meets the minimum requirements.
-> Cockroach: Checking installation
✘ The `cockroach` executable could not be found on your system.
For help setting up your Cockroach environment please follow the instructions for you platform at:
https://www.cockroachlabs.com/docs/stable/
-> Buffalo (CLI): Checking installation
✓ The `buffalo` executable was found on your system at: /home/codegoalie/bin/buffalo
-> Buffalo (CLI): Checking minimum version requirements
✓ Your version of Buffalo (CLI), v0.15.3, meets the minimum requirements.
-> Buffalo: Application Details
Pwd         /home/codegoalie/workspace/funtimesapp
Root        /home/codegoalie/workspace/funtimesapp
GoPath      /home/codegoalie/workspace/go
PackagePkg  funtimesapp
ActionsPkg  funtimesapp/actions
ModelsPkg   funtimesapp/models
GriftsPkg   funtimesapp/grifts
WithModules true
Name        funtimesapp
Bin         bin/funtimesapp
VCS         git
WithPop     true
WithSQLite  false
WithDep     false
WithWebpack true
WithNodeJs  true
WithYarn    false
WithDocker  true
WithGrifts  true
AsWeb       true
AsAPI       false
InApp       true
PackageJSON {map[build:webpack -p --progress dev:webpack --watch]}
-> Buffalo: config/buffalo-app.toml
name = "funtimesapp"
bin = "bin/funtimesapp"
vcs = "git"
with_pop = true
with_sqlite = false
with_dep = false
with_webpack = true
with_nodejs = true
with_yarn = false
with_docker = true
with_grifts = true
as_web = true
as_api = false
-> Buffalo: config/buffalo-plugins.toml
[[plugin]]
  binary = "buffalo-pop"
  go_get = "github.com/gobuffalo/buffalo-pop"
-> Buffalo: go.mod
module funtimesapp

go 1.13

require (
	github.com/gobuffalo/buffalo v0.15.3
	github.com/gobuffalo/buffalo-pop v1.23.1
	github.com/gobuffalo/envy v1.8.1
	github.com/gobuffalo/mw-csrf v0.0.0-20190129204204-25460a055517
	github.com/gobuffalo/mw-forcessl v0.0.0-20180802152810-73921ae7a130
	github.com/gobuffalo/mw-i18n v0.0.0-20190129204410-552713a3ebb4
	github.com/gobuffalo/mw-paramlogger v0.0.0-20190129202837-395da1998525
	github.com/gobuffalo/packr/v2 v2.7.1
	github.com/gobuffalo/pop v4.13.1+incompatible
	github.com/gobuffalo/suite v2.8.2+incompatible
	github.com/markbates/grift v1.5.0
	github.com/unrolled/secure v0.0.0-20190103195806-76e6d4e9b90c
)
```
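The swap the issue asks for, shown as an added example rather than code from the issue or from Buffalo's own templates: a small script that flags `uglifyjs-webpack-plugin` in a generated app's `package.json` (the package whose `serialize-javascript` dependency produces the `npm audit` finding above), rewrites the manifest to depend on `terser-webpack-plugin` instead, and shows the corresponding `optimization.minimizer` entry for `webpack.config.js` with the old and new plugin side by side. The sample manifest, its version ranges, and the `^2.3.0` range for the replacement are constructed assumptions for this example, not values taken from Buffalo's generator; the minifier plugin constructor is injected so the file runs without either npm package installed.

```javascript
// Added example (not part of the issue or of Buffalo): detect and migrate the
// deprecated uglifyjs-webpack-plugin in a generated app's package.json, and
// show the matching webpack optimization block before and after the swap.

const DEPRECATED_MINIFIER = 'uglifyjs-webpack-plugin';
const REPLACEMENT_MINIFIER = 'terser-webpack-plugin';
// Assumed range for the replacement; pin it to what `npm view terser-webpack-plugin version` reports.
const REPLACEMENT_RANGE = '^2.3.0';

// Constructed stand-in for the package.json that `buffalo new` writes.
// Package names and version ranges here are assumptions for the example.
const SAMPLE_PACKAGE_JSON = {
  name: 'funtimesapp',
  version: '1.0.0',
  scripts: { build: 'webpack -p --progress', dev: 'webpack --watch' },
  dependencies: { jquery: '~3.4.1' },
  devDependencies: {
    'uglifyjs-webpack-plugin': '~2.2.0',
    webpack: '~4.41.0',
    'webpack-cli': '~3.3.0',
  },
};

// Returns the manifest section ('dependencies' or 'devDependencies') that still
// declares the deprecated minifier, or null when the manifest is clean.
function findDeprecatedMinifier(pkg) {
  for (const section of ['dependencies', 'devDependencies']) {
    const deps = pkg[section];
    if (deps && Object.prototype.hasOwnProperty.call(deps, DEPRECATED_MINIFIER)) {
      return section;
    }
  }
  return null;
}

// Returns a new manifest with the deprecated plugin replaced by terser in the
// same section. The input is not mutated, and keys are re-sorted so the result
// matches the ordering `npm install` would write back.
function migratePackageJson(pkg) {
  const section = findDeprecatedMinifier(pkg);
  if (section === null) return pkg;
  const deps = Object.assign({}, pkg[section]);
  delete deps[DEPRECATED_MINIFIER];
  deps[REPLACEMENT_MINIFIER] = REPLACEMENT_RANGE;
  const sorted = {};
  for (const key of Object.keys(deps).sort()) sorted[key] = deps[key];
  return Object.assign({}, pkg, { [section]: sorted });
}

// The minimizer entry in webpack.config.js.
//   Before: const UglifyJsPlugin = require('uglifyjs-webpack-plugin');
//           optimization: { minimizer: [new UglifyJsPlugin({ parallel: true })] }
//   After:  const TerserPlugin = require('terser-webpack-plugin');
//           optimization: { minimizer: [new TerserPlugin({ parallel: true })] }
// The constructor is passed in so this file runs with neither package
// installed; in a real config call webpackOptimization(require('terser-webpack-plugin')).
function webpackOptimization(MinifierPlugin) {
  return {
    minimize: true,
    minimizer: [new MinifierPlugin({ parallel: true })],
  };
}

// Runs the check and the migration end to end on the constructed manifest.
function main() {
  const before = findDeprecatedMinifier(SAMPLE_PACKAGE_JSON);
  console.log(`before: ${before ? `${DEPRECATED_MINIFIER} in ${before}` : 'clean'}`);
  const migrated = migratePackageJson(SAMPLE_PACKAGE_JSON);
  console.log(`after:  ${findDeprecatedMinifier(migrated) === null ? 'clean' : 'still present'}`);
  console.log(JSON.stringify(migrated.devDependencies, null, 2));
}

if (typeof require !== 'undefined' && require.main === module) main();
```

After writing the migrated manifest back and running `npm install`, re-run `npm audit`: the `uglifyjs-webpack-plugin > serialize-javascript` path should no longer appear, because `terser-webpack-plugin` resolves `serialize-javascript` in the patched `>=2.1.1` range rather than the version uglify pins.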
codegoalie commented 4 years ago

If this is something that's welcome, I'm happy to open a PR for it.

markbates commented 4 years ago

This is already fixed in development and will be in the next release.