Closed greenkeeper[bot] closed 4 years ago
🚨 Reminder! Less than one month left to migrate your repositories over to Snyk before Greenkeeper says goodbye on June 3rd! 🚨
Find out how to migrate to Snyk at greenkeeper.io
The dependency rollup-plugin-terser was updated from 5.3.0 to 6.0.1.
The dependency rollup-plugin-terser was updated from 5.3.0 to 6.1.0.
We've gotta get this upgraded -- there is now a high vulnerability on 5.3.0.
```
┌───────────────┬────────────────────────────────────────────────────┐
│ High          │ Remote Code Execution                              │
├───────────────┼────────────────────────────────────────────────────┤
│ Package       │ serialize-javascript                               │
├───────────────┼────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.0                                            │
├───────────────┼────────────────────────────────────────────────────┤
│ Dependency of │ tsdx [dev]                                         │
├───────────────┼────────────────────────────────────────────────────┤
│ Path          │ tsdx > rollup-plugin-terser > serialize-javascript │
├───────────────┼────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1548                  │
└───────────────┴────────────────────────────────────────────────────┘
```
@dclark27 thanks for the note. 6.0 is a breaking change and fails tests here. It also requires both Node 10+ (planned for v0.14.0) and Rollup v2 (not yet planned, that requires updating a lot of Rollup plugins, which wasn't possible a few months ago). That advisory is from today so I would not expect an immediate response on that.
If you need to update immediately, you could probably override the version in tsdx.config.js, but I'm not sure how that'll interact with everything else... the Rollup version is the big blocker
@agilgur5 Sounds good! I'll take a look in the morning and see if there is any way to get something out in the meantime.
Any update on this vulnerability? Or a workaround in the meantime?
FYI from https://github.com/developit/microbundle/issues/695#issuecomment-672934050:
> [serialize-javascript is] only used for Terser's `<script>` option, which isn't in use here.
Still looking to upgrade Rollup et al to v2 soon, but it'll make v0.14.0 a good bit more breaking, so may hold off on it till v0.15.0
FYI, rollup-plugin-terser has released a patch with version 5.3.1 that updates serialize-javascript, which hopefully fixes the vulnerability and doesn't require a breaking change. :)
edit: in fact, since 5.3.1 is covered by the current version range, consumers can get rid of the warning themselves
Nice catch @Yurickh, so no need for TSDX to do anything then as this has been resolved upstream and we only pin the major version.
If you want to get rid of this warning (TSDX isn't susceptible to the vulnerability per my previous comment), then update your yarn.lock to set rollup-plugin-terser to 5.3.1 and just re-run yarn. Equivalent for NPM is edit package-lock.json and run `npm install`.
You can also avoid the lock hash conflicts by removing and re-adding tsdx (effectively reinstalling), as this will get you the most up-to-date version matching the version range of its dependencies.
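A lockfile check matching the audit path above, as an added example that is not from the tsdx project or from this thread: it walks a package-lock.json (npm 6, lockfileVersion 1) along tsdx > rollup-plugin-terser > serialize-javascript, allowing for npm's hoisting of de-duplicated packages, and reports whether the resolved serialize-javascript falls in the advisory's patched range (>=3.1.0). The two lockfile fragments are constructed, and the names checkLock, resolveAlongPath and atLeast are this example's own.

```javascript
const PATCHED_MIN = [3, 1, 0]; // from the advisory table: patched in >=3.1.0
const ADVISORY_PATH = ['tsdx', 'rollup-plugin-terser', 'serialize-javascript'];

// Parse a release version "x.y.z" into numbers (the constructed lockfiles only use releases).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a release version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version >= min, comparing major, minor and patch in order.
function atLeast(version, min) {
  const a = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== min[i]) return a[i] > min[i];
  }
  return true;
}

// npm 6 lockfiles nest "dependencies" but hoist de-duplicated packages, so a
// package missing under its parent is looked up in the nearest enclosing
// level, which is how npm itself resolves the require().
function resolveAlongPath(lock, path) {
  const scopes = [lock]; // stack of entries whose "dependencies" are in scope
  let entry = null;
  for (const name of path) {
    entry = null;
    for (let i = scopes.length - 1; i >= 0 && !entry; i--) {
      entry = (scopes[i].dependencies || {})[name] || null;
    }
    if (!entry) return null; // this path is not present in the lockfile
    scopes.push(entry);
  }
  return entry.version;
}

// Returns the resolved serialize-javascript version on the advisory path and
// whether it is patched; a path that is not present counts as not affected.
function checkLock(lock) {
  const version = resolveAlongPath(lock, ADVISORY_PATH);
  return { version, patched: version === null || atLeast(version, PATCHED_MIN) };
}

// Constructed lockfile fragments: before and after rollup-plugin-terser 5.3.1.
const vulnerableLock = { lockfileVersion: 1, dependencies: { tsdx: { version: '0.13.3',
  dependencies: { 'rollup-plugin-terser': { version: '5.3.0',
    dependencies: { 'serialize-javascript': { version: '2.1.2' } } } } } } };
const fixedLock = { lockfileVersion: 1, dependencies: { tsdx: { version: '0.13.3',
  dependencies: { 'rollup-plugin-terser': { version: '5.3.1' } } },
  'serialize-javascript': { version: '4.0.0' } } }; // hoisted to the root
```

Against a real project, call `checkLock(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))`; yarn.lock is a different, non-JSON format and is not handled here.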
Superseded by #889
The dependency rollup-plugin-terser was updated from 5.3.0 to 6.0.0.
This version is not covered by your current version range.
If you don't accept this pull request, your project will work just like it did before. However, you might be missing out on a bunch of new features, fixes and/or performance improvements from the dependency update.
Publisher: trysound License: MIT
Find out more about this release.
FAQ and help
There is a collection of [frequently asked questions](https://greenkeeper.io/faq.html). If those don't help, you can always [ask the humans behind Greenkeeper](https://github.com/greenkeeperio/greenkeeper/issues/new).
Your Greenkeeper bot :palm_tree: