@shakty I'm seeing the following and I was wondering if this is normal. Concerned about security here if there are perhaps alternate libraries that can be used to avoid vulnerabilities. Seems like it's an NDDB dependency to use uglify?
```
uglify-js <=2.5.0
Severity: critical
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js - https://github.com/advisories/GHSA-34r7-q49f-h37c
Regular Expression Denial of Service in uglify-js - https://github.com/advisories/GHSA-c9f4-xj24-8jqx
fix available via npm audit fix --force
Will install NDDB@0.4.2, which is a breaking change
node_modules/uglify-js
smoosh >=0.4.0
Depends on vulnerable versions of uglify-js
node_modules/smoosh
JSUS >=0.6.3
Depends on vulnerable versions of smoosh
node_modules/JSUS
NDDB >=0.4.3
Depends on vulnerable versions of JSUS
Depends on vulnerable versions of smoosh
node_modules/NDDB
shelf.js >=0.3.7
Depends on vulnerable versions of smoosh
node_modules/shelf.js

5 critical severity vulnerabilities
```
Thanks for posting this. uglify-js is no longer used in the minified build of nodegame; we use terser-js for that. It should be removed as a dependency and the build script should be updated.