Update serialize-javascript to 2.1.2+ to address CVE-2019-16772
Update serialize-javascript from 1.x (1.7.0) to 2.1.2+ to address CVE-2019-16772 (aka GHSA-h9rv-jmmf-4pgx)
Why not update to the latest 1.x
The latest version of serialize-javascript 1.x is 1.9.1. Version 1.9.1 still includes the vulnerability, so we cannot use it: https://github.com/yahoo/serialize-javascript/blob/v1.9.1/index.js#L158
A maintenance request for 1.x exists upstream but still looks pending after 4 weeks: https://github.com/yahoo/serialize-javascript/issues/66. As of 2020-01-06 we can use only 2.x, with dependency updates of the following relevant packages.
Dependencies

- compression-webpack-plugin (!22456 (merged))
- copy-webpack-plugin (!22456 (merged))
- webpack -> terser-webpack-plugin (!22452 (merged))
yarn why
```
[...]
=> Found "serialize-javascript@1.7.0"
info Reasons this module exists
   - "compression-webpack-plugin" depends on it
   - Hoisted from "compression-webpack-plugin#serialize-javascript"
   - Hoisted from "copy-webpack-plugin#serialize-javascript"
   - Hoisted from "webpack#terser-webpack-plugin#serialize-javascript"
info Disk size without dependencies: "24KB"
info Disk size with unique dependencies: "24KB"
info Disk size with transitive dependencies: "24KB"
info Number of shared dependencies: 0
```
Edited by Takuya Noguchi