X Tutup
The Wayback Machine - https://web.archive.org/web/20201209134944/https://github.com/developit/microbundle/issues/695
Skip to content

/ microbundle

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update `serialize-javascript` dependency #695

Open
tywmick opened this issue Aug 12, 2020 · 4 comments
Open

Update `serialize-javascript` dependency #695

tywmick opened this issue Aug 12, 2020 · 4 comments
Assignees
@wardpeet
Labels
upstream

Comments

@tywmick
Copy link

@tywmick tywmick commented Aug 12, 2020
edited

Hello! I just installed Microbundle in my project, but after I did so (npm i --save-dev microbundle), npm told me that it introduced the following high severity vulnerability:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Remote Code Execution                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ microbundle [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ microbundle > rollup-plugin-terser > serialize-javascript    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1548                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Here are the specific version numbers that got installed:

└─┬ microbundle@0.12.3
  └─┬ rollup-plugin-terser@5.3.0
    └── serialize-javascript@2.1.2

Is this remote code execution vulnerability something I should be worried about, or does it not apply to Microbundle?

Being that this vulnerability is fixed in serialize-javascript >=3.1.0, it looks like updating rollup-plugin-terser to at least 6.0.0 would update serialize-javascript to a safe version. I tried forking Microbundle, updating rollup-plugin-terser to 7.0.0, crossing my fingers, and running the tests, but unfortunately, the tests failed, so some breaking change must be getting in the way.
@tywmick
Copy link
Author

@tywmick tywmick commented Aug 12, 2020

Here are the release notes for the last few versions of rollup-plugin-terser, in case it helps:

v7.0.0

Upgraded to terser 5 (thanks to @‌chicoxyzzy) and serialize-javascript 4

v6.1.0

Added support for native es modules in node. Now this works with "type": "module" in package.json.

rollup.config.mjs

import { terser } from 'rollup-plugin-terser';
export default {
  ...
}

v6.0.0

  • node.js < v10 support is dropped
  • rollup < v2 support is dropped
  • sourcemap option is inferred from rollup options, please remove from your config
  • include/exclude options are dropped in favour of output plugins, see here
@wardpeet
Copy link
Collaborator

@wardpeet wardpeet commented Aug 12, 2020

We're currently waiting for egoist/rollup-plugin-postcss#295 to land so we can upgrade rollup and all our dependencies.

Microbundle is a dev dependency so you shouldn't be too afraid of remote code execution as it's not running while your app is running.
@developit
Copy link
Owner

@developit developit commented Aug 12, 2020
edited

Indeed, this is technically unused code since serialize-javascript is not actually executed at any point by Microbundle's usage of Terser. It's only used for Terser's <script> option, which isn't in use here.

I've changed the issue title to reflect the fact that this is neither a vulnerability nor high severity for Microbundle.
@developit developit changed the title High severity vulnerability caused by serialize-javascript Update `serialize-javascript` dependency Aug 12, 2020
@tywmick
Copy link
Author

@tywmick tywmick commented Aug 12, 2020
edited

Awesome, thanks for the reassurance! 😅
@wardpeet wardpeet linked a pull request that will close this issue Aug 16, 2020
chore: upgrade all dependencies #680
Closed
@wardpeet wardpeet self-assigned this Aug 16, 2020
@agilgur5 agilgur5 mentioned this issue Aug 24, 2020
Closed
@wardpeet wardpeet mentioned this issue Sep 2, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wardpeet wardpeet

Labels
upstream
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

chore: upgrade all dependencies
3 participants
@developit @wardpeet @tywmick
You can’t perform that action at this time.
X Tutup