Giters

halfzebra / create-elm-app

🍃 Create Elm apps with zero configuration

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Several high vulnerabilities CVE-2019-16772, CVE-2019-16769, CVE-2020-7660 are introduced in create-elm-app

ayaka-kms opened this issue · comments

commented

Hi, several high vulnerabilities CVE-2019-16772, CVE-2019-16769, CVE-2020-7660 are introduced in create-elm-app via:
● create-elm-app@5.22.0 ➔ uglifyjs-webpack-plugin@1.3.0 ➔ serialize-javascript@1.9.1

uglifyjs-webpack-plugin is a legacy package. It has not been maintained for about 2 years, and is not likely to be updated.
Is it possible to migrate uglifyjs-webpack-plugin to other package to remediate this vulnerability?

I noticed several migration records for uglifyjs-webpack-plugin in other js repos, such as

  1. in weaveworks-ui-components, version 0.22.5 ➔ 0.22.6, migrate from uglifyjs-webpack-plugin to terser-webpack-plugin via commit
  2. in immortal-db, version 1.0.3 ➔ 1.1.0, migrate from uglifyjs-webpack-plugin to terser-webpack-plugin via commit

Are there any efforts planned that would remediate this vulnerability or migrate uglifyjs-webpack-plugin?

Thanks
; )