high severity vulnerability in package serialize-javascript
PierreMano opened this issue
Visit https://go.npm.me/audit-guide for additional guidance
High Remote Code Execution
Package serialize-javascript
Patched in >=3.1.0
Dependency of react-scripts
Path react-scripts > terser-webpack-plugin > serialize-javascript
More info https://npmjs.com/advisories/1548
Please raise the issue here https://github.com/facebook/create-react-app. React-scripts should upgrade the terser plugin.
@PierreMano This is the repository for serialize-javascript. A patched version of serialize-javascript is already available, so if you are using an outdated version, please upgrade to the latest version.
Thanks for the reply, I will try to update but I think I have already done it! If the problem persists I will raise the issue on the other link!
You can edit your messages. Do not need to spam.
- The advisory wrongly says:
{"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}
This is not true since version 2.1.0 or so. The regex is serialized as new RegExp("(1\")", "").
So it will look like:
{"foo": new RegExp("(1\")", ""), "bar": "a\new RegExp("(1\")", "")}
Now, if the issue still happens with this taken into account I don't know.
- Also the advisory says:
to inject arbitrary code via the function "deleteFunctions"
But the issue seems to have nothing to do with this function.
Hello, I'm also receiving this vulnerability warning using Vue-WebPack. I've updated to serialize-javascript@4.0.0 with no luck in resolution. Apologies if this is the wrong place to raise this especially since it is closed. I'm not sure where else I should go at this time.
Here is the message
High Remote Code Execution
Package serialize-javascript
Patched in >=3.1.0
Dependency of @vue/cli-service [dev]
Path @vue/cli-service > copy-webpack-plugin > serialize-javascript
More info https://npmjs.com/advisories/1548
My package.json:
"dependencies": {
"axios": "^0.19.2",
"bootstrap": "^4.5.2",
"bootstrap-vue": "^2.16.0",
"core-js": "^3.6.5",
"serialize-javascript": "^4.0.0",[...]
@ImmortalTreearms It has been fixed in this package. And the intermediate copy-webpack-plugin did make an update to the version of serialize-javascript without the bug.
You need to open an issue in https://github.com/vuejs/vue-cli/issues to tell them that because of this security issue they have to update their copy-webpack-plugin dependency.
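The point made in the last two replies is that bumping serialize-javascript in your own package.json does not remove a vulnerable copy that an intermediate dependency (terser-webpack-plugin, copy-webpack-plugin) has nested under itself; the path npm audit prints is the chain that has to be fixed. The script below is an added example, not code from this thread or from the serialize-javascript project: it walks an npm lockfileVersion 1 tree the way npm resolves nested dependencies and reports every path that ends at a serialize-javascript release below the patched version 3.1.0 quoted in the advisory. The lockfile, and the react-scripts and terser-webpack-plugin version numbers in it, are constructed for the example.

```javascript
// Added example: find dependency paths in an npm v1 lockfile that resolve to a
// serialize-javascript release below the version the advisory says is patched.
// Constructed sample lockfile (versions are made up for the example): the app
// pins serialize-javascript ^4.0.0 directly, but react-scripts still reaches a
// nested 2.1.2 through terser-webpack-plugin.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'serialize-javascript': { version: '4.0.0' },
    'react-scripts': {
      version: '3.4.1', // constructed
      requires: { 'terser-webpack-plugin': '^1.4.3' },
      dependencies: {
        'terser-webpack-plugin': {
          version: '1.4.3', // constructed
          requires: { 'serialize-javascript': '^2.1.2' },
          dependencies: {
            'serialize-javascript': { version: '2.1.2' },
          },
        },
      },
    },
  },
};

// Numeric comparison of "x.y.z" versions; prerelease suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// npm resolution rule: a required package is the nearest copy found by walking
// up the chain of nested "dependencies" maps, ending at the top level.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i] && scopes[i][name]) return scopes[i][name];
  }
  return null;
}

// Returns [{ path: 'a > b > target', version }] for every chain that resolves
// to `target` at a version lower than `patchedIn`.
function findVulnerablePaths(lock, target, patchedIn) {
  const hits = [];
  function walk(name, entry, scopes, path) {
    if (path.includes(name)) return; // guard against dependency cycles
    const nextPath = path.concat(name);
    if (name === target && compareVersions(entry.version, patchedIn) < 0) {
      hits.push({ path: nextPath.join(' > '), version: entry.version });
    }
    // The package's own nested copies take precedence over its parents'.
    const nextScopes = scopes.concat([entry.dependencies || null]);
    for (const dep of Object.keys(entry.requires || {})) {
      const child = resolve(dep, nextScopes);
      if (child) walk(dep, child, nextScopes, nextPath);
    }
  }
  const top = lock.dependencies || {};
  for (const name of Object.keys(top)) walk(name, top[name], [top], []);
  return hits;
}

const report = findVulnerablePaths(SAMPLE_LOCK, 'serialize-javascript', '3.1.0');
for (const h of report) {
  console.log(`${h.path} (found ${h.version}, patched in >=3.1.0)`);
}
```

Running it on the sample prints only the react-scripts > terser-webpack-plugin > serialize-javascript chain; the top-level 4.0.0 copy is fine, which is exactly why upgrading it did nothing for the audit warning. To use it on a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; for lockfileVersion 2 or 3 files the tree lives under "packages" with path keys rather than nested "dependencies" maps, so the walker would need adapting.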