Security vulnerability serialize-javascript versions < 2.1.1 #4
Labels
dependencies
Pull requests that update a dependency file
Comments
carpiediem
added a commit
to carpiediem/create-react-app
that referenced
this issue
Aug 14, 2020
Addresses security issue with serialize-javascript facebook#8100 PicnicSupermarket/picnic-lunch-and-learn#4 https://github.com/webpack-contrib/terser-webpack-plugin/releases/tag/v3.0.3
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently we are using
serialize-javascriptversions below 2.1.1, which are considered to be a security risk. We do not use this dependency explicitly ourselves, but it is being pulled in byreact-scripts. Upgrading the version ofreact-scriptto the lastest one moves mostserialize-javascriptversions used to >= 2.1.1, except for one, where it is only moved to version 2.1.0.This happens because
react-scriptsuseswebpack, which in turn usescreate-react-app, which have not bumped the version ofserialize-javascriptthey used yet. A ticket has already been filed for this here.Once this ticket has been closed we should be able to bump our version
react-scriptsand no longer depend on any version ofserialize-javascriptbelow 2.1.1.The text was updated successfully, but these errors were encountered: