
fix(terser): upgrade serialize-javascript

Open krausvo1 opened this issue 1 month ago • 11 comments

Rollup Plugin Name: terser

This PR contains:

  • [ ] bugfix
  • [ ] feature
  • [ ] refactor
  • [ ] documentation
  • [x] other

Are tests included?

  • [ ] yes (bugfixes and features will not be merged without tests)
  • [x] no

Breaking Changes?

  • [ ] yes (breaking changes will not be merged unless absolutely necessary)
  • [x] no

If yes, then include "BREAKING CHANGES:" in the first commit message body, followed by a description of what is breaking.

List any relevant issue numbers:

Description

This PR bumps serialize-javascript from 6.0.1 to 6.0.2 which includes XSS vulnerability fix. There are no breaking changes in 6.0.2.

krausvo1 avatar Oct 27 '25 10:10 krausvo1

Your file was detected in my bun.lock as vulnerable to XSS attacks. "rollup-plugin-terser/serialize-javascript": ["[email protected]", "", { "dependencies": { "randombytes": "^2.1.0" } }, "sha512-GaNA54380uFefWghODBWEGisLZFj00nS5ACs6yHa9nLqlLpVLO8ChDGeKRjZnV4Nh4n0Qi7nhYZD/9fCPzEqkw=="],

Please update this library, rollup-plugin-terser/serialize-javascript, to remove the XSS threat.

agentHits avatar Oct 27 '25 14:10 agentHits

[image attachment]

agentHits avatar Oct 27 '25 15:10 agentHits

https://www.mend.io/vulnerability-database/CVE-2024-11831?utm_source=JetBrains

agentHits avatar Oct 27 '25 15:10 agentHits

@krausvo1 if agentHits is your bot please remove it.

shellscape avatar Oct 27 '25 15:10 shellscape

> @krausvo1 if agentHits is your bot please remove it.

It is not, never seen this thing before.

krausvo1 avatar Oct 27 '25 15:10 krausvo1

> @krausvo1 if agentHits is your bot please remove it.

You're burning out, bot. Update the library. My WebStorm is complaining that your library could be vulnerable to an XSS attack.

I wrote it here for you

[image attachment]

agentHits avatar Oct 27 '25 15:10 agentHits

@agentHits please cease commenting on this PR.

shellscape avatar Oct 27 '25 15:10 shellscape

@krausvo1 this update is causing a panic in the tests. check out the failing workflow:

FATAL ERROR: v8::FromJust Maybe value is Nothing.

shellscape avatar Oct 27 '25 16:10 shellscape

@CharlieHelps please analyze the failing Node 18 test and the dependency that was updated in this PR, and share any findings as to why that v8 error is being thrown between the two versions of the dependency that is being updated.

shellscape avatar Oct 27 '25 16:10 shellscape

This issue feels a little out of my league tbh and I have no idea why my changes would cause this issue.

This is what I was able to find out so far:

  • I was able to reproduce the issue locally by running the terser package tests with Node 18.20.8
  • I was able to fix the issue by disabling worker threads when running the terser package tests (e.g. via ava configuration in terser/package.json)
    • I honestly cannot say why this works and even if it makes sense for this package, but I have noticed that most of the other packages' tests also run with worker threads disabled
    • from ava docs:
      • workerThreads: use worker threads to run tests (enabled by default). If false, tests will run in child processes

Do you think it makes sense to disable worker threads for terser's tests?

krausvo1 avatar Oct 29 '25 14:10 krausvo1

Totally understand. I'm going to see if I can use an agent to move the tests to vitest and off of Ava (it's gotten worse over the years, while vitest has gotten better). Will keep this one open.

shellscape avatar Oct 29 '25 15:10 shellscape