razzle
vulnerability with terser-webpack-plugin
Vulnerability: https://npmjs.com/advisories/565
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ssri │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=6.0.2 <7.0.0 || >=8.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ razzle [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ razzle > terser-webpack-plugin > cacache > ssri │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/565 │
└───────────────┴──────────────────────────────────────────────────────────────┘
It looks like the terser-webpack-plugin package has fixed this as of v6.0.2 (released on Apr 7th, 2021), but it looks like Razzle is currently on 2.x.
This would be quite the version bump, so I'll let you guys mull over the consequences of this.
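The advisory table above gives a dependency path and a patched range with two alternatives (`>=6.0.2 <7.0.0 || >=8.0.1`), which is easy to misread by eye (a 7.x version of ssri is outside both alternatives). The following is an added example, not code from the razzle project or from anyone in this thread: it evaluates an installed version against an npm-style patched range and walks a constructed, simplified dependency tree along the advisory's path to report whether the transitive ssri is patched. The tree, its version numbers, and the function names are assumptions made for the example; prerelease tags and caret/tilde ranges are deliberately not handled.

```javascript
// Added example (not from the razzle issue): check whether the version of a
// transitive dependency found along an advisory path falls inside the
// advisory's patched range. The dependency tree below is constructed and its
// version numbers are placeholders, not the project's real lockfile.

// Parse "1.2.3" into [1, 2, 3]. Prerelease tags are not supported (assumption).
function parseVersion(v) {
  const parts = v.replace(/^v/, '').split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// -1, 0 or 1 comparing two versions numerically, component by component.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// One comparator such as ">=6.0.2" or "<7.0.0".
function satisfiesComparator(version, comparator) {
  const m = comparator.match(/^(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)$/);
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const op = m[1] || '=';
  const c = compareVersions(version, m[2]);
  switch (op) {
    case '>=': return c >= 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '<': return c < 0;
    default: return c === 0;
  }
}

// npm-style range: "||" separates alternatives (OR); whitespace joins
// comparators inside one alternative (AND).
function satisfiesRange(version, range) {
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).every(cmp => satisfiesComparator(version, cmp)));
}

// Follow an "a > b > c" path through a nested dependency tree and return the
// version at the end, or null if some hop on the path is missing.
function versionAtPath(tree, path) {
  let node = { dependencies: tree };
  for (const name of path.split('>').map(s => s.trim())) {
    node = node.dependencies && node.dependencies[name];
    if (!node) return null;
  }
  return node.version;
}

// Constructed tree mirroring the advisory's path; versions are placeholders.
const SAMPLE_TREE = {
  razzle: {
    version: '4.0.0',
    dependencies: {
      'terser-webpack-plugin': {
        version: '2.3.8',
        dependencies: {
          cacache: { version: '13.0.1', dependencies: { ssri: { version: '7.1.0' } } },
        },
      },
    },
  },
};

// Fields taken from the advisory table on the page.
const ADVISORY = {
  pkg: 'ssri',
  path: 'razzle > terser-webpack-plugin > cacache > ssri',
  patched: '>=6.0.2 <7.0.0 || >=8.0.1',
};

// Returns { version, patched }; patched is null when the path is absent.
function auditPath(tree, advisory) {
  const version = versionAtPath(tree, advisory.path);
  if (version === null) return { version: null, patched: null };
  return { version, patched: satisfiesRange(version, advisory.patched) };
}

console.log(auditPath(SAMPLE_TREE, ADVISORY));
```

Run with `node` to see the verdict for the sample tree; the placeholder ssri 7.1.0 sits between the two patched alternatives and is therefore reported as unpatched, which is the case the `||` in the advisory's range is easy to overlook.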
Looking at the changelog (https://github.com/webpack-contrib/terser-webpack-plugin/blob/master/CHANGELOG.md), release 5.0.0 dropped support for webpack 4. Razzle still supports both 4.x and 5.x from what I can see.
I am thinking about doing a razzle 5.0 that has just webpack 5 support since yarn 2 etc. is more strict about deps. But keep features mostly in sync with razzle 4.0. Then people that want all the newest stuff can use 5.0.
Hello, is there any chance of this getting fixed soon? I've been updating dependencies of my Razzle project and finding more and more are using things like the optional chaining operator, which older versions of terser crash on. Bumping terser-webpack-plugin would solve the problem.