
High risk vulnerability in dependencies

Open gabor-at-reed opened this issue 4 years ago • 3 comments

Hi there,

Currently, npm audit marks this package as a high-risk one, because one of its dependencies has a "Remote Memory Exposure" risk.

  High            Remote Memory Exposure

  Package         bl

  Dependency of   brotli-webpack-plugin [dev]

  Path            brotli-webpack-plugin > iltorb > prebuild-install > tar-fs >
                  tar-stream > bl

  More info       https://npmjs.com/advisories/1555

gabor-at-reed avatar Nov 02 '20 13:11 gabor-at-reed

@mynameiswhm could you update the package?

sayjeyhi avatar Nov 22 '20 19:11 sayjeyhi

It would be better if iltorb could be removed. There is a vulnerability in the rc package, which is a transitive dependency of iltorb. I see a PR that has already been sent to remove the dependency. It would be better if that could be merged.

brionmario avatar Nov 09 '21 05:11 brionmario

Since the plugin seems to be abandoned, I followed the official documentation and migrated to the compression-webpack-plugin for Brotli compression.

https://webpack.js.org/plugins/compression-webpack-plugin/#using-brotli

brionmario avatar Mar 14 '22 11:03 brionmario