This repository was archived by the owner on Aug 7, 2021. It is now read-only.
Version 1.3.0 - serialize-javascript version has cross-site scripting vulnerability #1105
Open
Description
Version 1.3.0 gives me this NPM audit complaint
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Cross-Site Scripting
Package serialize-javascript
Patched in >=2.1.1
Dependency of nativescript-dev-webpack [dev]
Path nativescript-dev-webpack > copy-webpack-plugin > serialize-javascript
More info https://npmjs.com/advisories/1426
Moderate Cross-Site Scripting
Package serialize-javascript
Patched in >=2.1.1
Dependency of nativescript-dev-webpack [dev]
Path nativescript-dev-webpack > terser-webpack-plugin > serialize-javascript
More info https://npmjs.com/advisories/1426
Found 2 moderate severity vulnerabilities in 12279 scanned packages
2 vulnerabilities require manual review. See the full report for details.
Activity
PatrickLohan commented on Dec 16, 2019
PatrickLohan commented on Dec 18, 2019
7 days, any move on this? I could try to make a pull request?
Referenced: https://stackoverflow.com/questions/59389440/nativescript-dev-webpack-moderate-vulnerabilities
NickIliev commented on Dec 18, 2019
@PatrickLohan the project is open-source. We are more than happy to receive PRs from contributors, so feel free to post one. Let me know if you need assistance with the contributing part (see this MD for details).
PatrickLohan commented on Dec 19, 2019
This would be my first non personal/work/fun PR so would appreciate the help (would like to have success and not break anything!). Would this require changing the offending package versions (copy-webpack-plugin and terser-webpack-plugin) only, and testing them?
fgutteridge commented on Jan 13, 2020
Any updates?
PatrickLohan commented on Jan 13, 2020
Hi @fgutteridge having never used the testing suite in the contributing guidelines I found it difficult to work out what was going wrong. Maybe someone else can take the baton, or give me some guidance?
daweedm commented on Jun 17, 2020
Won't just running audit fix be enough?
NathanaelA commented on Jun 17, 2020
Well, a couple of things: there are tests to make sure things don't break when dependencies (or PRs) are pushed. We are looking at trying to make the entire test system easier to pick up. Sometimes updates to dependencies break things, and so the tests will hopefully pick those issues up...
Second, this warning is pretty much just an annoyance. If you are unaware, this specific tool repo is only used during building. Neither it nor any of its dependencies is distributed with the app. So the audit issue has no bearing on anything, since this code never actually goes anywhere to have any attack surface.
dmytro-gokun commented on Jun 17, 2020
My 5 cents: sometimes it's a good idea to exclude auditing dev-only dependencies using "npm audit --production", though, as a purist, I would not do that personally :D
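As an added example (not code from the issue or the NativeScript project), the script below makes the "dev-only, never shipped" argument checkable against a lockfileVersion 1 package-lock.json: it walks the nested dependency tree, finds every copy of a package, compares each copy's version against the advisory's "Patched in" threshold, and splits the still-vulnerable copies by whether the lockfile marks them dev-only. The lock tree and the versions of the intermediate packages are constructed for illustration and are not taken from the issue.

```javascript
// Constructed sample lock tree modelled on the two audit paths in the report above
// (lockfileVersion 1 shape: nested "dependencies", "requires", and a "dev" flag).
// Versions of the intermediate packages are illustrative, not from the issue.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "nativescript-dev-webpack": {
      version: "1.3.0", dev: true,
      requires: { "copy-webpack-plugin": "^5.0.0", "terser-webpack-plugin": "^1.0.0" },
      dependencies: {
        "copy-webpack-plugin": { version: "5.0.5", dev: true, requires: { "serialize-javascript": "^2.0.0" },
          dependencies: { "serialize-javascript": { version: "2.0.0", dev: true } } },
        "terser-webpack-plugin": { version: "1.4.1", dev: true, requires: { "serialize-javascript": "^1.7.0" },
          dependencies: { "serialize-javascript": { version: "1.9.1", dev: true } } },
      },
    },
    // A hoisted production copy that is already at a patched version.
    "serialize-javascript": { version: "2.1.2" },
  },
};

// Compare dotted numeric versions; returns <0, 0 or >0 (prerelease tags are ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the nested tree and collect every copy of `name` with its path and dev flag.
// Paths use the same "a > b > c" layout as the npm audit report.
function findPackage(lock, name) {
  const hits = [];
  (function walk(deps, path) {
    for (const [dep, info] of Object.entries(deps || {})) {
      const p = [...path, dep];
      if (dep === name) hits.push({ version: info.version, dev: !!info.dev, path: p.join(" > ") });
      walk(info.dependencies, p);
    }
  })(lock.dependencies, []);
  return hits;
}

// Keep only copies below the patched version, split by production vs dev-only reachability.
function auditPackage(lock, name, patchedIn) {
  const vulnerable = findPackage(lock, name).filter(h => compareVersions(h.version, patchedIn) < 0);
  return { prod: vulnerable.filter(h => !h.dev), dev: vulnerable.filter(h => h.dev) };
}

const report = auditPackage(SAMPLE_LOCK, "serialize-javascript", "2.1.1");
console.log(`vulnerable prod copies: ${report.prod.length}, dev-only copies: ${report.dev.length}`);
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; a non-empty `prod` list means the package does reach shipped code and "npm audit --production" would still flag it.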