This repository was archived by the owner on Aug 7, 2021. It is now read-only.

Version 1.3.0 - serialize-javascript version has cross-site scripting vulnerability #1105


Description

@joshstallnick

Version 1.3.0 gives me this NPM audit complaint

```
                 === npm audit security report ===

                            Manual Review
        Some vulnerabilities require your attention to resolve

     Visit https://go.npm.me/audit-guide for additional guidance


 Moderate        Cross-Site Scripting

 Package         serialize-javascript

 Patched in      >=2.1.1

 Dependency of   nativescript-dev-webpack [dev]

 Path            nativescript-dev-webpack > copy-webpack-plugin > serialize-javascript

 More info       https://npmjs.com/advisories/1426


 Moderate        Cross-Site Scripting

 Package         serialize-javascript

 Patched in      >=2.1.1

 Dependency of   nativescript-dev-webpack [dev]

 Path            nativescript-dev-webpack > terser-webpack-plugin > serialize-javascript

 More info       https://npmjs.com/advisories/1426


Found 2 moderate severity vulnerabilities in 12279 scanned packages
 2 vulnerabilities require manual review. See the full report for details.
```

Activity

PatrickLohan

PatrickLohan commented on Dec 16, 2019

@PatrickLohan
PatrickLohan

PatrickLohan commented on Dec 18, 2019

@PatrickLohan

7 days, any move on this? I could try to make a pull request?

Referenced: https://stackoverflow.com/questions/59389440/nativescript-dev-webpack-moderate-vulnerabilities

NickIliev

NickIliev commented on Dec 18, 2019

@NickIliev
Contributor

@PatrickLohan the project is open-source. We are more than happy to receive PRs from contributors, so feel free to post one. Let me know if you need assistance with the contributing part (see this MD for details).

PatrickLohan

PatrickLohan commented on Dec 19, 2019

@PatrickLohan

> @PatrickLohan the project is open-source. We are more than happy to receive PRs from contributors, so feel free to post one. Let me know if you need assistance with the contributing part (see this MD for details).

This would be my first non personal/work/fun PR so would appreciate the help (would like to have success and not break anything!). Would this require changing the offending package versions (copy-webpack-plugin and terser-webpack-plugin) only, and testing them?

fgutteridge

fgutteridge commented on Jan 13, 2020

@fgutteridge

Any updates?

PatrickLohan

PatrickLohan commented on Jan 13, 2020

@PatrickLohan

Hi @fgutteridge, having never used the testing suite in the contributing guidelines, I found it difficult to work out what was going wrong. Maybe someone else can take the baton, or give me some guidance?

daweedm

daweedm commented on Jun 17, 2020

@daweedm

Won't just running audit fix be enough?

NathanaelA

NathanaelA commented on Jun 17, 2020

@NathanaelA

Well, a couple of things: there are tests to make sure things don't break when dependencies (or PRs) are pushed. We are looking at trying to make the entire test system easier to pick up. Sometimes updates to dependencies break things, and so the tests will hopefully pick those issues up...

Second, this warning is pretty much just an annoyance. If you are unaware, this specific tool repo is only used during building. Neither it nor any of its dependencies is distributed with the app. So the audit issue has no bearing on anything, since this code never actually goes anywhere to actually have any attack surface.

dmytro-gokun

dmytro-gokun commented on Jun 17, 2020

@dmytro-gokun

My 5 cents: sometimes it's a good idea to exclude auditing dev-only dependencies using "npm audit --production", though, as a purist, I would not do that personally :D
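As an added example (not code from this issue or from nativescript-dev-webpack), the triage that `npm audit --production` performs, written out over a constructed report in the shape of npm 6's `npm audit --json` output; the field names and the per-finding `dev` flag are assumed from that format, and the sample values come from the advisory shown above:

```javascript
// Constructed sample report: advisory 1426 as reported in this issue, reachable
// only through the devDependency nativescript-dev-webpack. Field layout is an
// assumption about npm 6's `npm audit --json` output.
const sampleAudit = {
  advisories: {
    "1426": {
      id: 1426,
      module_name: "serialize-javascript",
      severity: "moderate",
      title: "Cross-Site Scripting",
      patched_versions: ">=2.1.1",
      findings: [{
        dev: true,   // true when every path to the module goes through a devDependency
        paths: [
          "nativescript-dev-webpack>copy-webpack-plugin>serialize-javascript",
          "nativescript-dev-webpack>terser-webpack-plugin>serialize-javascript",
        ],
      }],
    },
  },
};

// Split advisories into those reachable from production code and those that
// only exist in the build toolchain. productionOnly mimics `--production`:
// dev-only findings are dropped from the result entirely.
function triageAudit(report, { productionOnly = false } = {}) {
  const result = { production: [], devOnly: [] };
  for (const adv of Object.values(report.advisories)) {
    const paths = adv.findings.flatMap((f) => f.paths);
    const reachableFromProd = adv.findings.some((f) => !f.dev);
    const entry = { id: adv.id, module: adv.module_name, severity: adv.severity,
                    patchedIn: adv.patched_versions, paths };
    if (reachableFromProd) result.production.push(entry);
    else if (!productionOnly) result.devOnly.push(entry);
  }
  return result;
}

// The package immediately above the vulnerable module in each path is the one
// whose dependency range has to move for the fix to land (deduplicated, sorted).
function directParents(paths) {
  const parents = paths.map((p) => p.split(">").slice(-2, -1)[0]);
  return [...new Set(parents)].sort();
}

const triage = triageAudit(sampleAudit);
console.log("production findings:", triage.production.length);
console.log("dev-only findings:", triage.devOnly.map((e) => e.module));
console.log("packages pinning the vulnerable module:", directParents(triage.devOnly[0].paths));
```

Running the same data through `triageAudit(sampleAudit, { productionOnly: true })` yields no findings at all, which is exactly what the `--production` flag hides and why NathanaelA's point about build-only attack surface still deserves a conscious decision rather than a silent filter.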

          Version 1.3.0 - serialize-javascript version has cross-site scripting vulnerability · Issue #1105 · NativeScript/nativescript-dev-webpack