fix(terser): update serialize-javascript to ^7.0.5 to fix security vulnerabilities #1990
Open
williamquintas/plugins
Description
Rollup Plugin Name: terser
This PR contains:
- bugfix
- feature
- refactor
- documentation
- other
Are tests included?
- yes (bugfixes and features will not be merged without tests)
- no (dependency update only)
Breaking Changes?
- yes (breaking changes will not be merged unless absolutely necessary)
- no
If yes, then include "BREAKING CHANGES:" in the first commit message body, followed by a description of what is breaking.
List any relevant issue numbers:
- Related: Vulnerability: Update dependency @rollup/plugin-terser@0.4.4 that relies on vulnerable version serialize-javascript <=7.0.2 GoogleChrome/workbox#3470
- GHSA-5c6j-r48x-rmvq
- GHSA-qj8w-gfj5-8c6v
Description
This PR updates the serialize-javascript dependency from ^7.0.3 to ^7.0.5 to fix two security vulnerabilities:
- GHSA-5c6j-r48x-rmvq (High severity): Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
  - Patched in: 7.0.3
- GHSA-qj8w-gfj5-8c6v (Moderate severity): Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
  - Patched in: 7.0.5
Impact on Downstream Libraries
This vulnerability affects multiple downstream libraries in the dependency chain:
serialize-javascript (vulnerable)
↓
@rollup/plugin-terser (uses serialize-javascript)
↓
workbox-build (uses @rollup/plugin-terser)
↓
vite-plugin-pwa (uses workbox-build)
- workbox-build: Uses `@rollup/plugin-terser@^0.4.3`, which depends on `serialize-javascript@^6.0.1`
- vite-plugin-pwa: Uses `workbox-build`, which pulls in the vulnerable chain
Reference: GoogleChrome/workbox#3470
Fix
Update `packages/terser/package.json`:
- Change: `"serialize-javascript": "^7.0.3"` → `"serialize-javascript": "^7.0.5"`
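Bumping the range in one package does not tell you whether every copy in a project's tree is fixed, since a nested dependency (the workbox-build chain above) can still pin an older release. The script below is an added example, not part of PR #1990 or the rollup/plugins code base: it walks a dependency tree in the shape of `npm ls --all --json` output and reports each copy of serialize-javascript that is older than the patched release of either advisory named in this PR. The sample tree and its version numbers are constructed to mirror the chain described above, not taken from a real lockfile.

```javascript
// Added example, not part of PR #1990 or the rollup/plugins code base.
// Walks a dependency tree in the shape of `npm ls --all --json` output and
// reports every copy of serialize-javascript older than the release in which
// each advisory named in the PR was patched. The sample tree is constructed.

// Advisory -> first patched release, as stated in the PR.
const PATCHED_IN = {
  "GHSA-5c6j-r48x-rmvq": "7.0.3", // RCE via RegExp.flags / Date.prototype.toISOString()
  "GHSA-qj8w-gfj5-8c6v": "7.0.5", // CPU exhaustion via crafted array-like objects
};

// Parse "major.minor.patch"; any pre-release suffix after the patch number is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Advisories that still apply to an installed version (version < patched release).
function advisoriesFor(version) {
  return Object.entries(PATCHED_IN)
    .filter(([, patched]) => compareVersions(version, patched) < 0)
    .map(([id]) => id);
}

// Depth-first walk over { name, version, dependencies: { name: { version, dependencies } } }.
// Returns one finding per vulnerable copy with its full path from the root, so a
// copy nested under workbox-build is reported alongside a top-level one.
function findVulnerable(tree, pkg = "serialize-javascript") {
  const findings = [];
  const walk = (node, name, path) => {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg) {
      const advisories = advisoriesFor(node.version);
      if (advisories.length > 0) {
        findings.push({ path: here.join(" > "), version: node.version, advisories });
      }
    }
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      walk(dep, depName, here);
    }
  };
  walk(tree, tree.name, []);
  return findings;
}

// Constructed sample tree (versions are illustrative, not real lockfile data):
// the vulnerable chain from the PR next to a direct dependency that resolves
// the plugin's updated range to the patched serialize-javascript release.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "vite-plugin-pwa": {
      version: "0.0.0-constructed",
      dependencies: {
        "workbox-build": {
          version: "0.0.0-constructed",
          dependencies: {
            "@rollup/plugin-terser": {
              version: "0.4.3",
              dependencies: { "serialize-javascript": { version: "6.0.1" } },
            },
          },
        },
      },
    },
    "@rollup/plugin-terser": {
      version: "0.4.4",
      dependencies: { "serialize-javascript": { version: "7.0.5" } },
    },
  },
};

// Usage: list each vulnerable copy with the advisories it is still exposed to.
for (const f of findVulnerable(SAMPLE_TREE)) {
  console.log(`${f.path}\n  ${f.version} is affected by ${f.advisories.join(", ")}`);
}
```

On a real project, replace `SAMPLE_TREE` with the parsed output of `npm ls --all --json`; the finding's `path` shows which parent keeps the old copy alive, which is the package whose range needs to move before the advisory is cleared from the tree.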