Bump "rollup-plugin-terser" dependency to v7.0.0 to fix "serialize-javascript" high security vulnerability #2601
Comments
Hey, we also need this to fix Docusaurus.
Vulnerability: https://www.npmjs.com/advisories/1548
If that helps, here's the 7.0.0 release link: https://github.com/TrySound/rollup-plugin-terser/releases/tag/v7.0.0
I'll push out a new v6 alpha release of Workbox that includes this bumped dependency. Similar to #2319, we're stuck using older versions of
Thanks. That's unfortunate, isn't rollup publishing a backport with the security fix? If we need to adopt the workbox alpha to solve this security issue, how stable is it currently?
These dependency updates are now out as part of https://github.com/GoogleChrome/workbox/releases/tag/v6.0.0-alpha.2

I don't see anything about a backport for the security update to older versions of

Our alpha releases pass our full test suite, and there are relatively minor breaking changes between v5 and v6 in the current alphas. That being said, @philipwalton has some plans to change the

I would selfishly like more folks to try out our alpha releases, just so that we get good usage prior to the final release, but I obviously don't want to pressure folks into doing that in order to get that security fix.

If your project that uses Workbox v5 doesn't need to support Node v8.x, then you could consider using
Thanks. We use the PrecacheController directly a bit; do you think it's likely to have breaking changes?

```js
import {PrecacheController} from 'workbox-precaching';

// `params` (offlineMode, debug) and `getPossibleURLs` are defined elsewhere in
// the Docusaurus service worker and are not shown in this snippet.
const precacheManifest = self.__WB_MANIFEST;
const controller = new PrecacheController();
controller.addToCacheList(precacheManifest);

// Populate the precache during install and drop stale entries on activate.
self.addEventListener('install', (event) => {
  event.waitUntil(controller.install());
});
self.addEventListener('activate', (event) => {
  event.waitUntil(controller.activate());
});

// Serve a request from the precache if any candidate URL for it was precached.
// Note: respondWith() has to be called synchronously during fetch dispatch;
// this works here only because there is no `await` before it.
self.addEventListener('fetch', async (event) => {
  if (params.offlineMode) {
    const requestURL = event.request.url;
    const possibleURLs = getPossibleURLs(requestURL);
    for (let i = 0; i < possibleURLs.length; i += 1) {
      const possibleURL = possibleURLs[i];
      // Returns the revisioned cache key, or undefined if the URL is not precached.
      const cacheKey = controller.getCacheKeyForURL(possibleURL);
      if (cacheKey) {
        if (params.debug) {
          console.log('[Docusaurus-PWA][SW]: serving cached asset', {
            requestURL,
            possibleURL,
            possibleURLs,
            cacheKey,
          });
        }
        event.respondWith(caches.match(cacheKey));
        break;
      }
    }
  }
});
```
@slorber In v6 we will likely require events to be passed to all strategies/handlers, and since

That being said, given your usage above, I think you could simplify your code since the

```js
import {PrecacheController} from 'workbox-precaching';

// `params` and `getPossibleURLs` come from the surrounding Docusaurus service worker.
const precacheManifest = self.__WB_MANIFEST;
const controller = new PrecacheController();
// precache() adds the entries and registers the install/activate listeners itself,
// so the explicit install/activate handlers from the previous snippet are not needed.
controller.precache(precacheManifest);

self.addEventListener('fetch', async (event) => {
  if (params.offlineMode) {
    const requestURL = event.request.url;
    const possibleURLs = getPossibleURLs(requestURL);
    for (let i = 0; i < possibleURLs.length; i += 1) {
      const possibleURL = possibleURLs[i];
      const cacheKey = controller.getCacheKeyForURL(possibleURL);
      if (cacheKey) {
        if (params.debug) {
          console.log('[Docusaurus-PWA][SW]: serving cached asset', {
            requestURL,
            possibleURL,
            possibleURLs,
            cacheKey,
          });
        }
        event.respondWith(caches.match(cacheKey));
        break;
      }
    }
  }
});
```
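To make the lookup in the two fetch handlers above something you can run outside a service worker, here is an added example (not Workbox or Docusaurus code) that models it in plain JavaScript: it builds the precache manifest's URL-to-cache-key map the way Workbox's precache does (a `__WB_REVISION__` query parameter for entries carrying a `revision`, the bare URL for string entries whose filename already contains the hash), generates candidate URLs for a request, and returns the first candidate that is actually precached. The `getPossibleURLs` stand-in, the `example.test` origin and the manifest entries are assumptions constructed for the example; Docusaurus's real `getPossibleURLs` is not on this page.

```javascript
// Added example (not Workbox code): a plain-JS model of the precache lookup
// performed by the fetch handler in the thread. Assumptions: the constructed
// origin below and a simplified getPossibleURLs stand-in.
const ORIGIN = 'https://example.test'; // constructed origin for the example

// Cache key as Workbox's precache would build it: revisioned entries get a
// __WB_REVISION__ query parameter; string entries are keyed by the URL alone.
function cacheKeyForEntry(entry, origin = ORIGIN) {
  const url = typeof entry === 'string' ? entry : entry.url;
  const abs = new URL(url, origin);
  if (typeof entry === 'string' || !entry.revision) return abs.href;
  abs.searchParams.set('__WB_REVISION__', entry.revision);
  return abs.href;
}

// Map of absolute URL -> cache key, i.e. what getCacheKeyForURL consults.
function buildCacheKeyMap(manifest, origin = ORIGIN) {
  const map = new Map();
  for (const entry of manifest) {
    const url = new URL(typeof entry === 'string' ? entry : entry.url, origin).href;
    map.set(url, cacheKeyForEntry(entry, origin));
  }
  return map;
}

// Stand-in for Docusaurus's getPossibleURLs (assumption): the request URL with
// query and hash stripped, plus the index.html under directory-style paths.
function getPossibleURLs(requestURL) {
  const u = new URL(requestURL);
  u.hash = '';
  u.search = '';
  const candidates = [u.href];
  if (u.pathname.endsWith('/')) {
    candidates.push(new URL('index.html', u).href);
  } else if (!/\.[a-z0-9]+$/i.test(u.pathname)) {
    candidates.push(new URL(u.pathname + '/index.html', u).href);
  }
  return candidates;
}

// Equivalent of the loop in the fetch handler: the first precached candidate
// wins; null means the request falls through to the network.
function resolveCacheKey(cacheKeyMap, requestURL) {
  for (const candidate of getPossibleURLs(requestURL)) {
    const key = cacheKeyMap.get(candidate);
    if (key) return {possibleURL: candidate, cacheKey: key};
  }
  return null;
}

// Constructed manifest in the shape of self.__WB_MANIFEST.
const SAMPLE_MANIFEST = [
  {url: '/index.html', revision: 'abc123'},
  {url: '/docs/index.html', revision: 'rev2'},
  '/assets/main.deadbeef.js',
];

const SAMPLE_MAP = buildCacheKeyMap(SAMPLE_MANIFEST);
console.log(resolveCacheKey(SAMPLE_MAP, 'https://example.test/docs/?x=1'));
console.log(resolveCacheKey(SAMPLE_MAP, 'https://example.test/missing.png'));
```

Because only URLs present in the manifest can resolve to a cache key, `respondWith(caches.match(cacheKey))` never serves anything that was not precached at install time; unknown requests return `null` here and go to the network in the real worker.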
(Re-opening this issue for visibility.)
Thanks, will try to upgrade to v6 but don't have time right now 🤪
To repeat something buried at the end of one of the other comments: for folks who don't need to maintain Node v8.x compatibility and would prefer not to try out the alpha releases of Workbox v6, it should be possible to use
Hey @jeffposnick, is it possible to make a new patch release on v5 to bump this package? I made it on this branch and it seems ok:
Ah, cool. Yes, I should be able to get a Workbox v5.1.4 out this week that includes (just) that updated
Workbox
Thank you @jeffposnick :)
Library Affected:
workbox-build
Browser & Platform:
All projects using workbox-build
Issue or Feature Request Description:
Bump "rollup-plugin-terser" dependency to v7.0.0 to fix "serialize-javascript" high security vulnerability
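The request above is about a vulnerable package reached only transitively (workbox-build pulls in rollup-plugin-terser, which pulls in serialize-javascript), which is exactly the kind of dependency an `npm ls` of your direct dependencies will not show. As an added example, not part of Workbox, here is a small audit helper that walks a `package-lock.json` (lockfileVersion 1 layout with nested `dependencies`), lists every copy of a named package with the chain that brought it in, and flags the copies below a fix version the caller takes from the advisory. The lockfile fragment and all version numbers in it are constructed for the example; the affected range is not stated on this page, so the threshold is a parameter rather than a hard-coded value.

```javascript
// Added example, not part of the Workbox project: find every copy of a package
// in a package-lock.json (lockfileVersion 1, nested "dependencies") and report
// the ones below a fix version supplied by the caller from the advisory.

// Numeric [major, minor, patch] from a lockfile version string (pre-release
// suffix ignored; lockfile versions are exact, not ranges).
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}

// true when version a is strictly lower than version b.
function versionLess(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Every occurrence of `name` in the lock tree, with its dependency path.
function findPackage(lock, name) {
  const hits = [];
  function walk(deps, path) {
    for (const [depName, info] of Object.entries(deps || {})) {
      const here = [...path, `${depName}@${info.version}`];
      if (depName === name) {
        hits.push({version: info.version, path: here.join(' > ')});
      }
      walk(info.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Occurrences of `name` whose version is below `fixedIn`.
function auditLockfile(lock, name, fixedIn) {
  return findPackage(lock, name).filter((h) => versionLess(h.version, fixedIn));
}

// Constructed lockfile fragment mirroring the chain discussed in the thread.
// Every version number here is made up for the example.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'workbox-build': {
      version: '5.1.3',
      dependencies: {
        'rollup-plugin-terser': {
          version: '5.3.0',
          dependencies: {
            'serialize-javascript': {version: '2.1.2'},
          },
        },
      },
    },
    'some-other-tool': {
      version: '1.0.0',
      dependencies: {
        'serialize-javascript': {version: '4.0.0'},
      },
    },
  },
};

// FIXED_IN_PLACEHOLDER: substitute the patched version from the advisory.
const FIXED_IN_PLACEHOLDER = '0.0.0';
console.log(auditLockfile(SAMPLE_LOCK, 'serialize-javascript', FIXED_IN_PLACEHOLDER));
```

For a real project, `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` gives the lock object; the path in each hit tells you which top-level dependency (here workbox-build) needs the bump, which is the information this issue is asking the maintainers to act on.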