Upgrade ts-jest and rollup-plugin-terser to fix vulnerabilities #803

Closed
gjgd opened this issue Aug 17, 2020 · 1 comment · Fixed by #679 · May be fixed by #889
Labels
problem: removed issue template OP removed the issue template without good cause scope: dependencies Pull requests that update a dependency file solution: duplicate This issue or pull request already exists topic: Jest 25 Related to Jest 25 upgrade topic: Rollup 2 Related to Rollup 2 upgrade

Comments

@gjgd

gjgd commented Aug 17, 2020

In my project using v0.13.2, when running `npm audit` I get security alerts coming from tsdx dependencies.

Upgrading those dependencies should fix the problem.

Full details

➜ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ tsdx [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ tsdx > ts-jest > yargs-parser                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Remote Code Execution                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ tsdx [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ tsdx > rollup-plugin-terser > serialize-javascript           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1548                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 vulnerabilities (1 low, 1 high) in 1108 scanned packages
  2 vulnerabilities require manual review. See the full report for details.
@agilgur5 agilgur5 added scope: dependencies Pull requests that update a dependency file solution: duplicate This issue or pull request already exists labels Aug 17, 2020
@agilgur5
Collaborator

agilgur5 commented Aug 17, 2020

One is a duplicate of #797, which itself is a duplicate of #731 (comment); the other is a duplicate of #679. Please use the search before filing issues.

The low severity one is also from a testing dependency, ts-jest, and doesn't affect your build output.

> Upgrading those dependencies should fix the problem

Neither of these is a direct dependency of TSDX; they're both two levels upstream, and both are breaking changes.

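A worked triage of the audit output above, as an added example that is not part of this issue or of the tsdx project: it reads the JSON form of the same report (`npm audit --json`, npm 6 layout with `advisories`, `findings[].version`, `findings[].paths` and `patched_versions`) and derives the two things the reply establishes by hand, namely that each finding is reachable only through a devDependency and that the vulnerable package sits two hops below the direct dependency, plus whether the installed version already falls inside the "Patched in" range. The two advisories, paths and patched ranges are those printed in the issue; the installed versions (13.1.1 and 2.1.2) and the consumer's `devDependencies` are constructed for the example, and dev-ness is taken from the consumer's own package.json rather than from any flag in the report.

```javascript
'use strict';

// Constructed npm 6 audit report: the two advisories from the issue above.
// Installed versions are assumed for the example (the issue does not print them).
const SAMPLE_REPORT = {
  advisories: {
    '1500': {
      id: 1500,
      module_name: 'yargs-parser',
      severity: 'low',
      title: 'Prototype Pollution',
      patched_versions: '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2',
      findings: [{ version: '13.1.1', paths: ['tsdx>ts-jest>yargs-parser'] }],
    },
    '1548': {
      id: 1548,
      module_name: 'serialize-javascript',
      severity: 'high',
      title: 'Remote Code Execution',
      patched_versions: '>=3.1.0',
      findings: [{ version: '2.1.2', paths: ['tsdx>rollup-plugin-terser>serialize-javascript'] }],
    },
  },
};

// The consumer's package.json devDependencies (constructed).
const SAMPLE_DEV_DEPENDENCIES = { tsdx: '^0.13.2' };

// "1.2.3" (any pre-release suffix is ignored) -> [1, 2, 3]
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range check for what npm audit prints: "||"-separated clauses,
// each a space-separated conjunction of >=, >, <=, < or = comparators.
function satisfies(version, range) {
  return range.split('||').some((clause) =>
    clause.trim().split(/\s+/).every((comparator) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comparator);
      const cmp = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '>=': return cmp >= 0;
        case '>': return cmp > 0;
        case '<=': return cmp <= 0;
        case '<': return cmp < 0;
        default: return cmp === 0;
      }
    })
  );
}

// Classify one advisory: dev-only reachability, distance from the direct
// dependency, and whether the installed version is already in the patched range.
function triageAdvisory(advisory, devDependencies) {
  const paths = advisory.findings.flatMap((f) => f.paths);
  const roots = paths.map((p) => p.split('>')[0]);
  // hasOwnProperty rather than `in`: a polluted Object.prototype (the very bug
  // class of advisory 1500) would otherwise make arbitrary names look declared.
  const devOnly = roots.every((root) => Object.prototype.hasOwnProperty.call(devDependencies, root));
  // "tsdx>ts-jest>yargs-parser": the vulnerable package is 2 hops below tsdx.
  const maxHops = Math.max(...paths.map((p) => p.split('>').length - 1));
  const installedVersions = advisory.findings.map((f) => f.version);
  const patched = installedVersions.every((v) => satisfies(v, advisory.patched_versions));
  // The consumer cannot bump a transitive dependency directly; the realistic
  // choices are "wait for the direct dependency to upgrade" or "fix now".
  const action = patched
    ? 'none (already patched)'
    : devOnly
      ? `dev-only: upgrade ${roots[0]} once a release picks up the fix`
      : 'reachable from production dependencies: fix now';
  return { id: advisory.id, module: advisory.module_name, severity: advisory.severity,
    title: advisory.title, devOnly, maxHops, installedVersions, patched, action };
}

function triageReport(report, devDependencies) {
  return Object.values(report.advisories).map((a) => triageAdvisory(a, devDependencies));
}

// Unpatched advisories reachable from what actually ships; a CI gate can fail on these.
function productionFindings(results) {
  return results.filter((r) => !r.devOnly && !r.patched);
}

if (typeof require !== 'undefined' && require.main === module) {
  const results = triageReport(SAMPLE_REPORT, SAMPLE_DEV_DEPENDENCIES);
  for (const r of results) {
    console.log(`${r.severity.padEnd(4)} ${r.module} (#${r.id}) ${r.title}: ${r.action}; ${r.maxHops} hops below the direct dependency`);
  }
  process.exitCode = productionFindings(results).length ? 1 : 0;
}
```

In practice you would feed `JSON.parse` of `npm audit --json` and the `devDependencies` object from your package.json into `triageReport`; for this report both findings come out dev-only and unpatched, so `productionFindings` is empty and the build gate passes, while the same report against a project that lists tsdx under `dependencies` flags both.
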
@agilgur5 agilgur5 added the problem: removed issue template OP removed the issue template without good cause label Aug 17, 2020
Repository owner locked and limited conversation to collaborators Aug 17, 2020
@agilgur5 agilgur5 changed the title Upgrade vulnerable dependencies Upgrade ts-jest and rollup-plugin-terser to remove vulnerabilities Aug 17, 2020
@agilgur5 agilgur5 changed the title Upgrade ts-jest and rollup-plugin-terser to remove vulnerabilities Upgrade ts-jest and rollup-plugin-terser to fix vulnerabilities Aug 17, 2020
@agilgur5 agilgur5 added topic: Jest 25 Related to Jest 25 upgrade topic: Rollup 2 Related to Rollup 2 upgrade labels Sep 28, 2020
@agilgur5 agilgur5 linked a pull request Sep 28, 2020 that will close this issue
ludofischer added a commit to ludofischer/tsdx that referenced this issue Sep 29, 2020
 - Update Rollup to 2.28.2. Fixes jaredpalmer#821, closes jaredpalmer#545
 - Update @rollup/plugin-commonjs. Upgrading this required Rollup 2 without any note in the changelog.  Closes jaredpalmer#727
 - Update @rollup/plugin-json to 4.1.0. v4.0.3 is the first to add Rollup 2 in the peerDep range. Older versions are forward-compatible but will produce a peerDep warning
 - Update @rollup/plugin-replace to 2.3.3. v2.3.2 is the first version to add Rollup 2 in the peerDep range.
 - Update rollup-plugin-terser to v7. v6 requires rollup 2 and Node 10+. v7 introduces Terser 5, requires Node >= 10 and supports some new JS syntax. fixes jaredpalmer#803, fixes #797, closes jaredpalmer#731
 - Update rollup-plugin-postcss to 3.1. Closes jaredpalmer#693.
 - Remove sourcemap option from terser rollup plugin config, as of rollup-plugin-terser v6.0, it’s inferred automatically from Rollup’s output.source config.
aladdin-add pushed a commit to weiran-zsd/dts-cli that referenced this issue Aug 30, 2021