Update uglify-es dependency to use maintained terser module

[fabiosantoscode]

I'm updating the uglify-es dependency to the new fork, which is now named terser

[jsf-clabot]

All committers have signed the CLA.

[alexander-akait]

@fabiosantoscode thanks for PR. Great!

[alexander-akait]

@fabiosantoscode any breaking changes between abandoned uglify-es, should we do major release?

[fabiosantoscode]

There are no breaking changes!

[kzc]

For security reasons it is not recommended to use terser until the npm package ownership issue is resolved:

terser/terser#2 (comment)

All changes to CHANGELOG.md should be reverted - shouldn't change historical references of uglify-es versions to terser retroactively.

[alexander-akait]

@kzc thanks for feedback 👍

[fabiosantoscode]

The issue has been resolved.

[alexander-akait]

@fabiosantoscode what issue? BTW great 👍

[kzc]

Shouldn't change historical references of uglify-es versions to terser retroactively.

[kzc]

ditto

[kzc]

ditto

[kzc]

ditto

[kzc]

ditto

[kzc]

Shouldn't change historical references of uglify-es versions to terser retroactively.

[fabiosantoscode]

Thanks for these! I wasn't being careful enough :/

[alexander-akait]

/cc @fabiosantoscode need do changes above

[irae]

This feels like a major change community wise. Should the PR be named something like "Move UglifyJS-ES to Terser fork". I don't feel quite comfortable calling it just an "update".

Another approach I would suggest and feel more comfortable with would be a multi step phased approach: First create terser-webpack-plugin (bonus points for having your own readme, goals, community model, website, etc.). Then make a new PR here adding a deprecation notice in favor of terser. Lastly, if adoption is too slow, just require the new terser-webpack-plugin from this one, leaving the warning behind.

Security awareness is growing strong in the community, and replacing core dependencies without user knowledge feels a bit against the current trend.

[alexander-akait]

@irae we don't have time on creating new plugin, also terser it is fork uglify-es without breaking change (i.e. it is safe).

Also for webpack@5 we release MinimizerWebpackPlugin support out of box cache/parallel/source maps with support build-in uglify-js, babel-minify and terser minimizers, also allow to using own minimizer, example for css, images and etc.

Creating new plugin will only result in a loss of time. I have been helping a lot of times for webpack/webpack-contrib and i know that no one will create this plugin.

[irae]

I was under the impression that creating a new plugin could just be copy/paste (or cp -r ./old ./new) of the existing plugin and renaming it in some places and documenting it in others. The changelog could start fresh with the first changes and a link to the old changelog.

I trust you when you say there are no breaking changes. Tests will pass, everything is fine in the automation part. But when auditing code, thats only part of the job. People will see the core dependency changing and will be more skeptical than I am. Some people will notice, some other people will get warns from security automation tools.

I used to work at a large corporation and this kind of changes happens to go through a lot of scrutiny. The usual outcome of this kind of changes is to pin to an older minor release and move on, because it is much more work to whitelist new packages with security teams and open source legal team.

My point is not about all the work work it takes or making it harder for no reason. It is about how much people trust on the work you've done and about being honest with the community. If I search for UglifyJS on the web I won't find terser website or the terser fork of uglify. I will find the actual uglify-js, old school and es5 that don't mention terser at all.

It was quite confusing to to me to find out that uglifyjs-es was a branch of uglify-js and later find a fork under a different username/organization was actually working on more features. It gave me a lot of trouble to understand this was not a security breach and I am only 85% certain at this point.

I might be wrong here, or overreacting. Feel free to move on and change the dependency.
I pinned all my versions and at some point I'll re-evaluate my decisions.

[alexander-akait]

@irae even copy/paste require time, I understand perfectly what you are talking here, but unfortunately at the moment only two developers works in webpack-contrib constantly and creating new plugins require time, also it is require maintenance time, many people constantly using this plugin.

We constantly receive issue about problem with uglify and inline compression in webpack repo. Creating new plugin require change default minimizer plugin (now it is uglify) in webpack (i.e. breaking change for webpack).

We have a choice:

1. Leave all as is and leave all problems in many projects with minification (i.e. just tell people that nothing is going to fix).
2. Create new plugin, change this in webpack and release major version (require around 2-3 month).
3. Merge this and fix many problems in many projects (as i said above terser doesn't have incompatibilities with uglify-es, just fixes).

[kzc]

When #308 lands this terser PR should be rebased and disabling the inline compress option should be reverted, as bugs related to it have been fixed in terser.

[kzc]

@fabiosantoscode The inline compress option override from #308 should be reverted as there are no known bugs associated with the default inline compress setting in terser:

uglifyjs-webpack-plugin/src/index.js

Lines 45 to 47 in 4f50156

	compress: {
	inline: 1,
	},

[fabiosantoscode]

@kzc I would much rather let someone else do that, as that commit's changes also touch the tests, docs and other parts of the codebase, not all of those changes are undesirable, and it is a bit out of scope for this PR.

[timdorr]

BTW, since I'm running into issues with this and am impatient, I published this PR as-is in a scoped package on npm for others to use: https://www.npmjs.com/package/@salesloft/terser-webpack-plugin

[DeTeam]

@fabiosantoscode do you think there's any chance getting these changes out there in webpack npm package? :)

[fabiosantoscode]

@DeTeam I can't see why not use @timdorr's version of the package in the meantime.

[alexander-akait]

Close in favor https://github.com/webpack-contrib/terser-webpack-plugin, feel free to feedback and create new issues