I'm getting a security vulnerability on uglifyjs-webpack-plugin package
Moderate Cross-Site Scripting
Package serialize-javascript
Patched in >=2.1.1
Dependency of uglifyjs-webpack-plugin [dev]
Path uglifyjs-webpack-plugin > serialize-javascript
More info https://npmjs.com/advisories/1426
All the fixes I've come across suggest upgrading serialize-javascript to latest, but since I'm not using it directly, I'm not sure what to do here. Any ideas?
I'm using this version "uglifyjs-webpack-plugin": "^2.2.0"
Take a look at the package.json. The plugin has a dependency on "serialize-javascript": "^1.7.0", and the caret range means that a version <2.0.0 will be downloaded; the last acceptable available version is 1.9.1, where the fix isn't present.
Because the repository is now archived (considered deprecated), you could patch it yourself or, if possible, switch to the terser-webpack-plugin, as the documentation suggests.
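The caret-range reasoning in the answer above, as an added example (not part of the original answer or of either package's code): a dependency-free check of whether a declared caret range can ever resolve to the advisory's patched floor. The `published` list is a constructed sample, the function names are hypothetical, and pre-release tags are not handled.

```javascript
// Added example: minimal caret-range check, no third-party semver library.
// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are not handled).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Compare two versions: negative if a < b, 0 if equal, positive if a > b.
function compare(a, b) {
  const x = parse(a);
  const y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Exclusive upper bound of a caret range: the leftmost non-zero part is bumped.
// ^1.7.0 -> 2.0.0, ^0.2.3 -> 0.3.0, ^0.0.3 -> 0.0.4
function caretUpperBound(range) {
  const [maj, min, pat] = parse(range.replace(/^\^/, ""));
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

// True when version lies in [lower, upperBound) for the given caret range.
function satisfiesCaret(version, range) {
  const lower = range.replace(/^\^/, "");
  return compare(version, lower) >= 0 &&
         compare(version, caretUpperBound(range)) < 0;
}

// A caret range can reach a patched release only if the patched floor
// sits below the range's exclusive upper bound.
function canReachPatched(range, patchedFloor) {
  return compare(patchedFloor, caretUpperBound(range)) < 0;
}

// Constructed sample of published versions, for illustration only.
const published = ["1.7.0", "1.9.1", "2.0.0", "2.1.1"];
const range = "^1.7.0";       // declared by uglifyjs-webpack-plugin (from the answer)
const patchedFloor = "2.1.1"; // "Patched in >=2.1.1" (from the audit output)

const installable = published.filter((v) => satisfiesCaret(v, range));
console.log("installable under", range, "->", installable);
console.log("patched release reachable:", canReachPatched(range, patchedFloor));
```

Because the result is `false` for `^1.7.0`, reinstalling or updating within the declared range cannot clear the advisory; the parent's declared range itself has to change.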