
Remote Code Execution Vulnerability to address. #2613

Closed
leifjones opened this issue Aug 19, 2020 · 3 comments

Comments

@leifjones

Library Affected:
workbox-webpack-plugin and workbox-build

Browser & Platform:
Just npm so far

Issue or Feature Request Description:
The workbox-webpack-plugin package v5.1.3 (latest stable) depends on v5.1.3 of workbox-build, which depends on ^5.2.0 of rollup-plugin-terser, which depends on serialize-javascript ^2.1.2.

There was a high-severity vulnerability announced last week recommending bumping serialize-javascript to >=3.1.0.

Request: Release a new version of workbox-webpack-plugin and workbox-build that uses rollup-plugin-terser at least version 7.0.0 (the first version with serialize-javascript >=3.1.0), so that the vulnerability is not exposed to users of workbox.
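
The dependency chain described in this report can be checked mechanically rather than by reading package.json files by hand. The script below is an added example for this thread, not Workbox project code and not something the reporter posted: it walks a package-lock-style tree and reports every installed copy of serialize-javascript resolved below the fixed release 3.1.0, together with the path that pulls it in, so the transitive route through workbox-build and rollup-plugin-terser is visible. The nested `dependencies` layout (npm lockfileVersion 1) is an assumption about the input; the lock data is constructed inline, with the resolved versions set to the floors of the ranges quoted above, and `example-plugin` with its already-fixed copy is hypothetical, included only to show that a non-vulnerable copy is not flagged.

```javascript
// Added example (not Workbox project code): find copies of serialize-javascript
// below the fixed version in a package-lock-style tree and print the path
// that brings each one in. Assumes npm lockfileVersion 1 nesting
// (each node may carry its own `dependencies` object).

const VULNERABLE_PKG = 'serialize-javascript';
const FIXED_VERSION = '3.1.0';

// Parse "MAJOR.MINOR.PATCH" into numbers (an optional leading "v" and any
// pre-release/build suffix are ignored, which is enough for lockfile versions).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Depth-first walk over nested `dependencies` objects, yielding
// { name, version, path } for every node, where path lists "name@version"
// from the top-level dependency down to this node.
function* walkLock(deps, path = []) {
  for (const [name, node] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${node.version}`];
    yield { name, version: node.version, path: here };
    yield* walkLock(node.dependencies, here);
  }
}

// Return every installed copy of `pkg` whose resolved version is below `fixed`.
function findVulnerable(lock, pkg = VULNERABLE_PKG, fixed = FIXED_VERSION) {
  const hits = [];
  for (const n of walkLock(lock.dependencies)) {
    if (n.name === pkg && compareSemver(n.version, fixed) < 0) {
      hits.push({ version: n.version, path: n.path.join(' > ') });
    }
  }
  return hits;
}

// Constructed lock data mirroring the chain in the report. Resolved versions
// are the floors of the quoted ranges (^5.2.0 and ^2.1.2). `example-plugin`
// and its serialize-javascript 4.0.0 copy are hypothetical.
const CONSTRUCTED_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'workbox-webpack-plugin': {
      version: '5.1.3',
      dependencies: {
        'workbox-build': {
          version: '5.1.3',
          dependencies: {
            'rollup-plugin-terser': {
              version: '5.2.0',
              dependencies: {
                'serialize-javascript': { version: '2.1.2' },
              },
            },
          },
        },
      },
    },
    'example-plugin': {
      version: '1.0.0',
      dependencies: {
        'serialize-javascript': { version: '4.0.0' },
      },
    },
  },
};

function main() {
  const hits = findVulnerable(CONSTRUCTED_LOCK);
  for (const h of hits) {
    console.log(`${VULNERABLE_PKG}@${h.version} < ${FIXED_VERSION} via ${h.path}`);
  }
  console.log(hits.length ? `${hits.length} vulnerable copy(ies) found` : 'no vulnerable copies');
}

if (typeof require !== 'undefined' && require.main === module) main();
```

To run this against a real project, replace `CONSTRUCTED_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; lockfiles of version 2 or 3 use a flat `packages` map keyed by path instead of nesting, so `walkLock` would need a different traversal for those. The check is purely a version comparison on what is installed; it does not confirm whether the vulnerable code path is reachable in a given build.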

@jeffposnick
Contributor

Please see #2601 (comment)

@leifjones
Author

I acknowledge the bind that you all are in - tension between:

  • v5 seemingly needing to support Node 8
  • expectations of very high quality and reliability for release of v6
  • seemingly insufficient use of v6 alphas to confidently progress to beta and GA

@jeffposnick
Contributor

FWIW, I've got pretty good confidence based on our test suite that the v6 alpha should work as expected. At this point, though, there are still some breaking changes that @philipwalton plans on implementing for v6 related to workbox-precaching, and we don't want to progress out of alpha to a beta or release candidate until we feel confident that the public interfaces are locked in.
