Update serialize-javascript dependency

[TyMick]

Hello! I just installed Microbundle in my project, but after I did so (npm i --save-dev microbundle), npm told me that it introduced the following high severity vulnerability:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Remote Code Execution                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ microbundle [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ microbundle > rollup-plugin-terser > serialize-javascript    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1548                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Here are the specific version numbers that got installed:

└─┬ microbundle@0.12.3
  └─┬ rollup-plugin-terser@5.3.0
    └── serialize-javascript@2.1.2 

Is this remote code execution vulnerability something I should be worried about, or does it not apply to Microbundle?

Being that this vulnerability is fixed in serialize-javascript >=3.1.0, it looks like updating rollup-plugin-terser to at least 6.0.0 would update serialize-javascript to a safe version. I tried forking Microbundle, updating rollup-plugin-terser to 7.0.0, crossing my fingers, and running the tests, but unfortunately, the tests failed, so some breaking change must be getting in the way.

[TyMick]

Here are the release notes for the last few versions of rollup-plugin-terser, in case it helps:

v7.0.0

Upgraded to terser 5 (thanks to @‌chicoxyzzy) and serialize-javascript 4

v6.1.0

Added support for native es modules in node. Now this works with "type": "module" in package.json.

rollup.config.mjs

import { terser } from 'rollup-plugin-terser';
export default {
  ...
}

v6.0.0

• node.js < v10 support is dropped
• rollup < v2 support is dropped
• sourcemap option is inferred from rollup options, please remove from your config
• include/exclude options are dropped in favour of output plugins, see here

[wardpeet]

We're currently waiting for egoist/rollup-plugin-postcss#295 to land so we can upgrade rollup and all our dependencies.

Microbundle is a dev dependency so you shouldn't be too afraid of remote code execution as it's not running while your app is running.

[developit]

Indeed, this is technically unused code since serialize-javascript is not actually executed at any point by Microbundle's usage of Terser. It's only used for Terser's <script> option, which isn't in use here.

I've changed the issue title to reflect the fact that this is neither a vulnerability nor high severity for Microbundle.

[TyMick]

Awesome, thanks for the reassurance! 😅

[developit]

Fixed in #738.