dependency warning on "serialize-javascript" #3268

Closed
aimaj-anz opened this issue Aug 11, 2020 · 7 comments · Fixed by #3282
Labels
bug An error in the Docusaurus core causing instability or issues with its execution

Comments

@aimaj-anz

🐛 Bug Report

doing a clean yarn install of latest version, and yarn audit returns some vulnerability warnings:
https://www.npmjs.com/advisories/1548

Have you read the Contributing Guidelines on issues?

yes

To Reproduce

  1. create new project
  2. yarn install @docusaurus/core^2.0.0-alpha.61 and/or @docusaurus/preset-classic^2.0.0-alpha.61
  3. yarn audit
  4. view warnings

Expected behavior

No audit warnings

Actual Behavior

6 audit warnings

Your Environment

  • mac OS
  • "@docusaurus/core": "^2.0.0-alpha.61"
  • "@docusaurus/preset-classic": "^2.0.0-alpha.61"

Reproducible Demo

N/A

aimaj-anz added the "bug" and "status: needs triage" labels Aug 11, 2020

slorber (Collaborator) commented Aug 12, 2020

Thanks, will take a look at this soon.

slorber (Collaborator) commented Aug 12, 2020

fixed by #3265

slorber closed this as completed Aug 12, 2020

temannin commented Aug 12, 2020

@slorber, I do not believe #3265 fixes the issue. The audit report references copy-webpack-plugin and not terser-webpack-plugin.

dschaller (Contributor) commented Aug 12, 2020

There is an additional update needed for webpack and copy-webpack-plugin. The minimum version of webpack required to patch the vulnerability is 5, which requires updating a few other dependencies that have a peer dependency on webpack@4.

It looks like the following packages all have a peer dependency of webpack@4:

warning " > webpack-dev-middleware@3.7.2" has unmet peer dependency "webpack@^4.0.0".
warning " > cache-loader@4.1.0" has unmet peer dependency "webpack@^4.0.0".
warning " > optimize-css-assets-webpack-plugin@5.0.3" has unmet peer dependency "webpack@^4.0.0".

I've started a branch to upgrade these dependencies and their peers here

slorber (Collaborator) commented Aug 14, 2020

Hey, I'm upgrading the copy plugin here: #3282 to solve this issue.

We also have to upgrade the workbox-build package in the pwa plugin, when they upgrade here: GoogleChrome/workbox#2601 (but this is less likely to affect many D2 users)

@dschaller I don't understand why you think we need to upgrade to Webpack 5?

slorber (Collaborator) commented Aug 14, 2020

Let's keep it open until we are sure it is really fixed + the pwa plugin is also fixed

slorber reopened this Aug 14, 2020

@dschaller
Contributor

@slorber I recall seeing some of the updated packages having a peer dependency of >webpack@5. I could have misread that though.
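
The question this thread turns on is whether a fix in one parent package leaves the advisory reachable through another. As an added example (not part of the original issue and not Docusaurus code), the following groups `yarn audit --json` findings by the package that directly depends on the vulnerable module. It assumes Yarn v1's line-delimited `auditAdvisory` records; the sample input and the function names are constructed for illustration.

```javascript
// Constructed sample in the Yarn v1 `yarn audit --json` shape (one JSON object
// per line). The dependency paths are illustrative, not copied from the issue.
const SAMPLE_AUDIT = [
  '{"type":"auditAdvisory","data":{"resolution":{"id":1548,"path":"@docusaurus/core>copy-webpack-plugin>serialize-javascript"},"advisory":{"id":1548,"module_name":"serialize-javascript"}}}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":1548,"path":"@docusaurus/core>terser-webpack-plugin>serialize-javascript"},"advisory":{"id":1548,"module_name":"serialize-javascript"}}}',
  'this line is not JSON and must be skipped',
  '{"type":"auditSummary","data":{"vulnerabilities":{"high":2}}}',
].join('\n');

// Map each direct parent of `moduleName` to the full dependency paths that
// reach the vulnerable module through it.
function parentsOfVulnerableModule(ndjson, moduleName) {
  const byParent = new Map();
  for (const line of ndjson.split('\n')) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // tolerate stray non-JSON output
    }
    if (!entry || entry.type !== 'auditAdvisory') continue;
    const { resolution, advisory } = entry.data || {};
    if (!resolution || !advisory || advisory.module_name !== moduleName) continue;
    // Paths are '>'-separated; the element before the last is the direct parent.
    const chain = String(resolution.path).split('>');
    const parent = chain.length > 1 ? chain[chain.length - 2] : '(direct dependency)';
    if (!byParent.has(parent)) byParent.set(parent, []);
    byParent.get(parent).push(resolution.path);
  }
  return byParent;
}

// Parents that still pull in the vulnerable module after the packages listed
// in `fixedParents` have been upgraded.
function remainingAfterFix(ndjson, moduleName, fixedParents) {
  return [...parentsOfVulnerableModule(ndjson, moduleName).keys()]
    .filter((parent) => !fixedParents.includes(parent))
    .sort();
}

// With only terser-webpack-plugin upgraded, copy-webpack-plugin is still listed.
console.log(remainingAfterFix(SAMPLE_AUDIT, 'serialize-javascript', ['terser-webpack-plugin']));
```

An empty result for every plugin in use is the condition for closing an issue like this one; re-run the audit after each dependency bump rather than relying on the PR that touched a single parent.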