fix: eliminate the serialize-javascript vulnerability warning #5829
Conversation
By switching to a fork of copy-webpack-plugin v5, so that we can circumvent the issue in a non-semver-breaking way. Fixes vuejs#5782
| serialize-javascript "^4.0.0" | ||
| webpack-log "^2.0.0" | ||
| | ||
| copy-webpack-plugin@^5.0.2: |
There was a problem hiding this comment.
Thanks for the pr.
Do you know why there is a second copy-webpack-plugin here?
There was a problem hiding this comment.
It comes from vuepress, which is used to deploy the documentation.
| "clipboardy": "^2.3.0", | ||
| "cliui": "^6.0.0", | ||
| "copy-webpack-plugin": "^5.1.1", | ||
| "copy-webpack-plugin-v5": "^5.1.2", |
There was a problem hiding this comment.
Maybe an idea to make this a fixed version, because of security.
But I don't know.
alexander-akait left a comment
alexander-akait left a comment There was a problem hiding this comment.
I strongly do not recommend do it
| So maybe it would be better to do the Update and Migration? |
Why? |
| @peteruithoven We can do it in |
| @evilebottnawi it's hard to update because Vue CLI allows users to tap into the I do plan to update it in the next major, but that would take another 2 to 3 months before being stable. It would certainly be better if a release can be made in the upstream package to address this issue. |
| @sodatea let's do security release |
| @evilebottnawi Thanks! |
| Thanks! :) |
4 participants
By switching to a fork of copy-webpack-plugin v5, so that we can
circumvent the issue in a non-semver-breaking way.
Fixes #5782
What kind of change does this PR introduce? (check at least one)
Does this PR introduce a breaking change? (check one)
Other information: