Skip to content

npm reports security vulnerability in rollup-plugin-uglify -> serialize-javascript #9129

Description

@kring
                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  High            Remote Code Execution

  Package         serialize-javascript

  Patched in      >=3.1.0

  Dependency of   rollup-plugin-uglify [dev]

  Path            rollup-plugin-uglify > serialize-javascript

  More info       https://npmjs.com/advisories/1548

found 1 high severity vulnerability in 917 scanned packages

Because rollup-plugin-uglify is only used at build time to serialize the rollup plugin's configuration, it is not actually a relevant security vulnerability for CesiumJS. However, it is a scary-looking message at npm install time, either from a release ZIP or from github (installing CesiumJS from npm is not affected because we won't get any devDependencies that way). We should fix it.

TrySound/rollup-plugin-uglify#85 will fix it, but we need to wait for the rollup-plugin-uglify maintainers to merge that PR and release a new version. npm doesn't have an easy way to override a dependency of a dependency (unlike yarn). Other options:

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions