Skip to content

Commit b5a4c27

Browse files
authored
fix: upgrade @rollup/plugin-terser to fix serialize-javascript vulnerability (#398)
**Requirements** - [x] I have added test coverage for new or changed functionality - [x] I have followed the repository's [pull request submission guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests) - [x] I have validated my changes against all supported platform versions **Related issues** Remediates high-severity Dependabot alerts for `serialize-javascript`: - [GHSA-5c6j-r48x-rmvq](GHSA-5c6j-r48x-rmvq) — RCE via `RegExp.flags` and `Date.prototype.toISOString()` - [GHSA-qj8w-gfj5-8c6v](GHSA-qj8w-gfj5-8c6v) — CPU Exhaustion DoS via crafted array-like objects **Describe the solution you've provided** Upgrades `@rollup/plugin-terser` from `^0.4.3` to `^1.0.0`. The new version depends on `serialize-javascript@^7.0.3`, which resolves to `7.0.5` (the patched version). The plugin's peer dependency on rollup (`^2.0.0||^3.0.0||^4.0.0`) is unchanged, so no other changes are needed. Build and all 93 tests pass with the upgrade. **Describe alternatives you've considered** An npm `overrides` field to force `serialize-javascript@7.0.5` under the old terser version, but a clean major bump is simpler and better maintained. **Additional context** This is a devDependency-only change — no runtime code is affected. Link to Devin session: https://app.devin.ai/sessions/f782088a3883446e8bb7b049e5631747 Requested by: @pkaeding
2 parents 1fee57f + 1570433 commit b5a4c27

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -49,7 +49,7 @@
4949
"@eslint/js": "^9.7.0",
5050
"@rollup/plugin-json": "^6.0.0",
5151
"@rollup/plugin-node-resolve": "^15.1.0",
52-
"@rollup/plugin-terser": "^0.4.3",
52+
"@rollup/plugin-terser": "^1.0.0",
5353
"@rollup/plugin-typescript": "^12.1.1",
5454
"@testing-library/dom": "^10.4.0",
5555
"@testing-library/jest-dom": "^6.4.8",

0 commit comments

Comments
 (0)