Security issue with serialize-javascript dependency

[jrmhaig]

Bug report

In our project we have started seeing a medium level security issue with serialize-javascript version 6.0.1 that is fixed in the latest version 6.0.2. This package is a dependency of terser-webpack-plugin and it is pinned to the old version.

For reference;

• Issue explaining the vulnerability; Security vulnerability for non-HTTP URLs yahoo/serialize-javascript#172
• Fix: Serialize URL string contents to prevent XSS yahoo/serialize-javascript#173

Actual Behavior

serialize-javascript version 6.0.1 is installed as a dependency.

Expected Behavior

serialize-javascript version 6.0.2 or later is installed as a dependency.

How Do We Reproduce?

From yarn.lock;

serialize-javascript@^6.0.1:
  version "6.0.1"
  resolved "https://registry.yarnpkg.com/serialize-javascript/-/serialize-javascript-6.0.1.tgz#b206efb27c3da0b0ab6b52f48d170b7996458e5c"
  integrity sha512-owoXEFjWRllis8/M1Q+Cw5k8ZH40e3zhp/ovX+Xr/vi1qj6QesbyXXViFbpNvWvPNAD62SutwEXavefrLJWj7w==
  dependencies:
    randombytes "^2.1.0"

...

terser-webpack-plugin@^5.3.10, terser-webpack-plugin@^5.3.7:
  version "5.3.10"
  resolved "https://registry.yarnpkg.com/terser-webpack-plugin/-/terser-webpack-plugin-5.3.10.tgz#904f4c9193c6fd2a03f693a2150c62a92f40d199"
  integrity sha512-BKFPWlPDndPs+NGGCr1U59t0XScL5317Y0UReNrHaw9/FwhPENlq6bfgs+4yPfyP51vqC1bQ4rp1EfXW5ZSH9w==
  dependencies:
    "@jridgewell/trace-mapping" "^0.3.20"
    jest-worker "^27.4.5"
    schema-utils "^3.1.1"
    serialize-javascript "^6.0.1"
    terser "^5.26.0"

Please paste the results of npx webpack-cli info here, and mention other relevant information

  System:
    OS: macOS 13.2
    CPU: (10) arm64 Apple M1 Pro
    Memory: 336.89 MB / 16.00 GB
  Binaries:
    Node: 21.5.0 - /opt/homebrew/bin/node
    Yarn: 1.22.19 - /opt/homebrew/bin/yarn
    npm: 10.2.4 - /opt/homebrew/bin/npm
  Browsers:
    Chrome: 120.0.6099.234
    Safari: 16.3
  Packages:
    babel-loader: ^9.1.3 => 9.1.3
    css-loader: ^6.9.1 => 6.9.1
    expose-loader: ^5.0.0 => 5.0.0
    file-loader: ^6.2.0 => 6.2.0
    sass-loader: ^14.0.0 => 14.0.0
    style-loader: ^3.3.4 => 3.3.4
    terser-webpack-plugin: ^5.3.10 => 5.3.10
    url-loader: ^4.1.1 => 4.1.1
    webpack: ^5.89.0 => 5.89.0
    webpack-cli: ^5.1.4 => 5.1.4
    webpack-remove-empty-scripts: ^1.0.4 => 1.0.4

[alexander-akait]

Please update your deps locally, we use ^ https://github.com/webpack-contrib/terser-webpack-plugin/blob/master/package.json#L65 to allow developers do it without unnecessary releases