serialize-javascript high vulnerability

[moridianmess]

Are there any plans to update serialize-javascript in the near future? As I'm getting a high vulnerability on NPM as of today.

  High            Remote Code Execution

  Package         serialize-javascript

  Patched in      >=3.1.0

  Dependency of   @ionic/angular-toolkit [dev]

  Path            @ionic/angular-toolkit > copy-webpack-plugin >
                  serialize-javascript

  More info       https://npmjs.com/advisories/1548

found 1 vulnerabilities (1 high) in 1570 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Thanks in advance

[kalemteknoloji]

i have same problem

[valeriaraffa]

I have the same problem. Do I need the 'angular-toolkit' in an ionic 5 Angular 10, capacitor iOS and Android App?

[bkarv]

Yes same here, Ionic info below. Tried doing audit fix but it breaks the compiler (JS out memory)

Ionic:

   Ionic CLI                     : 6.10.0 (/usr/local/lib/node_modules/@ionic/cli)
   Ionic Framework               : @ionic/angular 5.3.1
   @angular-devkit/build-angular : 0.901.7
   @angular-devkit/schematics    : 9.1.7
   @angular/cli                  : 9.1.7
   @ionic/angular-toolkit        : 2.2.0

[WaseemRakab]

same issue here..

[edn9]

Same issue here.

Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           


  High            Remote Code Execution                                         

  Package         serialize-javascript                                          

  Patched in      >=3.1.0                                                       

  Dependency of   @ionic/angular-toolkit [dev]                                  

  Path            @ionic/angular-toolkit > copy-webpack-plugin >                
                  serialize-javascript                                          

  More info       https://npmjs.com/advisories/1548                             

found 2 vulnerabilities (1 low, 1 high) in 1753 scanned packages
  1 vulnerability requires semver-major dependency updates.
  1 vulnerability requires manual review. See the full report for details.

Ionic Info

Ionic:

   Ionic CLI                     : 6.11.0 (C:\Users\dev\AppData\Roaming\npm\node_modules\@ionic\cli)
   Ionic Framework               : @ionic/angular 5.1.1
   @angular-devkit/build-angular : 0.901.12
   @angular-devkit/schematics    : 9.1.7
   @angular/cli                  : 9.1.12
   @ionic/angular-toolkit        : 2.2.0

Capacitor:

   Capacitor CLI   : 2.4.0
   @capacitor/core : 2.4.0

Utility:

   cordova-res : not installed
   native-run  : not installed

System:

   NodeJS : v12.18.3 (C:\Program Files\nodejs\node.exe)
   npm    : 6.14.6
   OS     : Windows 10

The weird thing is, the serialize say it's using the version 4.0.0, I dont know if I understand correctly:

[mhartington]

Thanks for the heads up! Reviewing the changes and have the fix in a PR

[Ionitron]

🎉 This issue has been resolved in version 2.3.1 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)

Your semantic-release bot 📦🚀