template-rollup-typescript
The template contains a high severity vulnerability
I just tried to use the template, and npm complained about:

```
~/src/phaser3-typescript-project-template$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Remote Code Execution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ serialize-javascript │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.1.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ rollup-plugin-uglify [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ rollup-plugin-uglify > serialize-javascript │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1548 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 86 scanned packages
1 vulnerability requires manual review. See the full report for details.
```
Given that it is only used in an uglify step in a build dependency, it may not actually be exploitable, but it is still a bad first impression.
The link again as a link: https://npmjs.com/advisories/1548

The CVE: https://nvd.nist.gov/vuln/detail/CVE-2020-7660
May be a reason to reprioritize #7
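The triage question raised above (is the vulnerable `serialize-javascript` copy reachable only through a dev dependency, or does it ship in the production install?) can be answered from `package-lock.json` rather than from the audit summary. The script below is an added example, not code from the issue or from the template project: it walks a lockfile-v1 style dependency tree, finds every installed copy of the advised package below the patched version, and reports whether all of them carry npm's `dev: true` flag. The lockfile object is constructed for the example; the package name, patched version and advisory URL are the ones from the audit output quoted in the issue.

```javascript
// Added example: triage an npm advisory against a package-lock.json (lockfile v1
// layout) and decide whether every vulnerable copy is dev-only.
// The lockfile below is CONSTRUCTED for this example; only the advised package,
// patched version and advisory URL come from the npm audit output in the issue.
const lockfile = {
  name: "phaser3-typescript-project-template",
  dependencies: {
    // constructed production dependency (version is a sample value)
    phaser: { version: "3.0.0" },
    // constructed dev dependency pulling in the advised package
    "rollup-plugin-uglify": {
      version: "1.0.0",
      dev: true,
      requires: { "serialize-javascript": "^2.0.0" },
      dependencies: {
        "serialize-javascript": { version: "2.1.2", dev: true },
      },
    },
  },
};

const advisory = {
  module: "serialize-javascript",
  patchedFrom: "3.1.0", // "Patched in >=3.1.0" in the audit report
  url: "https://npmjs.com/advisories/1548",
};

// Compare dotted numeric versions; enough for the x.y.z versions npm audit reports.
function versionLt(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Walk the nested dependency tree and collect every installed copy of the advised
// module whose version is below the patched version, with its install path and
// whether npm marked it as dev-only.
function findVulnerable(lock, adv) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === adv.module && versionLt(info.version, adv.patchedFrom)) {
        hits.push({ path: path.join(" > "), version: info.version, dev: !!info.dev });
      }
      walk(info.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// "dev-only" when no vulnerable copy ships in the production install,
// "production" when at least one does, "not-installed" when none is present.
function triage(lock, adv) {
  const hits = findVulnerable(lock, adv);
  if (hits.length === 0) return { verdict: "not-installed", hits };
  const verdict = hits.every((h) => h.dev) ? "dev-only" : "production";
  return { verdict, hits, advisory: adv.url };
}

console.log(JSON.stringify(triage(lockfile, advisory), null, 2));
```

With the constructed lockfile the verdict is `dev-only` with a single hit at `rollup-plugin-uglify > serialize-javascript`, which matches the `[dev]` marker in the audit table. A `production` verdict would mean the same package version also ends up in the shipped bundle's dependency set, where the advisory deserves a higher priority than a build-time-only exposure.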