wolfiton

wolfiton

Github security concern related to phoenix 1.4 app

Hi everyone,

Today when i opened my email I got this from github:

> Security advisory GHSA-h9rv-jmmf-4pgx (moderate severity) affects 2 repositories:
> serialize-javascript (npm) used in 2 repositories

So i was wondering if the serialize-javascript is a default for phoenix 1.4 apps and what would be the best way to avoid this problem.
also i wanted to report this problem. The verion of phoenix used for this app is phoenix 1.4.11

The repo can be found here Blog API
Thanks in advance for any ideas or suggestions regarding this

Marked As Solved

kokolegorille

kokolegorille

ok,

$ mix phx.new -v
Phoenix v1.4.10
$ mix phx.new koko
$ cd koko/assets
$ npm outdated
Package                             Current  Wanted  Latest  Location
copy-webpack-plugin                   4.6.0   4.6.0   5.0.5  global
css-loader                            2.1.1   2.1.1   3.2.1  global
mini-css-extract-plugin               0.4.5   0.4.5   0.8.0  global
optimize-css-assets-webpack-plugin    4.0.3   4.0.3   5.0.3  global
uglifyjs-webpack-plugin               1.3.0   1.3.0   2.2.0  global
webpack                               4.4.0   4.4.0  4.41.2  global
webpack-cli                           2.1.5   2.1.5  3.3.10  global

returns the list of outdated packages, then just update the versions of packages You want in packages.json and run npm install.

Also Liked

BrightEyesDavid

BrightEyesDavid

For anyone who, for whatever reason, wants to stick with the versions specified by Phoenix, but update to the latest compatible minor/patch versions, I’ve found this to be a simple, no-stress approach:

cd "path/to/my_app_web/assets"
rm package-lock.json
rm -rf node_modules
npm install --silent --no-progress

package.json remains unchanged, package-lock.json is updated and can be committed to version control, and, as of today with Phoenix 1.4.16, npm audit finds 0 vulnerabilities.

Here’s a Bash script to perform that for multiple web apps in an umbrella project, to be placed in and run from the umbrella project’s root directory.

#!/usr/bin/env bash
set -o errexit

# Updates npm packages to latest available according to package.json.

web_apps_with_assets=(
	"my_app_web"
	"my_app_members_web"
	"my_app_admin_web"
)

bold=$(tput bold)
normal=$(tput sgr0)

# Change directory to that of this script
cd "${0%/*}"

for app in "${web_apps_with_assets[@]}"; do
	(
		echo -e "\n${bold}${app}${normal}"
		cd "apps/${app}/assets"
		rm package-lock.json
		rm -rf node_modules
		npm install --silent --no-progress
	)
done
jg-made

jg-made

Hi I am having the same problem (getting npm audit warnings about serialize-javascript which is depended on by uglifyjs-webpack-plugin)

Latest version of the deprecated lib uglifyjs-webpack-plugin is 2.2.0 and its package-lock.json specifies dependancy "serialize-javascript": "^1.7.0" which is installed by npm as "version": "1.9.1" .

I have tested this with a newly generated phoenix 1.4.9 project using npm audit after updating uglifyjs-webpack-plugin to 2.2.0 and re-installing all node modules.

What is most strange about this for me is that this uglifyjs-webpack-plugin shouldn’t be appearing at all in our generated projects! See this PR Switch from uglifyjs-webpack-plugin to terser-webpack-plugin by sfusato · Pull Request #3189 · phoenixframework/phoenix · GitHub which was merged on 11 Dec 2018. Phoenix 1.4.9 was released on 4 July 2019.

I don’t know why the generated projects are using the deprecated lib still but I fixed it manually by replicating the work done in that PR on my local project. It is very easy - only 3 lines in the whole project need changing. See here: Switch from uglifyjs-webpack-plugin to terser-webpack-plugin by sfusato · Pull Request #3189 · phoenixframework/phoenix · GitHub

wolfiton

wolfiton

Thanks @kokolegorille for showing me that I only had to do an upgrade for my packages.json file.
I use yarn and also ran previously before posting this thread this command yarn upgrade. But it appears that this command will not ignore ranges.
yarn upgrade --latest will install the latest verisons without worrying about the constraints.

Full list of yarn upgrade doc

Where Next?

Popular in Discussions Top

matthias_toepp
I’d love to hear what people think about Wisp, the new Gleam web framework started by Gleam’s primary creator Louis Pilfold. Gleam, alon...
New
andre1sk
A big advantage to Elixir is all the distributed goodness but for many applications running on multiple nodes having integrated Etcd, Zoo...
New
Jayshua
I recently came across the javascript library htmx. It reminded me a lot of liveview so I thought the community here might be interested....
New
jeramyRR
This is an interesting article to read. Elixir’s performance, like usual, is excellent. However, it seems like the high CPU usage is co...
New
New
Nvim
Elixir appears to be a superior language to Python. I don’t see any advantage of Python over Elixir. Are there any?
New
RudManusachi
What configs will make sense to put to runtime.exs? – A bit of how I configure apps: I have generic configs in config/config.exs, dev...
New
scouten
I’m looking for a host for the server part of a small (personal) side project that I’m working on. It’s currently written in Node.js and ...
New
dogweather
I wrote this comment on r/haskell, and it’s not popular there. :wink: But I think I’m on to something… Haskell reminds me of Java, and e...
New
paulanthonywilson
I like Umbrella projects and pretty much always use them for personal Elixir stuff, especially Nerves things. But I don’t think this is ...
New

Other popular topics Top

sorentwo
Hello! tl;dr Announcing Oban, an Ecto based job processing library with a focus on reliability and historical observability. After spen...
985 42920 311
New
albydarned
Hello all! I am typing this post from my new MacBook Pro with the M1 chip. I’m loving it so far, and will probably use it as my daily dr...
New
Nvim
Anybody knows a comprehensive comparison of Django and Phoenix, thanks for the help. Where are they similar? Where do they differ the m...
New
shahryarjb
Hello, I have map which I want to convert it to string like this: the map: %{last_name: "tavakkoli", name: "shahryar"} the string I ne...
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
ashish173
I am using Ecto timestamps with postgres, I can see the timestamps() use the :naive_dateime but for my use case I wanted to store the ti...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
dogweather
I wrote this comment on r/haskell, and it’s not popular there. :wink: But I think I’m on to something… Haskell reminds me of Java, and e...
New
sergio
Kind of like when jquery came out, it was super necessary. Existing drag and drop libraries have a bunch of baggage to support old browse...
New

We're in Beta

About us Mission Statement