How to handle npm security vulnerability in my Phoenix project

When I push my Phoenix 1.4 app to GitHub, I get security vulnerability notifications on GitHub.
So I decided to investigate.

Running npm audit in the assets directory, I get the following report:

=== npm audit security report ===
# Run  npm install --save-dev copy-webpack-plugin@5.1.1  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
  Moderate        Cross-Site Scripting
  Package         serialize-javascript
  Dependency of   copy-webpack-plugin [dev]
  Path            copy-webpack-plugin > serialize-javascript
  More info

So is it safe to do npm install --save-dev copy-webpack-plugin@5.1.1, because it says it is a potentially breaking change?

Try it in a separate area and see what happens. If webpack breaks, it should be very obvious - either from the webpack logs or the fact that your website doesn’t work as expected. Be sure to test the various assets webpack may be creating / copying (CSS, js etc).


What do you mean by “separate area”?

Secondly, if it indeed breaks, how to handle it then ?

Checkout/clone a separate copy of your repository into a different directory.

If it breaks, report back with the errors…

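A shell script that automates the advice given in this thread, added here as an example and not taken from any of the posts: it clones the repository into a scratch directory, applies the upgrade npm audit recommends, re-audits, runs the Phoenix 1.4 production build, and then checks that the files webpack emits and copy-webpack-plugin copies are present. It assumes the standard Phoenix 1.4 layout (an assets/ directory whose generated "deploy" script writes to priv/static) and takes the repository URL or path as an argument.

```shell
#!/bin/sh
# Added example (not from the thread). Replays the npm audit recommendation in a
# throwaway clone so a breaking change never touches the working checkout.
# Assumptions: a Phoenix 1.4 layout with assets/ and the generated
# "deploy" script (webpack --mode production) writing to priv/static.
set -e

# Extract the "npm install ..." command from an `npm audit` report read on
# stdin, so the exact recommendation can be replayed rather than retyped.
audit_fix_command() {
  sed -n 's/^# Run  *\(npm install [^ ].*[^ ]\)  *to resolve .*/\1/p' | head -n 1
}

# Clone into a scratch directory, apply the upgrade there, re-audit, rebuild,
# and verify the outputs webpack emits and copy-webpack-plugin copies.
trial_upgrade() {
  repo=$1
  scratch=$(mktemp -d)
  git clone --quiet "$repo" "$scratch/app"
  cd "$scratch/app/assets"
  npm install --no-audit
  npm install --save-dev copy-webpack-plugin@5.1.1
  # Exits non-zero if anything at moderate severity or above remains.
  npm audit --audit-level=moderate
  # Production build; an incompatible plugin API shows up here as an error.
  npm run deploy
  # Bundles come from webpack itself; favicon.ico and robots.txt are copied
  # from assets/static by copy-webpack-plugin, the package being upgraded.
  for f in js/app.js css/app.css favicon.ico robots.txt; do
    [ -s "../priv/static/$f" ] || { echo "missing build output: $f" >&2; return 1; }
  done
  echo "upgrade built cleanly; inspect $scratch/app before applying it for real"
}

# Usage: sh trial-upgrade.sh --run <repo-url-or-path>
if [ "${1-}" = "--run" ] && [ -n "${2-}" ]; then
  trial_upgrade "$2"
fi
```

If the build or the output check fails, the errors are already isolated in the scratch clone and can be pasted back into the thread as the reply above asks.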

See this thread, and also the last post in it: Github security concern related to phoenix 1.4 app