
updated packages to remove security issue: Cross-site Scripting (XSS) in serialize-javascript #515

Open
nightness wants to merge 5 commits into shadowwalker:master from Brainwires:master

Conversation

@nightness

Fixed without rewriting the source files...

serialize-javascript  <6.0.2
Severity: moderate
Cross-site Scripting (XSS) in serialize-javascript - https://github.com/advisories/GHSA-76p7-773f-r4q5
fix available via `npm audit fix --force`
Will install next-pwa@2.0.2, which is a breaking change
node_modules/rollup-plugin-terser/node_modules/serialize-javascript
  rollup-plugin-terser  3.0.0 || >=4.0.4
  Depends on vulnerable versions of serialize-javascript
  node_modules/rollup-plugin-terser
    workbox-build  5.0.0-alpha.0 - 7.0.0
    Depends on vulnerable versions of rollup-plugin-terser
    node_modules/next-pwa/node_modules/workbox-build
      workbox-webpack-plugin  5.0.0-alpha.0 - 7.0.0
      Depends on vulnerable versions of workbox-build
      node_modules/next-pwa/node_modules/workbox-webpack-plugin
        next-pwa  >=2.1.0
        Depends on vulnerable versions of workbox-webpack-plugin
        node_modules/next-pwa

5 moderate severity vulnerabilities
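The audit output above offers only `npm audit fix --force`, which would downgrade next-pwa to 2.0.2. The other route, the one the commit below describes as "serialize-javascript pinned via overrides", is to force the transitive dependency to a patched version from the consumer's package.json. The fragment that follows is an added example, not part of this pull request; it assumes npm 8.3 or later (where `overrides` is supported) and uses the nested form so that only the rollup-plugin-terser path shown in the audit tree is affected.

```json
{
  "overrides": {
    "rollup-plugin-terser": {
      "serialize-javascript": ">=6.0.2"
    }
  }
}
```

After `npm install`, `npm ls serialize-javascript` should show a single 6.0.2-or-later copy under rollup-plugin-terser and `npm audit` should no longer list the advisory. An override is applied unconditionally, so check that the pinned version is compatible with what rollup-plugin-terser actually calls; a forced major-version jump can trade a reported vulnerability for a silent build-time breakage.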

nightness and others added 5 commits February 27, 2025 03:35
Deps / security: npm audit 24 → 0 (6 low, 6 moderate, 9 high, 3 critical
cleared); workbox → 7.4, serialize-javascript pinned via overrides; dropped
vestigial webpack.config.js and its devDeps (bundle was never referenced —
main is index.js, which is plain CommonJS).

Correctness:
- fallback.js: switch fall-through no longer leaks image/audio/video/font/data
  fallbacks when only one type is configured.
- build-custom-worker.js / build-fallback-worker.js: replaced process.exit(-1)
  with thrown errors so worker build failures no longer nuke the consumer's
  dev server / CI run.
- index.js: removed dead experimental.modern branch (Next 12+).

Next 14–16 support:
- Turbopack guard: detect process.env.TURBOPACK and return nextConfig
  unmodified with a one-line warning. Avoids Next 16's "webpack config
  without turbopack config" hard failure under the new default bundler.
- App Router: inject register.js into the `main-app` client entry alongside
  `main.js` so App Router apps actually register the service worker.

Breaking changes (hence v7.0.0):
- peerDependencies.next: ">=9.0.0" → ">=14.0.0".
- Removed deprecated `subdomainPrefix` option.
- `reloadOnOnline` default flipped true → false (no more mid-interaction
  reloads when connectivity returns).
- New `trustStartUrlRedirects` option (default false). Previously next-pwa
  unconditionally rewrote opaque/redirected start-URL responses to 200 OK
  and cached them under the canonical key. Now opt-in. Consumers using
  `dynamicStartUrlRedirect` or start-URL redirecting middleware must set
  `trustStartUrlRedirects: true`.

Metadata: repository → Brainwires/next-pwa, README migration section, new
CHANGELOG 7.0.0 entry, workbox doc references updated v6 → v7.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ects closure leak

Library fix (index.js):
- `trustStartUrlRedirects` was referenced inside the start-url `cacheWillUpdate`
  callback, which workbox-webpack-plugin serializes to a string and injects
  into sw.js. The variable leaked into the service worker as a free reference,
  throwing ReferenceError at runtime. Decide at build time whether to include
  the rewrite plugin at all — never capture build-time variables in callbacks
  workbox will serialize. Caught by smoke-testing the examples.

Examples pass:
- Deleted `examples/next-9/` — contradicts the v7.0.0 peer dep of Next >=14.
- New `examples/app-router/` — minimal App Router showcase, demonstrates the
  `main-app` client entry injection landed in v7.0.0.
- `cookie/next.config.js` — added required `trustStartUrlRedirects: true`
  (breaking change from v7.0.0). Verified the resulting sw.js contains the
  inlined `cacheWillUpdate` handler.
- `offline-fallback/` + `offline-fallback-v2/next.config.js` — migrated
  deprecated `images.domains` → `images.remotePatterns` (Next 12+ API).
- `minimal/` — dropped the fastify custom server; it existed only to hand-serve
  sw.js from .next/, which `dest: 'public'` makes unnecessary. Now genuinely
  minimal.
- `next-i18next/` — dropped the express custom server; rewrote for the
  serverSideTranslations / appWithTranslation Pages Router API; moved locales
  from `public/static/locales/` → `public/locales/` per next-i18next
  convention. Pinned `next-i18next@^15.4.3` because v16 is App-Router-only and
  removed the Pages Router helpers this example uses.
- `cache-on-front-end-nav/pages/_app.js` — renamed `_App` to `App`; the
  underscore-prefixed name made ESLint's react-hooks/rules-of-hooks reject the
  hook calls in newer Next.js (blocking the build).
- `custom-ts-worker/next-env.d.ts` — regenerated by Next 15 during build.

All remaining 11 examples now build clean on Next 15.5.15 against next-pwa
7.0.0 (smoke-tested via `npm pack` tarball + `next build` in each directory):
service worker + workbox chunks emitted for the 10 Pages Router examples, and
the App Router example's `main-app` entry correctly includes register.js.

Dep floor across all examples:
- next ^15.5.15 (user chose 15.x — webpack default, no --webpack flag needed)
- react / react-dom ^19.2.5
- next-pwa ^7.0.0
- eslint-config-next ^15.5.15
- eslint ^8.57.1 (pinned 8.x; ESLint 9 drops eslintrc support, and migrating
  12 .eslintrc.json files to flat config is out of scope here)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
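The closure leak described in the commit above is easy to reproduce in isolation. The following is an added illustration, not next-pwa's source: the plugin shape, the function names and the `trustStartUrlRedirects` parameter are stand-ins that mirror the option named in the commit, responses are modelled as plain `{status, type}` objects so it runs offline, and `Function.prototype.toString` plus re-evaluation in a fresh scope is a constructed stand-in for how workbox-webpack-plugin serializes a callback into sw.js.

```javascript
// Added illustration (not next-pwa's code): a runtime-caching callback that
// closes over a build-time variable breaks once it is serialized into sw.js,
// because only its source text reaches the service worker.

function makeBuggyStartUrlPlugin(trustStartUrlRedirects) {
  return {
    // Bug: `trustStartUrlRedirects` is captured from the build process. After
    // serialization it is a free reference inside the worker.
    cacheWillUpdate: ({ response }) => {
      if (trustStartUrlRedirects && response.type === 'opaqueredirect') {
        return { status: 200, type: 'basic' }; // rewrite redirect to 200 OK
      }
      return response.status === 200 ? response : null;
    },
  };
}

function makeFixedStartUrlPlugin(trustStartUrlRedirects) {
  // Fix: decide at build time. When the option is off, no plugin is emitted;
  // when on, the emitted callback refers only to its own arguments and so
  // survives serialization intact.
  if (!trustStartUrlRedirects) return null;
  return {
    cacheWillUpdate: ({ response }) => {
      if (response.type === 'opaqueredirect') {
        return { status: 200, type: 'basic' };
      }
      return response.status === 200 ? response : null;
    },
  };
}

// Constructed stand-in for the plugin serializer: toString() drops the
// closure, and re-evaluating the text in a fresh global scope is what the
// browser does when it parses the generated sw.js.
function serializeIntoWorker(plugin) {
  const src = plugin.cacheWillUpdate.toString();
  return new Function(`return (${src});`)();
}

// Invoke a deserialized handler the way the worker would and report outcome.
function callInWorker(handler, response) {
  try {
    return { ok: true, result: handler({ response }) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

function demo() {
  const fresh = { status: 200, type: 'basic' }; // constructed sample response
  const buggy = callInWorker(
    serializeIntoWorker(makeBuggyStartUrlPlugin(true)), fresh);
  const fixed = callInWorker(
    serializeIntoWorker(makeFixedStartUrlPlugin(true)), fresh);
  return {
    buggy,                                          // { ok: false, error: 'ReferenceError' }
    fixed,                                          // { ok: true, result: fresh }
    omittedWhenOff: makeFixedStartUrlPlugin(false) === null,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The same check the commit message describes (smoke-testing the emitted sw.js) catches this class of bug in practice: grep the generated worker for any identifier that only exists in next.config.js or the build script, since a serialized callback can carry nothing but its own parameters and globals the worker actually defines.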
- package.json: name → @brainwires/next-pwa
- README + 12 examples: update require() and dependency refs to scoped name
- .npmignore: drop .claude/, dist/, .gitpod.yml; stop excluding CHANGELOG.md
- Remove vestigial .babelrc (unused — build workers configure babel inline,
  and main:index.js ships as CommonJS with no transpile step)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>