Skip to content

fix(terser): upgrade serialize-javascript #1932

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(terser): upgrade serialize-javascript #1932

wants to merge 1 commit into from

Conversation

@krausvo1
Copy link

@krausvo1 krausvo1 commented Oct 27, 2025
edited
Loading

Rollup Plugin Name: terser

This PR contains:

  • bugfix
  • feature
  • refactor
  • documentation
  • other

Are tests included?

  • yes (bugfixes and features will not be merged without tests)
  • no

Breaking Changes?

  • yes (breaking changes will not be merged unless absolutely necessary)
  • no

If yes, then include "BREAKING CHANGES:" in the first commit message body, followed by a description of what is breaking.

List any relevant issue numbers:

Description

This PR bumps serialize-javascript from 6.0.1 to 6.0.2 which includes XSS vulnerability fix. There are no breaking changes in 6.0.2.

@agentHits

This comment was marked as off-topic.

Sign in to view
@agentHits

This comment was marked as off-topic.

Sign in to view
@agentHits

This comment was marked as off-topic.

Sign in to view
@shellscape
Copy link
Collaborator

@krausvo1 if agentHits is your bot please remove it.

@krausvo1
Copy link
Author

@krausvo1 if agentHits is your bot please remove it.

It is not, never seen this thing before.

@agentHits

This comment was marked as off-topic.

Sign in to view
@shellscape
Copy link
Collaborator

@agentHits please cease commenting on this PR.

@shellscape
Copy link
Collaborator

@krausvo1 this update is causing a panic in the tests. check out the failing workflow:

FATAL ERROR: v8::FromJust Maybe value is Nothing.

@shellscape
Copy link
Collaborator

@CharlieHelps please analyze the failing Node 18 test and the dependency that was updated in this PR, and share any findings as to why that v8 error is being thrown between the two versions of the dependency that is being updated.

@krausvo1
Copy link
Author

krausvo1 commented Oct 29, 2025
edited
Loading

This issue feels a little out of my league tbh and I have no idea why my changes would cause this issue.

This is what I was able to find out so far:

  • I was able to reproduce the issue locally by running the terser package tests with Node 18.20.8
  • I was able to fix the issue by disabling worker threads when running the terser package tests (e.g. via ava configuration in terser/package.json)
    • I honestly cannot say why this works and even if it makes sense for this package, but I have noticed that most of the other packages' tests also run with worker threads disabled
    • from ava docs:

      • workerThreads: use worker threads to run tests (enabled by default). If false, tests will run in child processes

Do you think it makes sense to disable worker threads for terser's tests?

@shellscape
Copy link
Collaborator

Totally understand. I'm going to see if I can use an agent to move the tests to vitest and off of Ava (it's gotten worse over the years, while vitest has gotten better). Will keep this one open.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tada5hi tada5hi Awaiting requested review from tada5hi tada5hi is a code owner

@shellscape shellscape Awaiting requested review from shellscape shellscape is a code owner

@CharlieHelps CharlieHelps Awaiting requested review from CharlieHelps

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@krausvo1 @agentHits @shellscape