Update dependency terser to v5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
terser (source)	4.8.0 → 5.14.2

GitHub Vulnerability Alerts

CVE-2022-25858

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

---

Release Notes

terser/terser (terser)

v5.14.2

Compare Source

• Security fix for RegExps that should not be evaluated (regexp DDOS)
• Source maps improvements (#​1211)
• Performance improvements in long property access evaluation (#​1213)

v5.14.1

Compare Source

• keep_numbers option added to TypeScript defs (#​1208)
• Fixed parsing of nested template strings (#​1204)

v5.14.0

Compare Source

• Switched to @​jridgewell/source-map for sourcemap generation (#​1190, #​1181)
• Fixed source maps with non-terminated segments (#​1106)
• Enabled typescript types to be imported from the package (#​1194)
• Extra DOM props have been added (#​1191)
• Delete the AST while generating code, as a means to save RAM

v5.13.1

Compare Source

• Removed self-assignments (varname=varname) (closes #​1081)
• Separated inlining code (for inlining things into references, or removing IIFEs)
• Allow multiple identifiers with the same name in var destructuring (eg var { a, a } = x) (#​1176)

v5.13.0

Compare Source

• All calls to eval() were removed (#​1171, #​1184)
• source-map was updated to 0.8.0-beta.0 (#​1164)
• NavigatorUAData was added to domprops to avoid property mangling (#​1166)

v5.12.1

Compare Source

• Fixed an issue with function definitions inside blocks (#​1155)
• Fixed parens of new in some situations (closes #​1159)

v5.12.0

Compare Source

• TERSER_DEBUG_DIR environment variable
• @​copyright comments are now preserved with the comments="some" option (#​1153)

v5.11.0

Compare Source

• Unicode code point escapes (\u{abcde}) are not emitted inside RegExp literals anymore (#​1147)
• acorn is now a regular dependency

v5.10.0

Compare Source

• Massive optimization to max_line_len (#​1109)
• Basic support for import assertions
• Marked ES2022 Object.hasOwn as a pure function
• Fix delete optional?.property
• New CI/CD pipeline with github actions (#​1057)
• Fix reordering of switch branches (#​1092), (#​1084)
• Fix error when creating a class property called get
• Acorn dependency is now an optional peerDependency
• Fix mangling collision with exported variables (#​1072)
• Fix an issue with return someVariable = (async () => { ... })() (#​1073)

v5.9.0

Compare Source

• Collapsing switch cases with the same bodies (even if they're not next to each other) (#​1070).
• Fix evaluation of optional chain expressions (#​1062)
• Fix mangling collision in ESM exports (#​1063)
• Fix issue with mutating function objects after a second pass (#​1047)
• Fix for inlining object spread { ...obj } (#​1071)
• Typescript typings fix (#​1069)

v5.8.0

Compare Source

• Fixed shadowing variables while moving code in some cases (#​1065)
• Stop mangling computed & quoted properties when keep_quoted is enabled.
• Fix for mangling private getter/setter and .#private access (#​1060, #​1068)
• Array.from has a new optimization when the unsafe option is set (#​737)
• Mangle/propmangle let you generate your own identifiers through the nth_identifier option (#​1061)
• More optimizations to switch statements (#​1044)

v5.7.2

Compare Source

• Fixed issues with compressing functions defined in global_defs option (#​1036)
• New recipe for using Terser in gulp was added to RECIPES.md (#​1035)
• Fixed issues with ?? and ?. (#​1045)
• Future reserved words such as package no longer require you to disable strict mode to be used as names.
• Refactored huge compressor file into multiple more focused files.
• Avoided unparenthesized in operator in some for loops (it breaks parsing because of for..in loops)
• Improved documentation (#​1021, #​1025)
• More type definitions (#​1021)

v5.7.1

Compare Source

• Avoided collapsing assignments together if it would place a chain assignment on the left hand side, which is invalid syntax (a?.b = c)
• Removed undefined from object expansions ({ ...void 0 } -> {})
• Fix crash when checking if something is nullish or undefined (#​1009)
• Fixed comparison of private class properties (#​1015)
• Minor performance improvements (#​993)
• Fixed scope of function defs in strict mode (they are block scoped)

v5.7.0

Compare Source

• Several compile-time evaluation and inlining fixes
• Allow reduce_funcs to be disabled again.
• Add spidermonkey options to parse and format (#​974)
• Accept {get = "default val"} and {set = "default val"} in destructuring arguments.
• Change package.json export map to help require.resolve (#​971)
• Improve docs
• Fix export default of an anonymous class with extends

v5.6.1

Compare Source

• Mark assignments to the .prototype of a class as pure
• Parenthesize await on the left of ** (while accepting legacy non-parenthesised input)
• Avoided outputting NUL bytes in optimized RegExps, to stop the output from breaking other tools
• Added exports to domprops (#​939)
• Fixed a crash when spreading ...this
• Fixed the computed size of arrow functions, which improves their inlining

v5.6.0

Compare Source

• Added top-level await
• Beautify option has been removed in #​895
• Private properties, getters and setters have been added in #​913 and some more commits
• Docs improvements: #​896, #​903, #​916

v5.5.1

Compare Source

• Fixed object properties with unicode surrogates on safari.

v5.5.0

Compare Source

• Fixed crash when inlining uninitialized variable into template string.
• The sourcemap for dist was removed for being too large.

v5.4.0

Compare Source

• Logical assignment
• Change let x = undefined to just let x
• Removed some optimizations for template strings, placing them behind unsafe options. Reason: adding strings is not equivalent to template strings, due to valueOf differences.
• The AST_Token class was slimmed down in order to use less memory.

v5.3.8

Compare Source

• Restore node 13 support

v5.3.7

Compare Source

Hotfix release, fixes package.json "engines" syntax

v5.3.6

Compare Source

• Fixed parentheses when outputting ?? mixed with || and &&
• Improved hygiene of the symbol generator

v5.3.5

Compare Source

• Avoid moving named functions into default exports.
• Enabled transform() for chain expressions. This allows AST transformers to reach inside chain expressions.

v5.3.4

Compare Source

• Fixed a crash when hoisting (with hoist_vars) a destructuring variable declaration

v5.3.3

Compare Source

• source-map library has been updated, bringing memory usage and CPU time improvements when reading input source maps (the SourceMapConsumer is now WASM based).
• The wrap_func_args option now also wraps arrow functions, as opposed to only function expressions.

v5.3.2

Compare Source

• Prevented spread operations from being expanded when the expanded array/object contains getters, setters, or array holes.
• Fixed very slow self-recursion in some cases of removing extraneous parentheses from + operations.

v5.3.1

Compare Source

• An issue with destructuring declarations when pure_getters is enabled has been fixed
• Fixed a crash when chain expressions need to be shallowly compared
• Made inlining functions more conservative to make sure a function that contains a reference to itself isn't moved into a place that can create multiple instances of itself.

v5.3.0

Compare Source

• Fixed a crash when compressing object spreads in some cases
• Fixed compiletime evaluation of optional chains (caused typeof a?.b to always return "object")
• domprops has been updated to contain every single possible prop

v5.2.1

Compare Source

• The parse step now doesn't accept an ecma option, so that all ES code is accepted.
• Optional dotted chains now accept keywords, just like dotted expressions (foo?.default)

v5.2.0

Compare Source

• Optional chaining syntax is now supported.
• Consecutive await expressions don't have unnecessary parens
• Taking the variable name's length (after mangling) into consideration when deciding to inline

v5.1.0

Compare Source

• import.meta is now supported
• Typescript typings have been improved

v5.0.0

Compare Source

• in operator now taken into account during property mangle.
• Fixed infinite loop in face of a reference loop in some situations.
• Kept exports and imports around even if there's something which will throw before them.
• The main exported bundle for commonjs, dist/bundle.min.js is no longer minified.

v4.8.1

Compare Source

• Security fix for RegExps that should not be evaluated (regexp DDOS)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.