chore: security update for terser-webpack-plugin-legacy

[antonku]

This PR contains a:

• bugfix
• new feature
• code refactor
• test update
• typo fix
• metadata update

Motivation / Use-Case

Hi. I assume that terser-webpack-plugin-legacy is unsupported taking into account that the notice regarding it is no longer in the readme. Still, is there any chance that you could publish a security update for it? Thanks.

This PR fixes: CVE-2019-16769 and CVE-2020-7660

[jsf-clabot]

All committers have signed the CLA.

[alexander-akait]

Released (1.2.4), my strong recommendation to migrate on webpack 4 or webpack 5 (recommended)

[antonku]

@evilebottnawi Thank you so much, you saved the day!

One more thing, I have noticed that in 1.2.4 there are several core-js require statements in dist/index.js and dist/minify.js, specifically:

require("core-js/modules/es7.object.get-own-property-descriptors");

require("core-js/modules/es6.object.to-string");

These imports may be a breaking change for consumers that don't have core-js@2.
Is it an intended change?

[alexander-akait]

Yes, we need it because we support old Node.js versions, but maybe we can improve it, feel free to send a PR

[antonku]

Yes, we need it because we support old Node.js versions, but maybe we can improve it, feel free to send a PR

Got it, thanks. I think it makes sense to add core-js@2 to dependencies of terser-webpack-plugin-legacy so that end users without core-js@2 wouldn't experience issues during terser-webpack-plugin-legacy update.

I have opened a PR for it, please take a look: #331