open-vsx.org
Dependency Update Required
See:
https://github.com/EclipseFdn/open-vsx.org/security/dependabot/website/yarn.lock/highlight.js/open
Also, look into a way to automate turning Dependabot alerts into issues.
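One way to do the automation asked for above, as an added example that is not code from the open-vsx.org repository: take the open Dependabot alerts, give each a stable title keyed on its GHSA id and manifest path, skip the ones that already have an issue with that title, and create the rest. The alert dictionaries follow the shape GitHub's REST endpoint `GET /repos/{owner}/{repo}/dependabot/alerts` returns; the sample alerts, org, repo and GHSA ids below are constructed placeholders, and the call that creates an issue is injected so the script runs offline.

```python
"""Turn open Dependabot alerts into tracking issues, skipping ones already filed.

Added example for this thread, not code from the open-vsx.org project. Alert
dicts follow GitHub's REST shape for GET /repos/{owner}/{repo}/dependabot/alerts;
the data below is a constructed sample (placeholder org, repo and GHSA ids) and
the HTTP call is injected so everything runs offline.
"""
import json
from typing import Callable, Iterable

TITLE_PREFIX = "[dependabot]"

# Constructed sample: one fixable open alert, one dismissed alert, one open alert
# with no patched version published yet.
SAMPLE_ALERTS = [
    {
        "number": 7, "state": "open",
        "html_url": "https://github.com/example-org/example-repo/security/dependabot/7",
        "dependency": {"package": {"ecosystem": "npm", "name": "example-lib"},
                       "manifest_path": "website/yarn.lock", "scope": "development"},
        "security_advisory": {"ghsa_id": "GHSA-0000-0000-0001", "cve_id": None,
                              "severity": "medium", "summary": "Placeholder advisory summary."},
        "security_vulnerability": {"vulnerable_version_range": "< 2.0.0",
                                   "first_patched_version": {"identifier": "2.0.0"}},
    },
    {
        "number": 8, "state": "dismissed",
        "html_url": "https://github.com/example-org/example-repo/security/dependabot/8",
        "dependency": {"package": {"ecosystem": "npm", "name": "other-lib"},
                       "manifest_path": "website/yarn.lock", "scope": "runtime"},
        "security_advisory": {"ghsa_id": "GHSA-0000-0000-0002", "cve_id": None,
                              "severity": "low", "summary": "Placeholder advisory summary."},
        "security_vulnerability": {"vulnerable_version_range": "< 1.1.0",
                                   "first_patched_version": {"identifier": "1.1.0"}},
    },
    {
        "number": 9, "state": "open",
        "html_url": "https://github.com/example-org/example-repo/security/dependabot/9",
        "dependency": {"package": {"ecosystem": "npm", "name": "unfixed-lib"},
                       "manifest_path": "server/package-lock.json", "scope": "runtime"},
        "security_advisory": {"ghsa_id": "GHSA-0000-0000-0003", "cve_id": None,
                              "severity": "high", "summary": "Placeholder advisory summary."},
        "security_vulnerability": {"vulnerable_version_range": "<= 3.4.0",
                                   "first_patched_version": None},
    },
]


def issue_title(alert: dict) -> str:
    """Deterministic title; GHSA id plus manifest path doubles as the dedup key."""
    adv, dep = alert["security_advisory"], alert["dependency"]
    return f"{TITLE_PREFIX} {adv['ghsa_id']} in {dep['package']['name']} ({dep['manifest_path']})"


def issue_body(alert: dict) -> str:
    """Plain-text body with the facts a maintainer needs to triage the alert."""
    adv, dep, vuln = alert["security_advisory"], alert["dependency"], alert["security_vulnerability"]
    patched = vuln.get("first_patched_version")
    fix_line = (f"Fix: upgrade to {patched['identifier']} or later." if patched
                else "Fix: no patched version published yet; consider replacing or removing the dependency.")
    cve = f" / {adv['cve_id']}" if adv.get("cve_id") else ""
    return "\n".join([
        f"Dependabot alert #{alert['number']}: {alert['html_url']}",
        f"Severity: {adv['severity']}",
        f"Advisory: {adv['ghsa_id']}{cve}",
        f"Package: {dep['package']['ecosystem']}/{dep['package']['name']} ({dep.get('scope') or 'unknown'} scope)",
        f"Vulnerable range: {vuln['vulnerable_version_range']}",
        fix_line,
        "",
        adv["summary"],
    ])


def alerts_to_issues(alerts: Iterable[dict], existing_titles: Iterable[str]) -> list[dict]:
    """Issue payloads for open alerts that do not already have an issue with our title."""
    existing = set(existing_titles)
    issues = []
    for alert in alerts:
        if alert.get("state") != "open":
            continue  # dismissed or fixed alerts need no new issue
        title = issue_title(alert)
        if title in existing:
            continue  # already filed on an earlier run
        existing.add(title)
        issues.append({"title": title, "body": issue_body(alert),
                       "labels": ["security", "dependencies"]})
    return issues


def sync(alerts: Iterable[dict], existing_titles: Iterable[str],
         create_issue: Callable[[dict], None]) -> list[str]:
    """Create one issue per new open alert and return the titles created."""
    created = []
    for issue in alerts_to_issues(alerts, existing_titles):
        create_issue(issue)  # for real use: POST /repos/{owner}/{repo}/issues
        created.append(issue["title"])
    return created


if __name__ == "__main__":
    already_filed = [issue_title(SAMPLE_ALERTS[0])]  # pretend alert #7 was filed last run
    print("created:", sync(SAMPLE_ALERTS, already_filed,
                           lambda issue: print(json.dumps(issue, indent=2))))
```

For a real run, fetch the alerts with a token that is allowed to read Dependabot alerts for the repository, list the repository's open issue titles (or search for the `[dependabot]` prefix) to build `existing_titles`, pass a `create_issue` that POSTs to the issues endpoint, and schedule the script from a workflow so alerts are mirrored within a day of appearing.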
@mbarbero @amvanbaren Any thoughts on this issue? I am not sure who should be assigned.
@brianking the link is not working.
WFM. It might be visible only to those with certain privileges because it is a security issue.
@brianking Users in this team should have access to the security issue: https://github.com/orgs/EclipseFdn/teams/open-vsx-org
@amvanbaren I just sent you an invitation to join the EclipseFdn organization. I should be able to grant you access to security issues once you accept it.
@amvanbaren Is this still an issue?
@kineticsquid Yes, this is still an issue.
I was poking around on this a bit. I'm not a TypeScript expert, but it appears that moving from the current "@types/markdown-it": "^10.0.3", in the web UI package.json file to "@types/markdown-it": "^12.2.3", eliminates the problematic highlight.js package. It also looks like this is a development time only dependency. Any reason not to make this change?
That said, I tried this in a Gitpod workspace and the yarn build for the web UI seemed to work. I get an updated markdown-it package and no problematic highlight.js package. I can see this with yarn list. But when I do an npm list, I see this
gitpod /workspace/openvsx/webui (master) $ npm list
[email protected] /workspace/openvsx/webui
├── @material-ui/[email protected]
├── @material-ui/[email protected]
├── @types/[email protected]
├── @types/[email protected]
├── @types/[email protected]
├── @types/[email protected]
├── @types/[email protected] invalid: "^12.3.3" from the root project
I also noticed that the yarn.lock file did not get updated with the new dependencies, which I'm guessing led to this warning.
I suspect this is all due to a thin understanding of how these pieces fit together.
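For the symptom in the comment above (a range edited in package.json while yarn.lock was never regenerated, and a stale transitive dependency still listed), here is an added example that is not code from the open-vsx.org repository: a small parser for the yarn v1 lockfile format that answers two questions, whether every range in package.json still has a matching lockfile entry, and which locked package pulls a given dependency in (what `yarn why` reports). The lockfile text and package.json below are constructed samples with placeholder versions, not the project's real files; the only fact taken from the thread is that an older `@types/markdown-it` range dragged in highlight.js.

```python
"""Check a yarn v1 lockfile against package.json and find who pulls a package in.

Added example for this thread, not code from the open-vsx.org project. The
lockfile and package.json below are constructed samples with placeholder
versions. yarn v1 keys each entry by the exact 'name@range' string that was
requested, so editing a range in package.json without re-running yarn leaves
that key missing, which is what the 'invalid' line from npm list reflects.
"""
import re

SAMPLE_LOCK = '''# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@types/linkify-it@*":
  version "3.0.0"
  resolved "https://registry.example/-/linkify-it-3.0.0.tgz"

"@types/markdown-it@^10.0.3":
  version "10.0.3"
  resolved "https://registry.example/-/markdown-it-10.0.3.tgz"
  dependencies:
    "@types/linkify-it" "*"
    highlight.js "^9.0.0"

highlight.js@^9.0.0:
  version "9.0.0"
  resolved "https://registry.example/-/highlight.js-9.0.0.tgz"
'''

# Constructed package.json contents: before and after the range bump.
OLD_PACKAGE_JSON = {"devDependencies": {"@types/markdown-it": "^10.0.3"}}
NEW_PACKAGE_JSON = {"devDependencies": {"@types/markdown-it": "^12.2.3"}}

DEP_LINE = re.compile(r'^"?([^"\s]+)"?\s+"?([^"]+?)"?$')  # name "range" under dependencies:


def parse_yarn_lock(text: str) -> dict[str, dict]:
    """Map every 'name@range' key to {'version', 'dependencies': {name: range}}.

    Keys that share one entry (e.g. 'a@^1.0.0, a@^1.2.0:') map to the same dict.
    """
    entries: dict[str, dict] = {}
    current = None
    in_deps = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0 and line.endswith(":"):
            current = {"version": None, "dependencies": {}}
            for key in line[:-1].split(","):
                entries[key.strip().strip('"')] = current
            in_deps = False
        elif indent == 2 and current is not None:
            in_deps = line == "dependencies:"
            if line.startswith("version "):
                current["version"] = line.split(" ", 1)[1].strip('"')
        elif indent == 4 and in_deps and current is not None:
            m = DEP_LINE.match(line)
            if m:
                current["dependencies"][m.group(1)] = m.group(2)
    return entries


def stale_requirements(package_json: dict, lock: dict) -> list[str]:
    """Ranges from package.json with no lockfile entry: yarn install would change yarn.lock."""
    missing = []
    for section in ("dependencies", "devDependencies"):
        for name, rng in package_json.get(section, {}).items():
            if f"{name}@{rng}" not in lock:
                missing.append(f"{name}@{rng}")
    return missing


def dependents_of(lock: dict, package: str) -> list[tuple[str, str]]:
    """Locked entries that depend on `package`, with the range they request."""
    seen, out = set(), []
    for key, entry in lock.items():
        if id(entry) in seen:
            continue  # aliased keys share one entry; report it once
        seen.add(id(entry))
        if package in entry["dependencies"]:
            out.append((key, entry["dependencies"][package]))
    return out


if __name__ == "__main__":
    lock = parse_yarn_lock(SAMPLE_LOCK)
    print("stale before bump:", stale_requirements(OLD_PACKAGE_JSON, lock))
    print("stale after bump: ", stale_requirements(NEW_PACKAGE_JSON, lock))
    print("who pulls in highlight.js:", dependents_of(lock, "highlight.js"))
```

Running this against a checkout where only package.json was edited reports the new `@types/markdown-it@^12.2.3` requirement as missing from the lockfile and shows the old `^10.0.3` entry as the one still pulling highlight.js in; the fix is to run `yarn install` (so yarn.lock is regenerated) and commit both files. In CI, `yarn install --frozen-lockfile` fails on exactly this mismatch, which keeps a half-updated dependency bump from merging.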
I've fixed this issue in PR https://github.com/EclipseFdn/open-vsx.org/pull/1436