`@docusaurus/[email protected]` depends on a deep dependency `[email protected]` which is a vulnerable version
Have you read the Contributing Guidelines on issues?

- [X] I have read the Contributing Guidelines on issues.

Prerequisites

- [X] I'm using the latest version of Docusaurus.
- [X] I have tried the `npm run clear` or `yarn clear` command.
- [X] I have tried `rm -rf node_modules yarn.lock package-lock.json` and re-installing packages.
- [ ] I have tried creating a repro with https://new.docusaurus.io.
- [X] I have read the console error message carefully (if applicable).
Description

`@docusaurus/[email protected]` depends on a deep dependency `[email protected]`, which is a vulnerable version.

Dependency Map:

```
@docusaurus/[email protected]
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]
```

Observations:

- `[email protected]` and above are the bug-free ones.
- `[email protected]` and above contains the above got package version.
- `[email protected]` and above contains the above package-json package version.
- `[email protected]` and above contains the above latest-version package version.

But `@docusaurus/[email protected]` contains only `[email protected]`, which has the vulnerable got.

Useful Links:

- https://www.npmjs.com/package/got
- https://nvd.nist.gov/vuln/detail/CVE-2022-33987

Reproducible demo

No response
Steps to reproduce

Run `npm ls got`. You will get:

```
@docusaurus/[email protected]
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]
```

Here, `[email protected]` is a vulnerable version.

Expected behavior

`@docusaurus/core` should use at least `[email protected]`, which has a non-vulnerable got.

Actual behavior

`@docusaurus/core` is using `[email protected]`, which has a vulnerable version of `[email protected]`.
Your environment
- Docusaurus version used: 2.2.0
- Environment name and version (e.g. Chrome 106.0.5249.119, Node.js 16.17.0):
- Operating system and version (e.g. Mac OS Monterey 12.5.1):
Self-service
- [ ] I'd be willing to fix this bug myself.
Thanks for reporting.

After taking a look, it's unlikely to cause any security trouble in Docusaurus, but we'll upgrade to v6.0 someday (ESM).
See also
- https://github.com/yeoman/update-notifier/commit/91835415ca721fd4a87a9f822ce9a6c3a377c8d1
- https://github.com/sindresorhus/got/pull/2047
We could as well do like nodemon and start using a simpler/lighter lib, see https://github.com/remy/nodemon/pull/2033
Just an update for those who are a little bothered by the vulnerability alert like me. You can overwrite in your package.json the dependencies that are vulnerable, for example:

```json
"overrides": {
  "trim": "^0.0.3",
  "got": "^11.8.5"
}
```

https://github.com/clebsonf/ld.health/blob/1e9831fc73ce1696eaeff88adc3ed05262911b63/docs/package.json#L43-L46
With yarn, it's `"resolutions"` instead of `"overrides"`. Otherwise @clebsonf's workaround works great.