react-email
@react-email/code-block depends on vulnerable version of prismjs
Describe the Bug
@react-email/code-block depends on vulnerable version of prismjs
See https://github.com/advisories/GHSA-x7hr-w5r2-h6wg for vulnerability description.
Unfortunately, as of 3/4/2025, https://github.com/PrismJS/prism appears abandoned and has not had a commit in 3 years, so switching dependencies or making @react-email/code-block optional for people who don't need it might help.
Which package is affected (leave empty if unsure)
No response
Link to the code that reproduces this issue
https://github.com/resend/react-email/blob/8dfb96a71aa723e06c71588aec20725807d3bfaf/packages/code-block/package.json#L50
To Reproduce
Install @react-email/components as described in the docs and check package-lock.json or node_modules for installed dependencies.
Expected Behavior
@react-email/components should not depend on a vulnerable dependency.
What's your node version? (if relevant)
No response
This is showing up in my package now as well. Hope to have this patched asap.
https://github.com/daveyplate/better-auth-ui/security/dependabot/7
There's a new release 1.30.0 now, so this can be updated. I see there are already automated PRs #1948 and #1949.
When is this PR going to be merged? #1948 has failed.
+1
When will you publish these changes? They are critical to me.
Looks like the changes to update prismjs to 1.30.0 have been merged and are included in the latest react-email release (v4.0.3), but it seems that the @react-email/code-block package hasn't been published to npm with that update yet; it's still showing [email protected] as a dependency there.
Just flagging in case this was missed during the release process. Tagging @gabrielmfern here since I saw you merged the changes; really appreciate all the work you're doing on this project.
This has been fixed in @react-email/code-block 0.0.12, and in future versions we'll have it unpinned to avoid these kinds of situations.