[Security issue] @stoplight/elements still relies on @sentry/[email protected]
Context
Hi,
I have a security/dependabot issue opened when I use the latest @stoplight/elements regarding the usage of @sentry/[email protected].
I can see this dependency has been dropped (which is great): https://github.com/stoplightio/elements/pull/2720 https://github.com/stoplightio/react-error-boundary/commit/e63e98208ae45ee35744c1eed935d620a81001dd
But it still looks like it remains an issue.
Current Behavior
When I do yarn add @stoplight/elements it also keeps installing @stoplight/[email protected] (in addition to v3.0.0), which itself depends on @sentry/browser. I did a yarn why to detect where it comes from:
yarn why @stoplight/react-error-boundary
yarn why v1.22.22
[1/4] Why do we have the module "@stoplight/react-error-boundary"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "@stoplight/[email protected]"
info Has been hoisted to "@stoplight/react-error-boundary"
info Reasons this module exists
- Hoisted from "@stoplight#elements#@stoplight#elements-core#@stoplight#json-schema-viewer#@stoplight#react-error-boundary"
- Hoisted from "@stoplight#elements#@stoplight#elements-core#@stoplight#markdown-viewer#@stoplight#react-error-boundary"
It seems that @stoplight#elements#@stoplight#elements-core#@stoplight#json-schema-viewer and @stoplight#elements#@stoplight#elements-core#@stoplight#markdown-viewer need to force resolution to use @stoplight/[email protected] as well?
Expected Behavior
@sentry/[email protected] and @stoplight/[email protected] shouldn't be installed anymore when using the latest of @stoplight/elements.
Possible Workaround/Solution
- Upgrade resolutions for json-schema-viewer and markdown-viewer?
Steps to Reproduce
- yarn add @stoplight/elements and yarn why @stoplight/react-error-boundary
This ticket has been labeled jira. A tracking ticket in Stoplight's Jira (PROVCON-3125) has been created.
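The check below is an added example, not code from the issue author or from Stoplight: a small Node script that reads a yarn v1 lockfile, lists every version a package still resolves to, which lockfile entries still request each one and what each version pulls in, and prints the yarn "resolutions" entry the workaround above proposes. The lock text is constructed for the example, with package names mirroring the issue and hypothetical version numbers; the "**/" resolutions prefix is yarn v1's documented glob for every nested occurrence of a package.

```javascript
// Added example (not code from the issue or from Stoplight): audit a yarn v1 lockfile for a
// package that should have been dropped, report every version still resolved, which entries
// require each one and what it pulls in, and emit the "resolutions" workaround the issue proposes.
// SAMPLE_LOCK is constructed: names mirror the issue, every version number is hypothetical.
const SAMPLE_LOCK = `# yarn lockfile v1

"@sentry/browser@^5.0.0":
  version "5.30.0"

"@stoplight/elements-core@^8.0.0":
  version "8.0.0"
  dependencies:
    "@stoplight/react-error-boundary" "^3.0.0"

"@stoplight/json-schema-viewer@^4.0.0":
  version "4.0.0"
  dependencies:
    "@stoplight/react-error-boundary" "^2.0.0"

"@stoplight/markdown-viewer@^5.0.0":
  version "5.0.0"
  dependencies:
    "@stoplight/react-error-boundary" "^2.0.0"

"@stoplight/react-error-boundary@^2.0.0":
  version "2.0.0"
  dependencies:
    "@sentry/browser" "^5.0.0"

"@stoplight/react-error-boundary@^3.0.0":
  version "3.0.0"
`;

// Parse lock text into { selectors, version, dependencies } entries. Only the fields the
// audit needs are kept; "resolved", "integrity" and similar lines are skipped.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    if (raw.trim() === '' || raw.startsWith('#')) continue;
    const line = raw.trim();
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) {
      // Entry header: comma-separated selectors such as "@scope/name@^1.0.0", ending in ':'.
      const selectors = line.replace(/:$/, '').split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      current = { selectors, version: null, dependencies: {} };
      entries.push(current);
      inDeps = false;
    } else if (indent === 2) {
      inDeps = line === 'dependencies:' || line === 'optionalDependencies:';
      if (line.startsWith('version ')) current.version = line.slice(8).replace(/^"|"$/g, '');
    } else if (indent === 4 && inDeps) {
      // Dependency line: '"@scope/name" "^1.0.0"' or 'name "^1.0.0"'.
      const m = line.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// "@scope/name@range" -> { name, range }; scoped names start with '@', so split on the last one.
function splitSelector(sel) {
  const i = sel.lastIndexOf('@');
  return { name: sel.slice(0, i), range: sel.slice(i + 1) };
}

// For each resolved version of pkgName: the ranges resolving to it, the name@version
// entries requesting one of those ranges, and the version's own declared dependencies.
function auditPackage(lockText, pkgName) {
  const entries = parseYarnLock(lockText);
  const report = {};
  for (const entry of entries) {
    const ranges = entry.selectors.map(splitSelector).filter(s => s.name === pkgName).map(s => s.range);
    if (ranges.length === 0) continue;
    const requiredBy = entries
      .filter(other => ranges.includes(other.dependencies[pkgName]))
      .map(other => `${splitSelector(other.selectors[0]).name}@${other.version}`)
      .sort();
    report[entry.version] = { ranges, requiredBy, dependencies: entry.dependencies };
  }
  return report;
}

// Every resolved version except the newest (numeric-aware string sort; no pre-release handling).
function staleVersions(report) {
  return Object.keys(report).sort((a, b) => b.localeCompare(a, undefined, { numeric: true })).slice(1);
}

// The package.json fragment the issue proposes: a yarn v1 "resolutions" entry whose "**/"
// prefix forces that version for every nested occurrence of the package.
function resolutionsFor(pkgName, version) {
  return { resolutions: { [`**/${pkgName}`]: version } };
}

const PKG = '@stoplight/react-error-boundary';
const report = auditPackage(SAMPLE_LOCK, PKG);
for (const v of staleVersions(report)) {
  console.log(`${PKG}@${v} still required by: ${report[v].requiredBy.join(', ')}`);
  console.log(`  pulls in: ${Object.keys(report[v].dependencies).join(', ') || '(nothing)'}`);
}
console.log(JSON.stringify(resolutionsFor(PKG, '3.0.0'), null, 2));
```

Against a real project, replace SAMPLE_LOCK with the contents of yarn.lock (for instance via fs.readFileSync). The report answers the same question as yarn why, but in a form a CI job can assert on: after adding the printed resolutions entry to package.json and running yarn install again, staleVersions should come back empty, and the old version's dependency on @sentry/browser disappears with it.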