Update node_module vulnerable transitive dependencies "nth-check" and "trim". #6394
Comments
Hi! If we could upgrade we would already; we regularly regenerate our lockfile to make sure our dependencies are the latest versions possible (#6341). However, these dependencies are transitively depended on, so the upgrade doesn't depend on us. Security auditing is broken in the front end, because much of the time these CVEs don't actually impact anyone. I recommend you read this Dan Abramov blog post: https://overreacted.io/npm-audit-broken-by-design/ And to back up this assertion, here's why we have these two dependencies:
In short, upgrading involves unnecessary trouble (big architectural changes across major versions) while it doesn't actually fix any security issues. I'm going to close this as wontfix. Thanks for taking interest in this.
I see, thanks for the explanation!
This has an API change for Algolia where the App ID needs to be specified. See https://docusaurus.io/blog/2021/11/21/algolia-docsearch-migration and in particular note that they say these parameters are safe to put into git. How did I know what parameters to enter? They're plain text parameters as part of the request, I just grabbed them. This also has an API change that causes the TOCInline component to be a flat array instead of a tree - done in facebook/docusaurus#729 - so this replaces the hard-coded index with a function that looks for the start and end of the relevant section. This gets rid of all security vulnerability warnings except for two, which aren't relevant - see facebook/docusaurus#6394.
Yarn audit and GitHub Dependabot warn about got, nth-check, and trim. This isn't actually really an issue according to facebook/docusaurus#6394, but we will force usage of newer versions anyway to quiet the warnings.
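The maintainer's reply above turns on one question: through which dependency chains does a flagged package such as nth-check or trim actually enter the project, and are those chains build-time only? The script below is an added example, not code from the issue or the Docusaurus project; the dependency graph in it is constructed for illustration and is not Docusaurus's real tree, and it assumes a deduplicated (flattened) install so one package name maps to one node.

```javascript
// Added example: triage an audit finding on a transitive dependency by
// listing every chain from the project root to the flagged package and
// marking whether the chain enters via a devDependency (build-time only)
// or a runtime dependency. Assumes a flattened tree: one name, one node.

// Constructed sample graph (not a real lockfile): name -> { deps: [names] }.
const sampleGraph = {
  root: { deps: ["site-theme", "markdown-linter"] },
  "site-theme": { deps: ["selector-lib"] },
  "markdown-linter": { deps: ["remark-legacy"] },
  "selector-lib": { deps: ["nth-check"] },
  "remark-legacy": { deps: ["trim"] },
  "nth-check": { deps: [] },
  trim: { deps: [] },
};
// Names listed under the root's devDependencies in the constructed sample.
const sampleDevDeps = new Set(["markdown-linter"]);

// Depth-first search returning every chain root -> ... -> target.
function chainsTo(graph, target, node = "root", path = [], out = []) {
  if (path.includes(node)) return out; // cycle guard
  const next = [...path, node];
  if (node === target) {
    out.push(next);
    return out;
  }
  for (const dep of graph[node]?.deps ?? []) chainsTo(graph, target, dep, next, out);
  return out;
}

// "dev-only": every chain enters through a devDependency.
// "runtime": at least one chain enters through a runtime dependency.
// "unreachable": the package is not in the tree at all (warning is stale).
// For a static-site generator even "runtime" deps execute at build time,
// so this is a first triage step, not a verdict on end-user exposure.
function triage(graph, devDeps, target) {
  const chains = chainsTo(graph, target);
  if (chains.length === 0) return { exposure: "unreachable", chains };
  const runtime = chains.some((c) => !devDeps.has(c[1]));
  return { exposure: runtime ? "runtime" : "dev-only", chains };
}

for (const pkg of ["nth-check", "trim", "got"]) {
  const { exposure, chains } = triage(sampleGraph, sampleDevDeps, pkg);
  console.log(`${pkg}: ${exposure}`);
  for (const c of chains) console.log("  " + c.join(" > "));
}
```

To run it against a real project, build the graph from `npm ls --all --json` (or the lockfile) instead of the constructed object, and take the devDependency set from package.json.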
Prerequisites
I have tried the npm run clear or yarn clear command.
I have tried rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
Description
The current version of Docusaurus (2.0.0-beta.14) relies on some transitive dependencies that are vulnerable. GitHub has already reported the CVEs related to those dependencies, but Docusaurus is still using them, so it would be good if they could get upgraded.
Steps to reproduce
Verify the dependencies described in the description.
Expected behavior
Use the updated versions of the described dependencies.
Actual behavior
The versions of the described dependencies are vulnerable.