
Dependencies update #7115

Closed
2 of 7 tasks
valmoz opened this issue Apr 5, 2022 · 4 comments
Labels
closed: please-fix-this-cve This issue is asking for fixing a CVE in a build-only dep which doesn't pose any real threat.

Comments

valmoz commented Apr 5, 2022

Have you read the Contributing Guidelines on issues?

Prerequisites

  • I'm using the latest version of Docusaurus.
  • I have tried the npm run clear or yarn clear command.
  • I have tried rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
  • I have tried creating a repro with https://new.docusaurus.io.
  • I have read the console error message carefully (if applicable).

Description

Hi,
I created a project using Docusaurus version 2.0.0-beta.18, and I received some alerts from Dependabot which seem to be related to the Docusaurus components.
It would be great to update the dependencies to avoid the alerts.

Inefficient Regular Expression Complexity in nth-check
GHSA-rp65-9cf3-cjxr

@docusaurus/[email protected] requires nth-check@~1.0.1 via a transitive dependency on [email protected]
@docusaurus/[email protected] requires nth-check@~1.0.1 via a transitive dependency on [email protected]
@docusaurus/[email protected] requires nth-check@~1.0.1 via a transitive dependency on [email protected]

Regular Expression Denial of Service in trim
GHSA-w5p7-h5w8-2hfq

@docusaurus/[email protected] requires [email protected] via a transitive dependency on [email protected]
@docusaurus/[email protected] requires [email protected] via a transitive dependency on [email protected]
@docusaurus/[email protected] requires [email protected] via a transitive dependency on [email protected]

Reproducible demo

No response

Steps to reproduce

Create a Docusaurus project with the following dependencies:
"dependencies": {
  "@docusaurus/core": "^2.0.0-beta.18",
  "@docusaurus/plugin-ideal-image": "^2.0.0-beta.18",
  "@docusaurus/preset-classic": "^2.0.0-beta.18",
  "@mdx-js/react": "^1.6.22",
  "clsx": "^1.1.1",
  "mdx-mermaid": "^1.2.1",
  "mermaid": "^8.14.0",
  "prism-react-renderer": "^1.2.1",
  "rapidoc": "^9.2.0",
  "react": "^17.0.1",
  "react-dom": "^17.0.1"
},

Expected behavior

I would like to not have security alerts

Actual behavior

I have security alerts

Your environment

My current package.json:

{
  "name": "fic-docusaurus",
  "version": "0.0.0",
  "private": true,
  "scripts": {
    "docusaurus": "docusaurus",
    "start": "docusaurus start",
    "build": "docusaurus build",
    "swizzle": "docusaurus swizzle",
    "deploy": "docusaurus deploy",
    "clear": "docusaurus clear",
    "serve": "docusaurus serve",
    "write-translations": "docusaurus write-translations",
    "write-heading-ids": "docusaurus write-heading-ids"
  },
  "dependencies": {
    "@docusaurus/core": "^2.0.0-beta.18",
    "@docusaurus/plugin-ideal-image": "^2.0.0-beta.18",
    "@docusaurus/preset-classic": "^2.0.0-beta.18",
    "@mdx-js/react": "^1.6.22",
    "clsx": "^1.1.1",
    "mdx-mermaid": "^1.2.1",
    "mermaid": "^8.14.0",
    "prism-react-renderer": "^1.2.1",
    "rapidoc": "^9.2.0",
    "react": "^17.0.1",
    "react-dom": "^17.0.1"
  },
  "browserslist": {
    "production": [
      ">0.5%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  },
  "devDependencies": {
    "@docusaurus/module-type-aliases": "^2.0.0-beta.18",
    "@tsconfig/docusaurus": "^1.0.4",
    "typescript": "^4.6.2"
  }
}

Self-service

  • I'd be willing to fix this bug myself.
valmoz added the labels bug (An error in the Docusaurus core causing instability or issues with its execution) and status: needs triage (This issue has not been triaged by maintainers) on Apr 5, 2022
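The alerts above come from a dependency scanner that sees nth-check and trim somewhere under the project's node_modules, while the maintainers' label treats them as build-only. The question a practitioner actually has to answer is: by which chains is the flagged package reachable, and does any of them end up in code that runs at serve time? The following Node script is an added example, not code from this issue or from the Docusaurus project. It walks an npm lockfile (lockfileVersion 2 or 3, the "packages" map keyed by node_modules path), lists every chain from the root to a named package, and classifies each chain as build-only or runtime. The sample lockfile, the packages svgo, css-select, runtime-widget and dev-linter, their versions, and the BUILD_TIME_TOOLS set are all constructed assumptions for illustration.

```javascript
// Added example (not code from the Docusaurus issue or project): walk an npm
// lockfile to find every dependency chain from the project root to a flagged
// package, then classify each chain as build/dev-only or runtime.

// Constructed sample lockfile. The packages svgo, css-select, runtime-widget
// and dev-linter and their versions are assumptions, not the issue author's
// real tree; only the lockfile shape matters here.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": {
      name: "fic-docusaurus",
      dependencies: { "@docusaurus/core": "^2.0.0-beta.18", "runtime-widget": "^1.0.0" },
      devDependencies: { "dev-linter": "^3.0.0", typescript: "^4.6.2" },
    },
    "node_modules/@docusaurus/core": { version: "2.0.0-beta.18", dependencies: { svgo: "^1.3.2" } },
    "node_modules/svgo": { version: "1.3.2", dependencies: { "css-select": "^2.0.0" } },
    "node_modules/css-select": { version: "2.1.0", dependencies: { "nth-check": "^1.0.2" } },
    "node_modules/nth-check": { version: "1.0.2" },
    "node_modules/runtime-widget": { version: "1.0.0", dependencies: { "css-select": "^4.0.0" } },
    // Nested copies: npm keeps a second css-select/nth-check under runtime-widget
    // because the hoisted versions do not satisfy its ranges.
    "node_modules/runtime-widget/node_modules/css-select": { version: "4.2.1", dependencies: { "nth-check": "^2.0.1" } },
    "node_modules/runtime-widget/node_modules/nth-check": { version: "2.0.1" },
    "node_modules/dev-linter": { version: "3.0.0", dev: true, dependencies: { "nth-check": "^1.0.2" } },
    "node_modules/typescript": { version: "4.6.2", dev: true },
  },
};

// Packages whose only job is to build the static site: code they pull in never
// ships to the browser or runs on a server. Assumed for this example; a
// project's maintainers know their own list.
const BUILD_TIME_TOOLS = new Set(["@docusaurus/core", "@docusaurus/preset-classic"]);

const NM = "node_modules/";

// Name of the package installed at a lockfile path
// ("node_modules/a/node_modules/@s/b" -> "@s/b").
function pkgName(path) {
  return path.slice(path.lastIndexOf(NM) + NM.length);
}

// npm resolution: the nearest enclosing node_modules directory that holds `name`,
// walking up from `fromPath` to the root; null if nothing is installed.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + NM + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/" + NM);
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Every acyclic dependency chain (as lockfile paths) from the root to a
// package called `target`.
function findChains(lock, target) {
  const packages = lock.packages;
  const chains = [];
  function walk(path, stack) {
    const entry = packages[path];
    if (!entry) return;
    // devDependencies are only installed for the root package.
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies,
      path === "" ? entry.devDependencies : undefined);
    for (const name of Object.keys(deps)) {
      const childPath = resolve(packages, path, name);
      if (childPath === null || stack.includes(childPath)) continue; // missing or cycle
      const next = stack.concat(childPath);
      if (name === target) chains.push(next);
      else walk(childPath, next);
    }
  }
  walk("", []);
  return chains;
}

// A chain is build-only when it passes through a package npm marks dev-only
// or through a known build-time tool; otherwise shipped code can reach it.
function triage(lock, target, buildTools = BUILD_TIME_TOOLS) {
  return findChains(lock, target).map((chain) => {
    const names = chain.map(pkgName);
    const leaf = lock.packages[chain[chain.length - 1]];
    const devOnly = chain.some((p) => lock.packages[p].dev === true);
    const viaBuildTool = names.some((n) => buildTools.has(n));
    return {
      chain: names,
      version: leaf.version,
      devOnly,
      viaBuildTool,
      verdict: devOnly || viaBuildTool
        ? "build-only: not reachable at runtime, update when convenient"
        : "runtime: reachable by shipped code, treat the advisory as real",
    };
  });
}

for (const r of triage(SAMPLE_LOCK, "nth-check")) {
  console.log(`${r.verdict}\n  ${r.chain.join(" > ")} (nth-check@${r.version})`);
}
```

On a real project, replace SAMPLE_LOCK with `JSON.parse` of the package-lock.json contents and pass the package named in the advisory. The sample shows the three outcomes worth distinguishing: the copy under the build tool is old and build-only, the copy under a runtime dependency is a separate nested install that may already be patched, and the dev-only chain never leaves the developer's machine. Two caveats: npm's `dev` flag only covers root devDependencies, so a build tool listed under `dependencies` (as in the package.json above) needs the explicit BUILD_TIME_TOOLS judgment; and "build-only" means no exposure to site visitors, not no exposure at all, since build-time code still runs in CI with whatever credentials the pipeline holds.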
Josh-Cena (Collaborator) commented

Please please please search existing issues 😅 Search terms: dependencies, security

#6394

Josh-Cena added the label closed: duplicate (This issue or pull request already exists in another issue or pull request) and removed the labels bug (An error in the Docusaurus core causing instability or issues with its execution) and status: needs triage (This issue has not been triaged by maintainers) on Apr 5, 2022

valmoz commented Apr 5, 2022

I'm sorry :( I searched for the library names but I was unable to find them... Thank you for your answer, I'll be more careful next time.

Josh-Cena (Collaborator) commented

Better search wisely, then. A few tricks:

  • trim is too broad and almost always takes you nowhere, but nth-check is more search-worthy
  • in:title is a very powerful query. in:title nth-check instantly takes you to one such issue


valmoz commented Apr 5, 2022

Thanks, I'll take note to avoid making the same error.
Actually, I think I didn't find the issue because I forgot the is:open clause 🤦

Josh-Cena added the label closed: please-fix-this-cve (This issue is asking for fixing a CVE in a build-only dep which doesn't pose any real threat) and removed the label closed: duplicate (This issue or pull request already exists in another issue or pull request) on Apr 30, 2022