High Severity CVE found in cachable-request <10.2.7

[ajrice6713]

Have you read the Contributing Guidelines on issues?

• I have read the Contributing Guidelines on issues.

Prerequisites

• I'm using the latest version of Docusaurus.
• I have tried the npm run clear or yarn clear command.
• I have tried rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
• I have tried creating a repro with https://new.docusaurus.io.
• I have read the console error message carefully (if applicable).

Description

A high-severity CVE has been found in cachable-request, which @docusaurus-core and @docusaurus-preset-classic depend on.

Please see the CVE notice for more information, as this vulnerability leaves a DDOS vulnerability open.

Reproducible demo

No response

Steps to reproduce

N/A

Expected behavior

cachable-request version bumped to v10.2.7

Actual behavior

N/A

Your environment

• Public source code:
• Public site URL:
• Docusaurus version used:
• Environment name and version (e.g. Chrome 89, Node.js 16.4):
• Operating system and version (e.g. Ubuntu 20.04.2 LTS):

Self-service

• I'd be willing to fix this bug myself.

[Josh-Cena]

Could you give the dependency graph? cachable-request is not found in either our own repo or a newly scaffolded user site. There's also a close-to-100% chance it won't impact anything—see #6394 —but we need more information to be able to assess the risk or know how to fix it.

[slorber]

🤷‍♂️ can't find it either

Also the link provided does not work (anymore) but this was a regexp DDOS which is unlikely to affect us anyway. We can close immediately and reopen if it is really a security issue.

[ajrice6713]

Huh - even our dependabot PR has been withdrawn for this CVE. Ive never seen that happen before

Regardless - thanks for taking a look, looks like no action is needed here.