Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security issues with prism and markdown-to-jsx dependencies in @uifabric/example-app-base #14453

Closed
christiango opened this issue Aug 10, 2020 · 3 comments · Fixed by #14543
Closed

Security issues with prism and markdown-to-jsx dependencies in @uifabric/example-app-base #14453

christiango opened this issue Aug 10, 2020 · 3 comments · Fixed by #14543
Assignees
@khmakoto
Labels
Fluent UI react (v8) Issues about @fluentui/react (v8) Status: Fixed Fixed in some PR

Comments

@christiango
Copy link
Member

We now have 2 component governance alerts related to security issues with the dependencies of @uifabric/example-app-base:

These issues include:

  • Prism 1.17.1 - pulled in via refractor v 2.10.1, which is a dependency of react-syntax-highlighter v10.3.5. Updating to react-syntax-highlighter 13.3.1 addresses this issue. Advisory
  • markdown-to-jsx 6.6.1. Updating to 6.11.4 or later addresses this. Advisory
@paulgildea paulgildea added Fluent UI react (v8) Issues about @fluentui/react (v8) Needs: Investigation The Shield Dev should investigate this issue and propose a fix and removed Needs: Triage 🔍 labels Aug 11, 2020
@khmakoto khmakoto mentioned this issue Aug 14, 2020
Merged
2 tasks
@khmakoto khmakoto removed the Needs: Investigation The Shield Dev should investigate this issue and propose a fix label Aug 14, 2020
@khmakoto
Copy link
Member

khmakoto commented Aug 14, 2020
edited
Loading

@christiango I have a PR out that updates the markdown-to-jsx package version. Regarding the react-syntax-highlighter package, we've chosen not to upgrad
e it since it would lead to duplicated package versions due to the fact that it is also pulled from @storybook/components. We've chosen to do this given that we don't actively use prism which is the package that is triggering the vulnerability.

@christiango
Copy link
Member Author

Thanks for the update!

@msft-github-bot msft-github-bot added Status: Fixed Fixed in some PR and removed Status: In PR labels Aug 17, 2020
@msft-github-bot
Copy link
Contributor

🎉This issue was addressed in #14543, which has now been successfully released as @uifabric/[email protected].:tada:

Handy links:

@microsoft microsoft locked as resolved and limited conversation to collaborators Sep 17, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@khmakoto khmakoto

Labels
Fluent UI react (v8) Issues about @fluentui/react (v8) Status: Fixed Fixed in some PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

@uifabric/example-app-base: Updating dependencies to resolve security issues khmakoto/fluentui
4 participants
@christiango @khmakoto @paulgildea @msft-github-bot