highlight.js 9 EOL

[aimador]

Description:

While building the latest RC release on CentOS 7 I get the following information:

----------------------------------

Verion 9 of Highlight.js has reached EOL. It will no longer be supported or receive security updates in the future. Please upgrade to version 10 or encourage your indirect dependencies to do so.

For more info:

https://github.com/highlightjs/highlight.js/issues/2877 https://github.com/highlightjs/highlight.js/blob/master/VERSION_10_UPGRADE.md

----------------------------------

The build works, but highlight.js should be updated IMHO.

Steps to reproduce:

1. Build v. 4.2.1
2. Scroll back up and check the build logs.

Expected behavior:

No EOL warning.

Actual behavior:

see above

Server Setup Information:

• Version of Rocket.Chat Server: 4.2.1
• Operating System: CentOS 7
• Deployment Method: tar / local install
• Number of Running Instances: 1
• DB Replicaset Oplog: ON, but only 1 instance
• NodeJS Version: 12.22.1
• MongoDB Version: 4.2

Client Setup Information

• Desktop App or Browser Version: RC 3.5.7
• Operating System: Win10

[tete2soja]

Hello,

The warning is still here for the last minor release 4.3.2.

[Vringe]

Still present in 4.4.2

[lyz-code]

And in 4.5.2

[Vringe]

Version 9.18.5 (which RC is using) and also Version 10 are both EOL and do have known vulnerabilities. Upgrade to Version 11 is necessary.

See https://github.com/highlightjs/highlight.js/blob/main/SECURITY.md

[danel1]

@debdutdeb @dudanogueira @tassoevan @sampaiodiego Could someone please take a look at this? This is security relevant and completely ignored....

[CAberry]

Hello,

Rocket version 4.8.2

In admin settings -> message , link to version 9.18.5 is still present so I guess version 11 is not implemented yet

highlight is pretty useful, you dev people know it better then anyone ;-)

Regards,

[wreiske]

This is still the case in 6.0.0.

[wreiske]

This is still the case in 6.2.2.

[Vringe]

Still used in 6.5.3