facebook / docusaurus

Easy to maintain open source documentation websites.
https://docusaurus.io
MIT License

Insecure NPM packages Detected in Docusaurus Core as a Nested Dependency #10207

Closed niyatimandani closed 3 months ago

niyatimandani commented 3 months ago

Have you read the Contributing Guidelines on issues?

Prerequisites

Description

The following packages are required dependencies of @docusaurus/core and have been identified as insecure. npm recommends discontinuing their use, as no secure versions are available. Additionally, a Checkmarx scan has revealed open vulnerabilities in these package versions affecting the security reports at my firm.

  1. shelljs: 0.8.5
  2. inflight: 1.0.6
  3. express: 4.19.2
  4. serve-handler: 6.1.5

I kindly request the necessary actions to be taken to address and remediate this vulnerability to ensure the security and stability of the docusaurus framework. If any further info is required, please let me know.

Reproducible demo

No response

Steps to reproduce

Running the npm ls 'package-name' command in the project directory lists the vulnerable version of the package:

└─┬ @docusaurus/core@3.4.0
  └── shelljs@0.8.5

└─┬ @docusaurus/core@3.4.0
  └─┬ webpack-dev-server@4.15.2
    └── express@4.19.2

└─┬ @docusaurus/core@3.4.0
  └─┬ serve-handler@6.1.5

Expected behavior

As there is no secure version available for these packages, I request docusaurus to replace these packages with secure alternatives.

Actual behavior

Vulnerable packages/dependencies found in @docusaurus/core package:

  1. shelljs: 0.8.5
  2. inflight: 1.0.6
  3. express: 4.19.2
  4. serve-handler: 6.1.5

Your environment

Self-service

Josh-Cena commented 3 months ago

Have you looked at what vulnerabilities they have, exactly? Can you demonstrate an actual attack vector with these vulnerabilities?

All dependencies you listed are only used during development time. The only way to hack it is if someone can change your codebase. Please read https://overreacted.io/npm-audit-broken-by-design/
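The useful output of `npm ls` for a finding like this is the full chain from the project root down to the flagged package, because that chain is what answers the maintainer's question: which parent actually uses the package, and is that parent a build or dev-server tool. The script below is an added example, not code from the issue or from the Docusaurus project. It parses the tree glyphs that `npm ls --all` prints and reports, for each flagged package name, every chain that reaches it plus its direct parents. The sample tree is constructed: the `@docusaurus/core`, `webpack-dev-server`, `express`, `shelljs` and `serve-handler` nodes mirror what the issue reports, while the `glob` and `path-is-inside` lines are illustrative filler to give `inflight` a plausible parent, and the root name `my-site@0.0.0` is invented.

```python
"""Parse `npm ls --all` tree output and show the dependency chain that pulls in
each flagged package, so a scanner finding can be traced to the parent that
actually uses it (e.g. express reached only through webpack-dev-server)."""
import re

# One node line of `npm ls` output: indentation made of "│ " / "  " columns, a
# branch glyph, "─┬" (has children) or "──" (leaf), the name@version spec, then
# optional notes such as "deduped" or "extraneous".
NODE_RE = re.compile(r"^((?:│ |  )*)[├└]─[┬─] (\S+)(.*)$")

# Constructed sample of `npm ls --all` output for a site depending on
# @docusaurus/core. The glob and path-is-inside lines are illustrative only;
# they are not taken from the issue.
SAMPLE_NPM_LS = """\
my-site@0.0.0 /home/user/my-site
└─┬ @docusaurus/core@3.4.0
  ├─┬ webpack-dev-server@4.15.2
  │ └── express@4.19.2
  ├── shelljs@0.8.5
  ├─┬ serve-handler@6.1.5
  │ └── path-is-inside@1.0.2
  └─┬ glob@7.2.3
    └── inflight@1.0.6
"""


def package_name(spec):
    """'@scope/name@1.2.3' -> '@scope/name'; 'name@1.2.3' -> 'name'."""
    name, _, _ = spec.rpartition("@")
    return name or spec


def parse_npm_ls(text):
    """Return a list of (chain, notes): chain is the list of name@version specs
    from the project root down to the node, notes is any trailing annotation."""
    nodes = []
    stack = []  # chain of the most recently parsed node
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m is None:
            if not stack and line.strip():
                # First non-tree line is the root "project@version /path".
                stack = [line.split()[0]]
            continue
        depth = len(m.group(1)) // 2 + 1   # two columns per nesting level
        chain = stack[:depth] + [m.group(2)]  # ancestors above this depth + node
        nodes.append((chain, m.group(3).strip()))
        stack = chain
    return nodes


def chains_for(text, names):
    """Map each flagged package name to every rendered chain that reaches it."""
    wanted = set(names)
    found = {n: [] for n in names}
    for chain, notes in parse_npm_ls(text):
        name = package_name(chain[-1])
        if name in wanted:
            rendered = " > ".join(chain)
            if notes:
                rendered += f" ({notes})"
            found[name].append(rendered)
    return found


def direct_parents(text, name):
    """The packages that declare `name` as a dependency (one hop up each chain)."""
    parents = set()
    for chain, _ in parse_npm_ls(text):
        if package_name(chain[-1]) == name and len(chain) >= 2:
            parents.add(package_name(chain[-2]))
    return sorted(parents)


if __name__ == "__main__":
    flagged = ["shelljs", "inflight", "express", "serve-handler"]
    for name, chains in chains_for(SAMPLE_NPM_LS, flagged).items():
        print(name, "<-", ", ".join(direct_parents(SAMPLE_NPM_LS, name)))
        for c in chains:
            print("   ", c)
```

Run it against real output with `npm ls --all > tree.txt` and feed the file contents to `chains_for`; the chains tell you whether a flagged package sits under a dev server or build tool (as with express under webpack-dev-server here) or under something that ships to production, which is the distinction the audit tooling itself does not make.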