Closed mgwidmann closed 3 years ago
First of all, I recommend that you read this issue to learn more about the problem when using `npm audit`. Docusaurus, like CRA, is a build tool, so everything described in that issue applies to it. In short, at this point there is nothing to worry about if `npm audit` has found some vulnerabilities.

If it is important for you that `npm audit` succeed, you can either move the `@docusaurus/preset-classic` dependency to the `devDependencies` field or you can try to use resolution tools like `npm-force-resolutions`.
Moving it to `devDependencies` worked to clear `npm audit`. Does this mean you have no intention of upgrading the packages that are flagged by npm? It seems a healthy regular cadence of updating dependencies would fix this problem. Take `trim` for example. It's no longer used in the latest versions of `@mdx-js/mdx` > `remark-parse`, so if `@docusaurus/theme-classic` updated its version of `@mdx-js/mdx` this vulnerability would go away.

I understand if you want to make the argument that since it's a build tool it's not vulnerable to these issues, but perhaps by keeping dependencies up to date you can meet people halfway. Then it's an easier argument to make, since there would be no action Docusaurus could take to remedy the problem.
Yes, of course we will update dependencies; we do it periodically now. However, MDX v2 is not ready for production use yet, so we can't update it. However, we will upgrade `webpack-dev-server` to v4 (`chokidar`) soon. When a new version of CRA (`react-dev-utils`) is available, we will also update this dependency. So there's no reason to be worried about this issue.
> Moving it to `devDependencies` worked to clear `npm audit`. Does this mean you have no intention of upgrading the packages that are flagged by npm? It seems a healthy regular cadence of updating dependencies would fix this problem. Take `trim` for example. It's no longer used in the latest versions of `@mdx-js/mdx` > `remark-parse`, so if `@docusaurus/theme-classic` updated its version of `@mdx-js/mdx` this vulnerability would go away.
To help Docusaurus with updating, the creator of Renovate bot and I created a configuration that should fit the needs of the Docusaurus project. This is basically "ready to go", but Renovate itself needs to be installed into the organization account, and needs to be allowed to run on the `facebook/docusaurus` repository.
See this issue for the full discussion/details:
If anybody from the Docusaurus team wants to try out Renovate bot for themselves follow the instructions I posted here: https://github.com/facebook/docusaurus/issues/3552#issuecomment-763623781
@HonkingGoose thanks, we will consider enabling Renovate bot this month. I'm closing this issue for now in favor of #3552, so the vulnerabilities found relate to packages we can't update yet (apart from webpack-dev-server).
## 🐛 Bug Report

### Prerequisites

- [x] I have tried the `npm run clear` or `yarn clear` command.
- [x] I have tried `rm -rf node_modules yarn.lock package-lock.json` and re-installing packages.

### Description

It is expected that `npx @docusaurus/init@latest init my-website classic` will not install dependencies with known CVE issues. However, `npm audit` returns vulnerabilities. Even using `npm audit --fix` does not allow for overriding them. Below are two examples of vulnerabilities. This prevents a project with a CI/CD pipeline (using `npm audit`) from using Docusaurus, since it will fail the build indefinitely (see the RFC on fixing this: https://github.com/npm/rfcs/pull/18).

### Have you read the Contributing Guidelines on issues?

Yes. This is not a security vulnerability that is not already publicly known; this is just reporting the fact that Docusaurus does not allow upgrading to remove packages with known CVEs and is therefore a bug in Docusaurus's dependency tree.
### Steps to reproduce

```sh
mkdir docusaurus-playground
cd docusaurus-playground
npx @docusaurus/init@latest init my-website classic
npm i --package-lock-only
npm audit --prod
```

### Expected behavior

npm should find no vulnerabilities, or `npm audit --fix` should fix them.

### Actual behavior

Running `npm audit --fix` does not allow for overriding any vulnerabilities. If a CI/CD pipeline is built with `npm audit`, this blocks the pipeline without any way to unblock it (see the discussion about this issue in the RFC https://github.com/npm/rfcs/pull/18).

### Your environment

### Reproducible demo

See the reproduction steps above to build a local environment.