Closed NickGerleman closed 10 months ago
Please see https://github.com/facebook/docusaurus/issues/6394#issuecomment-1015942459 for our stance on security bugs. This one in particular has exactly zero impact because our usage of wait-on does not even use axios. So we are not going to invest time finding another package and changing our code because of a "bug" that has no impact. If you have some security policy that requires absolutely no CVE, feel free to use your package manager's resolution to force resolving axios to a newer version.
@Josh-Cena would you accept a contribution changing the dep?
I fully agree with your assessment on the lack of a real-world security risk associated with this warning (or most other JS CVEs). Though some teams and companies do still try to keep clean regardless. I think I could avoid work for those folks if I changed this at the library level, instead of for a single repo's resolutions consuming Docusaurus.
E.g. Meta's infrastructure pinged me as RN oncall about even a medium level GitHub vulnerability on React Native Website. It will ping other owners of OSS Docusaurus repos at Meta at the same time to fix it, so N people now get separate issues to fix this, because the policy is set at a greater organizational level.
Sure, if you want to work on a fix, PRs are definitely welcome. I'll re-open the issue for now so you could track it. I certainly would like to see a library that's more maintained and significantly smaller (without all the observables/HTTP dependencies).
Have you read the Contributing Guidelines on issues?
Prerequisites
- npm run clear or yarn clear command.
- rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
Description
@docusaurus/core depends on wait-on@^7.0.1, which in turn depends on axios@^0.27.2. This version will now trigger GitHub vulnerability warnings due to https://github.com/axios/axios/issues/6006 affecting axios before 1.6.0. The newest version of wait-on still depends on an old version of axios. Docusaurus only uses it in a single place, so it seems reasonable to remove or replace the dependency with something else. https://github.com/facebook/docusaurus/blob/b4645456292b1a74408961beb518faff6a25e09d/packages/docusaurus/src/webpack/plugins/WaitPlugin.ts#L10
Reproducible demo
No response
Steps to reproduce
yarn audit (Docusaurus app)
Expected behavior
Audit is clean
Actual behavior
Audit shows vulns from axios
Your environment
No response
Self-service
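The transitive chain described in the issue body (@docusaurus/core to wait-on to axios) and the package-manager override the maintainer suggests, as an added example that is not part of this issue or of Docusaurus: a lockfile check that reports which dependency pulls in an axios below 1.6.0, plus the package.json override fragment. The lockfile contents are constructed to mirror the chain reported here.

```javascript
// Added example, not Docusaurus or wait-on code. Given the "packages" map of a
// package-lock.json (v2/v3), find installed copies of a package below the fixed
// version and show the dependency chain that pulls each one in. The lockfile
// below is constructed to mirror the chain reported in this issue.
const FIXED_AXIOS = '1.6.0'; // first axios release without the reported issue

const lock = {
  packages: {
    '': { dependencies: { '@docusaurus/core': '^3.0.0' } },
    'node_modules/@docusaurus/core': { version: '3.0.0', dependencies: { 'wait-on': '^7.0.1' } },
    'node_modules/wait-on': { version: '7.0.1', dependencies: { axios: '^0.27.2' } },
    'node_modules/axios': { version: '0.27.2' },
  },
};

// Minimal numeric semver compare (major.minor.patch); returns a < b.
function lessThan(a, b) {
  const [x, y] = [a, b].map((v) => v.split('.').map((n) => parseInt(n, 10)));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Lockfile paths of every package whose "dependencies" lists `name`.
function dependents(lock, name) {
  return Object.entries(lock.packages)
    .filter(([, pkg]) => pkg.dependencies && name in pkg.dependencies)
    .map(([path]) => path);
}

// Returns [{ path, version, chain }] for each install of `name` below `fixed`.
function findVulnerable(lock, name, fixed) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    if (!path.endsWith('node_modules/' + name) || !lessThan(pkg.version, fixed)) continue;
    const chain = [name]; // walk parents up to the root to explain the install
    let cur = name;
    for (let hops = 0; hops < 50; hops++) {
      const parents = dependents(lock, cur);
      if (parents.length === 0 || parents[0] === '') break;
      cur = parents[0].replace(/^.*node_modules\//, '');
      chain.unshift(cur);
    }
    hits.push({ path, version: pkg.version, chain });
  }
  return hits;
}

// package.json fragment forcing the fixed version (npm "overrides" / yarn "resolutions").
function overrideFor(name, fixed) {
  return { overrides: { [name]: '^' + fixed }, resolutions: { [name]: '^' + fixed } };
}
```

Call findVulnerable(lock, 'axios', FIXED_AXIOS) to list the chain; an empty result after adding the overrideFor fragment and reinstalling means the audit finding no longer resolves to the old version.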