facebook / docusaurus

Easy to maintain open source documentation websites.
https://docusaurus.io
MIT License

Replace wait-on dependency #9537

Closed NickGerleman closed 10 months ago

NickGerleman commented 10 months ago

Description

@docusaurus/core depends on wait-on@^7.0.1, which in turn depends on axios@^0.27.2. This version will now trigger GitHub vulnerability warnings due to https://github.com/axios/axios/issues/6006 affecting axios before 1.6.0.

The newest version of wait-on still depends on an old version of axios. Docusaurus only uses it in a single place, so it seems reasonable to remove or replace the dependency with something else. https://github.com/facebook/docusaurus/blob/b4645456292b1a74408961beb518faff6a25e09d/packages/docusaurus/src/webpack/plugins/WaitPlugin.ts#L10

Reproducible demo

No response

Steps to reproduce

yarn audit Docusaurus app

Expected behavior

Audit is clean

Actual behavior

Audit shows vulns from axios

Your environment

No response

Josh-Cena commented 10 months ago

Please see https://github.com/facebook/docusaurus/issues/6394#issuecomment-1015942459 for our stance on security bugs. This one in particular has exactly zero impact because our usage of wait-on does not even use axios. So we are not going to invest time finding another package and changing our code because of a "bug" that has no impact. If you have some security policy that requires absolutely no CVE, feel free to use your package manager's resolution to force resolving axios to a newer version.
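
As an added illustration (not part of this thread or of the Docusaurus project's own code), this is what the "package manager resolution" suggested in the comment above looks like in a consuming site's package.json. The `resolutions` field is honoured by Yarn, `overrides` by npm 8.3 and later, and `pnpm.overrides` by pnpm; only the `axios` package name and the 1.6.0 floor come from the issue text. The site name and the `@docusaurus/core` version range are constructed placeholders, and you would keep only the key your package manager reads.

```json
{
  "name": "example-docusaurus-site",
  "private": true,
  "dependencies": {
    "@docusaurus/core": "^3.0.0"
  },
  "resolutions": {
    "axios": "^1.6.0"
  },
  "overrides": {
    "axios": "^1.6.0"
  },
  "pnpm": {
    "overrides": {
      "axios": "^1.6.0"
    }
  }
}
```

After reinstalling, confirm with `yarn why axios` (or `npm ls axios`) that only a 1.x copy remains in the lockfile, then rerun `yarn audit`. Forcing a transitive dependency across a major version is normally risky, because the package that declared `^0.27.2` may rely on APIs that changed in 1.x; it is acceptable here only because, as noted above, Docusaurus's use of wait-on never reaches the axios code path, so the override silences the advisory without changing any behaviour the site actually exercises.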

NickGerleman commented 10 months ago

@Josh-Cena would you accept a contribution changing the dep?

I fully agree with your assessment on the lack of a real-world security risk associated with this warning (or most other JS CVEs). Though some teams and companies do still try to keep clean regardless. I think I could avoid work for those folks if I changed this at the library level, instead of for a single repo's resolutions consuming Docusaurus.

E.g. Meta's infrastructure pinged me as RN oncall about even a medium level GitHub vulnerability on React Native Website. It will ping other owners of OSS Docusaurus repos at Meta at the same time to fix it, so N people now get separate issues to fix this, because the policy is set at a greater organizational level.

Josh-Cena commented 10 months ago

Sure, if you want to work on a fix, PRs are definitely welcome. I'll re-open the issue for now so you could track it. I certainly would like to see a library that's more maintained and significantly smaller (without all the observables/HTTP dependencies).