highlightjs / highlight.js

JavaScript syntax highlighter with language auto-detection and zero dependencies.
https://highlightjs.org/
BSD 3-Clause "New" or "Revised" License

Version 9 EOL & End of Support (even for security issues) #2877

Closed joshgoebel closed 3 years ago

joshgoebel commented 3 years ago

If you're trying to upgrade your (or someone else's) dependencies, you may want to see the note about upgrading dependencies from version 9 to version 10 (big picture).

A recent vulnerability has brought the topic of version 9 support back into the forefront. The core team doesn't really have the time or focus to maintain two very different forks of the project, especially since version 9 only truly exists to service a tiny audience (IE11, <1% browser share per caniuse.com). We were kind of OK letting it live a bit longer as long as it didn't require any time/effort from us, but that's no longer proving to be the case.

It's so obvious that v10 and modern browsers (released in the last ~4-5 years) are where we need to be focusing our time, not supporting very old browsers. So if you're still using version 9:

If you aren't supporting IE11 users (or others with very obscure browsers)

You need to upgrade to v10. No question. For 90% of simple cases it's a trivial upgrade. For complex integrations it may be a bit more effort (like most things). https://github.com/highlightjs/highlight.js/blob/master/VERSION_10_UPGRADE.md

If you're supporting IE11 users (or others with very obscure browsers)

Someone truly requiring IE11 support for "enterprisey" projects should perhaps look at Prism.js, which is a great project that still supports IE11. Or perhaps consider maintaining their own private fork of version 10 that supports IE11. This should still technically be possible now (AFAIK) but may prove more difficult as time goes on.

So here is the current plan:

So v9 users would want to upgrade to the latest v9 release and then either start working on upgrading to v10 or come up with other plans.

ManuGM91 commented 3 years ago

@joshgoebel, I am happy to let you know that my issue is now resolved and I didn't have to do anything except uninstall the newman htmlextra reporter and install it again. I think @Romakita was correct with maintainers allowing all versions after 9.12.0. Now my builds are back to green. I would really like to appreciate all your time and efforts and also like to thank you for acting on it swiftly.

ManuGM91 commented 3 years ago

@MGM19 Sorry about breaking your build. :) Lesson learned about warn. And I've created an issue to track it in version 10 and see what changes may need to be made:

#2880

Please don't be sorry. We all have met these unforeseen situations and in my case, to be honest, I think you haven't done anything wrong, as it's npm which considers a warning a hard error. In one way it's good that we all have our lessons learned, and personally I am happy that I got to interact with you guys.

Thanks again for fixing it and doing it swiftly. I have tried 3 different builds and all have gone green, so I would assume that it is resolved. Anyway, I will confirm by EOD about any unseen issues if anything happens.

ManuGM91 commented 3 years ago

Just for information, the highlighted part in the screenshot of package.json for highlight.js is what changed after I re-installed the reporter.

ZQun commented 3 years ago

@joshgoebel Hello, highlight.js@9.18.5 did not install successfully, is it because I used the wrong command?


joshgoebel commented 3 years ago

That's weird. Try it again?

ZQun commented 3 years ago

That's weird. Try it again?

It feels like version 9.18.5 is in a different tab, "previous":"9.18.4","unsupported":"9.18.5"

After I executed npm install, I did not install 9.18.5 into the dependencies package-lock.json

ZQun commented 3 years ago

@joshgoebel Hello, after I execute npm install, the default installation is still 9.18.4


ManuGM91 commented 3 years ago

@ZQun Is it possible for you to uninstall (maybe globally) your package for which highlight.js is a dependency? And then install that again? As mentioned earlier, for me uninstalling my reporter and installing it again fixed the issue and it automatically picked 9.18.5.

joshgoebel commented 3 years ago

Yes they were tagged differently but if you specify the version directly that should work regardless of the tag. You could also try

npm install highlight.js@unsupported
npm uninstall highlight.js@previous

Or try @ManuGM91 suggestion.

ZQun commented 3 years ago

Thanks for the answer. There is no problem using the npm source to install. I can't install using the npm source in China. I have found a way: executing npm install git+https://github.com/highlightjs/highlight.js.git#9.18.5 --save installs successfully!

update:

It is problematic to install dependencies through github. The contents of ./lib/* are missing in the directory. Now version 9.18.5 can be installed through the npm source in China. It is probably because the latest npm mirror has not been synchronized before, and the problem has been solved.

joshgoebel commented 3 years ago

@ZQun Our primary source repository is NOT a build product - it's only the raw source.

There is of course https://github.com/highlightjs/cdn-release, but the build is in build... I'm not sure if there is a way to tell npm to install from a repo using a given path. N/m CDN isn't going to help you because you're wanting the NPM library release I assume... yeah I dunno what to tell you if you can't actually access the NPM repository.

You could always build from source and then do the install locally.

ZQun commented 3 years ago

@ZQun Our primary source repository is NOT a build product - it's only the raw source.

There is of course https://github.com/highlightjs/cdn-release, but the build is in build... I'm not sure if there is a way to tell npm to install from a repo using a given path. N/m CDN isn't going to help you because you're wanting the NPM library release I assume... yeah I dunno what to tell you if you can't actually access the NPM repository.

You could always build from source and then do the install locally.

@joshgoebel Thank you for your answer. The problem has been solved, mainly using typeorm. Today I found that the following dependencies have been upgraded to version 10.x!

joshgoebel commented 3 years ago

Relevant: v9 is now known to have potentially serious security issues for anyone using it to highlight user provided content:

https://github.com/highlightjs/highlight.js/security/advisories/GHSA-7wwv-vh3v-89cq

sowousmane commented 3 years ago

Hello, sorry to bother you. I saw a lot of things above but I can't understand them, so can anyone tell me how to solve this please?

npm run start

> @ start C:\Users\gigabyte\Documents\developer_site\website
> docusaurus-start

LiveReload server started on port 35729
Docusaurus server started on port 3000
Version 9 of Highlight.js has reached EOL and is no longer supported.
Please upgrade or ask whatever dependency you are using to upgrade.
https://github.com/highlightjs/highlight.js/issues/2877

I am really new to this and the first person who made the project is no longer here

joshgoebel commented 3 years ago

@sowousmane

You could try the usual suspects:

But if we're a transitive dependency (a dependency of a dependency) then you may first have to update/upgrade OTHER packages... it all depends. And of course read all the documentation on upgrading as a lot has changed from v9 to v11.
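The advice above (find which package drags in the EOL v9 line, then upgrade that package) is what the following Node.js script automates. It is an added example, not highlight.js project code and not something any participant in this thread posted: it reads a package-lock.json, lists every installed copy of highlight.js with the package it is nested under, lists which packages declare highlight.js as a dependency (the ones to take the upgrade request to), and flags copies still on 9.x. The lockfile and the package names doc-tool-a and md-tool-b are constructed for the example; the two lockfile layouts it walks (lockfileVersion 1 with nested dependencies, lockfileVersion 2/3 with a flat packages map) are npm's documented formats.

```javascript
// Added example, not highlight.js project code: audit a package-lock.json
// for installed copies of highlight.js and flag the EOL v9 line.
// Supports lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
const TARGET = 'highlight.js';
const EOL_MAJOR = 9; // per this issue, every 9.x release is end-of-life

function majorOf(version) {
  const m = /^(\d+)\./.exec(version || '');
  return m ? Number(m[1]) : NaN;
}

// lockfileVersion 2/3: keys are paths such as
// "node_modules/md-tool-b/node_modules/highlight.js"; the enclosing
// package names form the nesting chain.
function scanPackages(packages, name) {
  const hits = [];
  for (const [key, info] of Object.entries(packages)) {
    if (key === '') continue; // root project entry
    const chain = key.split('node_modules/').filter(Boolean)
      .map((s) => s.replace(/\/$/, ''));
    if (chain[chain.length - 1] === name) {
      hits.push({ version: info.version, via: chain.slice(0, -1) });
    }
  }
  return hits;
}

// lockfileVersion 1: each entry may carry its own nested "dependencies".
function scanDependencies(deps, name, parents = [], hits = []) {
  for (const [depName, info] of Object.entries(deps || {})) {
    if (depName === name) hits.push({ version: info.version, via: parents });
    if (info.dependencies) {
      scanDependencies(info.dependencies, name, [...parents, depName], hits);
    }
  }
  return hits;
}

// Every installed copy of `name`, with an `eol` flag on the version.
function findEolCopies(lock, name = TARGET) {
  const hits = lock.packages
    ? scanPackages(lock.packages, name)
    : scanDependencies(lock.dependencies, name);
  return hits.map((h) => ({ ...h, eol: majorOf(h.version) <= EOL_MAJOR }));
}

// Which packages ask for `name` at all (v2/v3 lockfiles record this in each
// entry's "dependencies" map): the list to take upstream for an upgrade.
function declaredDependents(lock, name = TARGET) {
  const out = [];
  for (const [key, info] of Object.entries(lock.packages || {})) {
    const range = info.dependencies && info.dependencies[name];
    if (!range) continue;
    const pkg = key === '' ? (info.name || '(root)') : key.split('node_modules/').pop();
    out.push({ pkg, range });
  }
  return out;
}

// Human-readable report lines; returned rather than printed so it can be tested.
function report(lock) {
  const lines = findEolCopies(lock).map((h) =>
    `${TARGET}@${h.version} at ${h.via.length ? h.via.join(' > ') : 'top level'}` +
    (h.eol ? '  <-- EOL, upgrade' : ''));
  for (const d of declaredDependents(lock)) {
    lines.push(`${d.pkg} requires ${TARGET}@${d.range}`);
  }
  return lines;
}

// Constructed sample lockfile (lockfileVersion 2); package names are made up.
const SAMPLE_LOCK = {
  name: 'website',
  lockfileVersion: 2,
  packages: {
    '': { name: 'website', dependencies: { 'doc-tool-a': '^1.0.0', 'md-tool-b': '^2.0.0' } },
    'node_modules/doc-tool-a': { version: '1.0.0', dependencies: { 'highlight.js': '^9.16.2' } },
    'node_modules/highlight.js': { version: '9.18.4' }, // hoisted copy used by doc-tool-a
    'node_modules/md-tool-b': { version: '2.0.0', dependencies: { 'highlight.js': '^10.7.0' } },
    'node_modules/md-tool-b/node_modules/highlight.js': { version: '10.7.3' },
  },
};

// With a path argument, audit that lockfile; otherwise run on the sample.
const lock = process.argv[2]
  ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
  : SAMPLE_LOCK;
console.log(report(lock).join('\n'));
```

Run it as `node audit-lock.js path/to/package-lock.json`; with no argument it audits the constructed sample and reports the hoisted 9.18.4 copy as EOL, pulled in by doc-tool-a's `^9.16.2` range, while md-tool-b's nested 10.7.3 copy is fine. `npm ls highlight.js` gives the same tree view interactively; the script is for CI, where a non-empty EOL list can fail the build before a v9 copy ships.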

sowousmane commented 3 years ago

@joshgoebel thank you so much