Closed Senderek closed 10 months ago
Internal Ref: INT-3252
This causes an npm security warning:

```text
npm audit
# npm audit report

parse-url  <=8.0.0
Severity: critical
parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing - https://github.com/advisories/GHSA-pqw5-jmp5-px4v
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url - https://github.com/advisories/GHSA-j9fq-vwqv-2fm2
fix available via `npm audit fix --force`
Will install @tinymce/tinymce-react@4.3.0, which is a breaking change
node_modules/parse-url
  git-up  <=6.0.0
  Depends on vulnerable versions of parse-url
  node_modules/git-up
    git-url-parse  4.0.0 - 12.0.0
    Depends on vulnerable versions of git-up
    node_modules/git-url-parse
      @storybook/storybook-deployer  *
      Depends on vulnerable versions of git-url-parse
      node_modules/@storybook/storybook-deployer
        @tinymce/tinymce-react  >=4.3.1-feature.20230124174746421.sha998862c
        Depends on vulnerable versions of @storybook/storybook-deployer
        node_modules/@tinymce/tinymce-react

5 vulnerabilities (4 moderate, 1 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force
```
Hi @Senderek and @zavan,

Thank you for reporting. The issue has been addressed in #483, where we removed the storybook-deployer dependency. A new tinymce-react version (4.3.2) has been released and is now available for download from npm.
What is the current behavior?
@tinymce/tinymce-react contains @storybook/storybook-deployer in the dependencies in package.json, which cascades to all configurations consuming @tinymce/tinymce-react@4.3.1.

Steps to reproduce

What is the expected behavior?
Package forces the consuming application to only download the packages that are used during runtime when using `npm i`.

Which versions of TinyMCE, and which browser / OS are affected by this issue? Did this work in previous versions of TinyMCE or tinymce-react?
Version: 4.3.1
PR: https://github.com/tinymce/tinymce-react/pull/478
In previous versions the dependency array only contained prop-types and tinymce.