tinymce / tinymce-react

Official TinyMCE React component
MIT License
959 stars 156 forks

@storybook/storybook-deployer leaked into dependencies #479

Closed Senderek closed 10 months ago

Senderek commented 10 months ago

What is the current behavior?

@tinymce/tinymce-react contains @storybook/storybook-deployer in the dependencies in package.json, which cascades to all configurations consuming @tinymce/tinymce-react@4.3.1

Steps to reproduce

npm install @tinymce/tinymce-react@4.3.1

What is the expected behavior?

Package forces the consuming application to only download the packages that are used during runtime when using npm i

Which versions of TinyMCE, and which browser / OS are affected by this issue? Did this work in previous versions of TinyMCE or tinymce-react?

Version: 4.3.1
PR: https://github.com/tinymce/tinymce-react/pull/478
In previous versions the dependency array only contained prop-types and tinymce

exalate-issue-sync[bot] commented 10 months ago

Internal Ref: INT-3252

zavan commented 10 months ago

This causes an npm security warning:

npm audit
# npm audit report

parse-url  <=8.0.0
Severity: critical
parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing - https://github.com/advisories/GHSA-pqw5-jmp5-px4v
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url - https://github.com/advisories/GHSA-j9fq-vwqv-2fm2
fix available via `npm audit fix --force`
Will install @tinymce/tinymce-react@4.3.0, which is a breaking change
node_modules/parse-url
  git-up  <=6.0.0
  Depends on vulnerable versions of parse-url
  node_modules/git-up
    git-url-parse  4.0.0 - 12.0.0
    Depends on vulnerable versions of git-up
    node_modules/git-url-parse
      @storybook/storybook-deployer  *
      Depends on vulnerable versions of git-url-parse
      node_modules/@storybook/storybook-deployer
        @tinymce/tinymce-react  >=4.3.1-feature.20230124174746421.sha998862c
        Depends on vulnerable versions of @storybook/storybook-deployer
        node_modules/@tinymce/tinymce-react

5 vulnerabilities (4 moderate, 1 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force
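
The two points raised above (a dev-only tool published under "dependencies", and the audit chain that pulls parse-url into every consumer) can be checked mechanically. The following is an added example, not code from the tinymce-react project: a pre-publish manifest check plus a walk of the "depends on" edges copied from the audit output above. The manifest and version ranges are constructed placeholders.

```javascript
// Added example (not tinymce-react code): flag dev tooling shipped as a
// runtime dependency, and trace how one leaked package carries a
// vulnerable transitive dependency up to the published root package.

const DEV_TOOL_PATTERNS = [/^@storybook\//, /^storybook$/, /^eslint/, /^jest/, /^webpack/, /^rollup/];

// One finding per entry in pkg.dependencies that is outside the expected
// runtime set, looks like build/dev tooling, or is duplicated in devDependencies.
function auditRuntimeDeps(pkg, expectedRuntime) {
  const findings = [];
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    const reasons = [];
    if (!expectedRuntime.includes(name)) reasons.push('not in expected runtime set');
    if (DEV_TOOL_PATTERNS.some((re) => re.test(name))) reasons.push('matches dev tooling name');
    if (pkg.devDependencies && name in pkg.devDependencies) reasons.push('also in devDependencies');
    if (reasons.length) findings.push({ name, range, reasons });
  }
  return findings;
}

// parents maps package -> packages that depend on it (the "Depends on
// vulnerable versions of ..." lines of npm audit, read upward).
// Returns the chain from start to root, or null if no path exists.
function chainToRoot(parents, start, root) {
  const chain = [start];
  const seen = new Set(chain);
  let cur = start;
  while (cur !== root) {
    const next = (parents[cur] || []).find((p) => !seen.has(p));
    if (!next) return null;
    chain.push(next);
    seen.add(next);
    cur = next;
  }
  return chain;
}

// Constructed manifest modelled on the 4.3.1 report; ranges are placeholders.
const sample431 = {
  name: '@tinymce/tinymce-react',
  version: '4.3.1',
  dependencies: { 'prop-types': '*', tinymce: '*', '@storybook/storybook-deployer': '*' },
};
const EXPECTED_RUNTIME = ['prop-types', 'tinymce']; // per the issue, the 4.3.0 runtime set

// Dependent edges transcribed from the npm audit output in this issue.
const AUDIT_PARENTS = {
  'parse-url': ['git-up'],
  'git-up': ['git-url-parse'],
  'git-url-parse': ['@storybook/storybook-deployer'],
  '@storybook/storybook-deployer': ['@tinymce/tinymce-react'],
};

console.log(auditRuntimeDeps(sample431, EXPECTED_RUNTIME));
console.log(chainToRoot(AUDIT_PARENTS, 'parse-url', '@tinymce/tinymce-react').join(' -> '));
```

Running the manifest check against the package's own package.json in a CI step before `npm publish` catches this class of leak before consumers see it in `npm audit`.
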

shanmen-tiny commented 10 months ago

Hi @Senderek and @zavan ,

Thank you for reporting. The issue has been addressed in #483, and we have removed the storybook-deployer dependency. A new tinymce-react version (4.3.2) has been released and is now available for download from npm.