uiwjs / react-markdown-preview

React component preview markdown text in web browser. The minimal amount of CSS to replicate the GitHub Markdown style. Support dark-mode/night mode.
https://uiwjs.github.io/react-markdown-preview
MIT License

Is it possible to remove the high severity vulnerability introduced by prismjs ? #101

Closed evansrobert closed 3 years ago

evansrobert commented 3 years ago

Hi, @jaywcjlove,

Issue Description

When I build my project, I notice that a vulnerability (high severity) CVE-2021-32723 detected in package prismjs<1.24.0 is directly referenced by @uiw/react-markdown-preview@2.1.3. However, @uiw/react-markdown-preview@2.1.3 is so popular that a large number of latest versions of active and popular downstream projects depend on it (1,289 downloads per week and about 31 downstream projects, e.g., strapi-plugin-wysiwsg-react-md-editor 1.0.3, @jbook/remote-client 1.1.11, azurev-jbook-local-client 1.0.5, @jbook/shared-components 1.1.11, azurev-jbook-cli 1.0.5, etc.). In this case, the vulnerability CVE-2021-32723 can be propagated into these downstream projects and expose security threats to them. As you can see, @uiw/react-markdown-preview@2.1.3 is introduced into the above projects via the following package dependency paths: (1) azurev-jbook-cli@1.0.5 ➔ azurev-jbook-local-client@1.0.5 ➔ @uiw/react-md-editor@2.1.1 ➔ @uiw/react-markdown-preview@2.1.3 ➔ prismjs@1.23.0 ......

I know that it's kind of you to have removed the vulnerability since @uiw/react-markdown-preview@3.0.4. But, in fact, the above large amount of downstream projects cannot easily upgrade @uiw/react-markdown-preview from version 2.1.3 to (>=3.0.4): The projects such as azurev-jbook-local-client, which introduced @uiw/react-markdown-preview@2.1.3, are not maintained anymore. These unmaintained packages can neither upgrade @uiw/react-markdown-preview nor be easily migrated by the large amount of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package @uiw/react-markdown-preview@2.1.3?

Suggested Solution

Since these inactive projects set a version constraint 2.1.* for @uiw/react-markdown-preview on the above vulnerable dependency paths, if @uiw/react-markdown-preview removes the vulnerability from 2.1.3 and releases a new patched version @uiw/react-markdown-preview@2.1.4, such a vulnerability patch can be automatically propagated into the downstream projects.

In @uiw/react-markdown-preview@2.1.4, maybe you can try to perform the following upgrade (not crossing major version): prismjs 1.23.0 ➔ 1.24.0;
Note: prismjs@1.24.0 (>=1.24.0) has fixed the vulnerability CVE-2021-32723. Thank you for your attention to this issue and welcome to share other ways to resolve the issue.

Best regards, ^_^
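The propagation argument in the suggested solution, as an added example that is not part of the issue or of the project's code: a small semver resolver walks a constructed registry and shows that a 2.1.4 release inside the downstream "2.1.*" range removes the vulnerable prismjs path without any change to the unmaintained packages. Only prismjs<1.24.0 (CVE-2021-32723), the version pins and the 2.1.* range come from the issue; the registry layout and the supported range forms are assumptions.

```javascript
const parse = (v) => v.split('.').map(Number);

// Compare two x.y.z version strings: -1, 0 or 1.
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Minimal range matcher covering only the forms used here: "2.1.*", ">=1.24.0", "<1.24.0", exact.
function satisfies(version, range) {
  const wild = range.match(/^(\d+)\.(\d+)\.[*x]$/);
  if (wild) { const [maj, min] = parse(version); return maj === +wild[1] && min === +wild[2]; }
  if (range.startsWith('>=')) return cmp(version, range.slice(2)) >= 0;
  if (range.startsWith('<')) return cmp(version, range.slice(1)) < 0;
  return cmp(version, range) === 0;
}

// Pick the highest published version satisfying the range, as a fresh install without a lockfile would.
function resolve(name, range, registry) {
  const versions = Object.keys(registry[name] || {}).filter((v) => satisfies(v, range));
  return versions.sort(cmp).pop() || null;
}

// Walk the resolved tree from a root and collect every dependency path that ends at a vulnerable version.
function vulnerablePaths(name, version, registry, advisory, path = []) {
  const here = [...path, `${name}@${version}`];
  if (name === advisory.name && satisfies(version, advisory.vulnerable)) return [here.join(' -> ')];
  return Object.entries(registry[name][version]).flatMap(([dep, range]) => {
    const v = resolve(dep, range, registry);
    return v ? vulnerablePaths(dep, v, registry, advisory, here) : [];
  });
}

const advisory = { name: 'prismjs', vulnerable: '<1.24.0' }; // CVE-2021-32723, as stated in the issue

// Constructed registry (assumption): pins and the "2.1.*" constraint mirror the dependency path in the issue.
const registry = {
  prismjs: { '1.23.0': {}, '1.24.0': {} },
  '@uiw/react-markdown-preview': { '2.1.3': { prismjs: '1.23.0' } },
  '@uiw/react-md-editor': { '2.1.1': { '@uiw/react-markdown-preview': '2.1.*' } },
  'azurev-jbook-local-client': { '1.0.5': { '@uiw/react-md-editor': '2.1.1' } },
};

const before = vulnerablePaths('azurev-jbook-local-client', '1.0.5', registry, advisory);
// Publishing 2.1.4 with prismjs bumped is enough: the downstream packages themselves are untouched.
registry['@uiw/react-markdown-preview']['2.1.4'] = { prismjs: '1.24.0' };
const after = vulnerablePaths('azurev-jbook-local-client', '1.0.5', registry, advisory);
console.log({ before, after });
```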

jaywcjlove commented 3 years ago

@evansrobert Upgrade + @uiw/react-markdown-preview@2.1.4

evansrobert commented 3 years ago

@jaywcjlove Thanks for your understanding and help. Such a fix is the additional effort that the npm community brings to you. The vulnerability patch in @uiw/react-markdown-preview@2.1.4 can be automatically propagated into many projects. Literally, it indeed benefits a huge amount of downstream users. Thanks again.