Closed evansrobert closed 3 years ago
@evansrobert Upgrade + @uiw/react-markdown-preview@2.1.4
@jaywcjlove Thanks for your understanding and help. Such a fix is the additional efforts that npm community brings to you. The vulnerability patch in@uiw/react-markdown-preview@2.1.4 can be automatically propagated into many projects. Literally, it indeed benefits a huge amount of downstream users. Thanks again.
Hi, @jaywcjlove,
Issue Description
When I build my project, I notice that a vulnerability(high severity) CVE-2021-32723 detected in package prismjs<1.24.0 is directly referenced by @uiw/react-markdown-preview@2.1.3. However, @uiw/react-markdown-preview@2.1.3 is so popular that a large number of latest versions of active and popular downstream projects depend on it (1,289 downloads per week and about 31 downstream projects, e.g., strapi-plugin-wysiwsg-react-md-editor 1.0.3, @jbook/remote-client 1.1.11, azurev-jbook-local-client 1.0.5, @jbook/shared-components 1.1.11, azurev-jbook-cli 1.0.5, etc.). In this case, the vulnerability CVE-2021-32723 can be propagated into these downstream projects and expose security threats to them. As you can see, @uiw/react-markdown-preview@2.1.3 is introduced into the above projects via the following package dependency paths: (1)
azurev-jbook-cli@1.0.5 ➔ azurev-jbook-local-client@1.0.5 ➔ @uiw/react-md-editor@2.1.1 ➔ @uiw/react-markdown-preview@2.1.3 ➔ prismjs@1.23.0
......I know that it's kind of you to have removed the vulnerability since @uiw/react-markdown-preview@3.0.4. But, in fact, the above large amount of downstream projects cannot easily upgrade @uiw/react-markdown-preview from version 2.1.3 to (>=3.0.4): The projects such as azurev-jbook-local-client, which introduced @uiw/react-markdown-preview@2.1.3, are not maintained anymore. These unmaintained packages can neither upgrade @uiw/react-markdown-preview nor be easily migrated by the large amount of affected downstream projects.
Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package @uiw/react-markdown-preview@2.1.3?
Suggested Solution
Since these inactive projects set a version constaint 2.1.* for @uiw/react-markdown-preview on the above vulnerable dependency paths, if @uiw/react-markdown-preview removes the vulnerability from 2.1.3 and releases a new patched version @uiw/react-markdown-preview@2.1.4, such a vulnerability patch can be automatically propagated into the downstream projects.
In @uiw/react-markdown-preview@2.1.4, maybe you can try to perform the following upgrade(not crossing major version):
prismjs 1.23.0 ➔ 1.24.0
;Note: prismjs@1.24.0(>=1.24.0) has fixed the vulnerability CVE-2021-32723. Thank you for your attention to this issue and welcome to share other ways to resolve the issue.
Best regards, ^_^