Closed JamesMGreene closed 2 years ago
I would recommend turning off these mostly bullshit security vulnerabilities or at least not reading much into them: https://overreacted.io/npm-audit-broken-by-design/. Look at the repro: https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a/. That's megabytes of user content. And yes, if 2mb is sent instead of 1mb, it's exponentially a bit slower. But I'm guessing there will be many more problems you or your users will encounter with these payloads other than the syntax highlighting being a bit slow.
Using `^` does not work: https://github.com/wooorm/refractor/issues/54. It would hide the warning, but it would not include the solution.
You can also use refractor w/o react-syntax-highlighter:

```js
import React from 'react'
import {refractor} from 'refractor'
import {toH} from 'hast-to-hyperscript'

// refractor.highlight returns a hast tree; toH turns it into React elements
const element = toH(React.createElement, refractor.highlight('"use strict";', 'js'))
```
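To make the version-range side of this thread concrete, here is an added example (my own code, not from this thread, refractor or prismjs) that implements npm's tilde (`~`) and caret (`^`) range rules for plain `x.y.z` versions and checks whether a fixed release falls inside a dependency's declared range. The package names and versions come from the thread; the function names and the no-prerelease assumption are mine.

```javascript
// Added example (not refractor's or prismjs's code): minimal semver range
// matcher for the two operators discussed above, ~ and ^.
// Assumption: plain numeric x.y.z versions, no prerelease or build tags.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns [lowerInclusive, upperExclusive] for a ~ or ^ range (npm rules).
function rangeBounds(range) {
  const op = range[0];
  const base = parseVersion(range.slice(1));
  const [major, minor, patch] = base;
  let upper;
  if (op === '~') {
    // ~1.24.0 means >=1.24.0 <1.25.0: patch-level updates only.
    upper = [major, minor + 1, 0];
  } else if (op === '^') {
    // ^1.24.0 means >=1.24.0 <2.0.0; for 0.y.z the leftmost non-zero
    // component is treated as the breaking one (^0.1.5 -> <0.2.0).
    if (major > 0) upper = [major + 1, 0, 0];
    else if (minor > 0) upper = [0, minor + 1, 0];
    else upper = [0, 0, patch + 1];
  } else {
    throw new Error(`unsupported range: ${range}`);
  }
  return [base, upper];
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const [lower, upper] = rangeBounds(range);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// Given a dependency spec such as "prismjs@~1.24.0" and the version that
// carries a fix, report whether a plain reinstall can pick the fix up or
// whether the declared range itself has to be bumped.
function fixReachable(spec, fixedVersion) {
  const at = spec.lastIndexOf('@');
  return satisfies(fixedVersion, spec.slice(at + 1));
}

// Constructed inputs mirroring the dependency chain in this thread.
const needsBump = !fixReachable('prismjs@~1.24.0', '1.25.0');
console.log(`prismjs@~1.24.0 reaches 1.25.0: ${!needsBump}`);
console.log(`prismjs@^1.24.0 reaches 1.25.0: ${fixReachable('prismjs@^1.24.0', '1.25.0')}`);
```

The tilde pin is exactly why a `3.x` backport that moves the spec to `~1.25.0` is needed: no reinstall of `refractor@^3.2.0` with `prismjs@~1.24.0` can resolve to 1.25.0.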
backported!
Thank you so much for doing that, even if it is for a pretty unrealistic edge case!
It will make the robot overlords happier for now.
Would you be willing to release a `3.x` backport updating to `prismjs@~1.25.0`? (or better yet `prismjs@^1.25.0` so this won't be required in case of future vulnerabilities)

We:

- `react-syntax-highlighter@15.4.4` (`@latest`)
  - `refractor@^3.2.0`
    - `prismjs@~1.24.0` → `~1.25.0`

Normally, I would have asked the maintainers of `react-syntax-highlighter` to update their version of `refractor` instead, but since your `4.x` line introduced the breaking change of using ESM, I'm not so sure that they can do so without some major effort involved. Thanks for your consideration!