Installing docusaurus causes security vulnerabilities #1368

Closed
Shobhit1 opened this issue Apr 18, 2019 · 5 comments · Fixed by #1404
Labels: dependencies, difficulty: starter, good first issue, help wanted

Comments

@Shobhit1 commented Apr 18, 2019

🐛 Bug Report

NPM reports vulnerabilities upon installing Docusaurus.
node version: v11.10.1
npm version: 6.9.0
OS: MacOS Mojave

Have you read the Contributing Guidelines on issues?

Yes

To Reproduce


  1. npm install docusaurus

Expected behavior

The package should install without any security vulnerabilities.

Actual Behavior

Moderate Denial of Service
Package js-yaml
Patched in >=3.13.0
Dependency of docusaurus [dev]
Path docusaurus > cssnano > postcss-svgo > svgo > js-yaml
More info https://npmjs.com/advisories/788

───────────────────────────────────────────

High Code Injection
Patched in >=3.13.1
Dependency of docusaurus [dev]
Path docusaurus > cssnano > postcss-svgo > svgo > js-yaml
More info https://npmjs.com/advisories/813

───────────────────────────────────────────

Moderate Regular Expression Denial of Service
Package underscore.string
Patched in >=3.3.5
Dependency of docusaurus [dev]
Path docusaurus > markdown-toc > remarkable > argparse > underscore.string
More info https://npmjs.com/advisories/745

───────────────────────────────────────────

Moderate Regular Expression Denial of Service
Package underscore.string
Patched in >=3.3.5
Dependency of docusaurus [dev]
Path docusaurus > remarkable > argparse > underscore.string
More info https://npmjs.com/advisories/745

───────────────────────────────────────────

Low Regular Expression Denial of Service
Package debug
Patched in >= 2.6.9 < 3.0.0
Dependency of docusaurus [dev]
Path docusaurus > tcp-port-used > debug
More info https://npmjs.com/advisories/534

───────────────────────────────────────────

All the above dependent packages have fixed their bugs. Docusaurus needs to upgrade the dependencies.
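Added example (not from the issue or the Docusaurus project): a small parser for the `npm audit` block format quoted above, plus a plain-semver check of the "Patched in" range, so a maintainer can tell from a lockfile's pinned versions which transitive findings are still open. The sample report is constructed from two of the entries above; the comparator only understands `x.y.z` versions and `>= > <= <` operators, which is all this report uses.

```javascript
// Constructed sample: two findings copied from the report above.
const REPORT = `
Moderate Denial of Service
Package js-yaml
Patched in >=3.13.0
Dependency of docusaurus [dev]
Path docusaurus > cssnano > postcss-svgo > svgo > js-yaml
More info https://npmjs.com/advisories/788

Low Regular Expression Denial of Service
Package debug
Patched in >= 2.6.9 < 3.0.0
Dependency of docusaurus [dev]
Path docusaurus > tcp-port-used > debug
More info https://npmjs.com/advisories/534
`;

// Split the report on blank lines; each block is one finding.
function parseReport(text) {
  return text.trim().split(/\n\s*\n/).map((block) => {
    const lines = block.trim().split('\n');
    const [severity, ...titleWords] = lines[0].split(' ');
    // Value of the line starting with `name`, or '' when absent.
    const field = (name) =>
      (lines.find((l) => l.startsWith(name + ' ')) || '').slice(name.length + 1);
    return {
      severity,
      title: titleWords.join(' '),
      pkg: field('Package'),
      patched: field('Patched in'),
      path: field('Path').split(' > '),
      advisory: field('More info'),
    };
  });
}

// Numeric compare of two x.y.z versions: negative, zero or positive.
function cmp(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when `version` satisfies every comparator in a range such as ">= 2.6.9 < 3.0.0".
// Note that for the debug advisory a 3.0.x install falls outside this range and stays flagged.
function satisfies(version, range) {
  const ops = { '>=': (c) => c >= 0, '>': (c) => c > 0, '<=': (c) => c <= 0, '<': (c) => c < 0 };
  return [...range.matchAll(/(>=|<=|>|<)\s*(\d+\.\d+\.\d+)/g)]
    .every(([, op, v]) => ops[op](cmp(version, v)));
}

// Given installed versions (e.g. read from package-lock.json), list findings still open.
function openFindings(report, installed) {
  return parseReport(report)
    .filter((f) => !satisfies(installed[f.pkg], f.patched))
    .map((f) => `${f.severity} ${f.pkg}@${installed[f.pkg]} via ${f.path.join(' > ')} (${f.advisory})`);
}
```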

@Shobhit1 Shobhit1 changed the title npm install docusaurus causes security vulnerabilities Installing docusaurus causes security vulnerabilities Apr 18, 2019
@endiliey endiliey added the dependencies, difficulty: starter and good first issue labels Apr 18, 2019

@endiliey (Contributor) commented:

PR Welcome 😄

@endiliey endiliey added the help wanted label Apr 18, 2019

@NishealJ (Contributor) commented:

Hi @Shobhit1, are you working on this?

@yangshun (Contributor) commented:

@NishealJ doesn't seem like it, you are free to take it up!

@NishealJ (Contributor) commented:

Sure @yangshun, I've raised a PR for the same. Thanks!

@Shobhit1 (Author) commented:

I am not, @NishealJ. Sorry for replying late. Feel free to pick it up.
Thanks

SwaroopH added a commit to blockvigil/ethvigil-docs that referenced this issue Aug 5, 2019