@docusaurus/[email protected] depends on a deep dependency [email protected] which is a vulnerable version #8277
Have you read the Contributing Guidelines on issues?
- I have read the Contributing Guidelines on issues.
Prerequisites
- I'm using the latest version of Docusaurus.
- I have tried the `npm run clear` or `yarn clear` command.
- I have tried `rm -rf node_modules yarn.lock package-lock.json` and re-installing packages.
- I have tried creating a repro with https://new.docusaurus.io.
- I have read the console error message carefully (if applicable).
Description
@docusaurus/[email protected] depends on a deep dependency [email protected] which is a vulnerable version
Dependency Map:

```
@docusaurus/[email protected]
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]
```
Observations:

- [email protected] and above are the bug-free ones.
- [email protected] and above contain the got package version noted above.
- [email protected] and above contain the package-json package version noted above.
- [email protected] and above contain the latest-version package version noted above.

But @docusaurus/[email protected] contains only [email protected], which has the vulnerable got.
Useful Links:
https://www.npmjs.com/package/got
https://nvd.nist.gov/vuln/detail/CVE-2022-33987
Reproducible demo
No response
Steps to reproduce
Run `npm ls got`. You will get:

```
@docusaurus/[email protected]
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]
```
Here, [email protected] is a vulnerable version.
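The `npm ls got` check above only works for one package name typed by hand. As an added example (not part of this issue or the Docusaurus project), the script below walks the JSON form of that output (`npm ls --all --json`) and reports every copy of a package that resolves below a chosen minimum version, so the fix can be verified after an upgrade. The dependency tree, every version number and the minimum `2.0.0` are constructed placeholders; the real fixed version must come from the advisory for the package.

```javascript
// Added example, not from the issue: walk `npm ls --all --json` output and
// report every copy of a package that resolves below a minimum version.
// All version numbers and the minimum used below are constructed placeholders.

// Constructed stand-in for `npm ls --all --json` output (same shape as npm's).
const SAMPLE_NPM_LS = {
  name: 'my-site', version: '0.0.0',
  dependencies: {
    '@docusaurus/core': {
      version: '2.2.0',
      dependencies: {
        'update-notifier': { version: '1.0.0-sample', dependencies: {
          'latest-version': { version: '1.0.0-sample', dependencies: {
            'package-json': { version: '1.0.0-sample', dependencies: {
              got: { version: '1.0.0' } } } } } } },
      },
    },
    // A second, already-upgraded copy of got reached through another package.
    'some-cli': { version: '1.0.0-sample', dependencies: { got: { version: '2.1.0' } } },
  },
};

// Compare two semver-style strings numerically on major.minor.patch
// (a pre-release suffix after '-' is ignored for this check).
function compareVersions(a, b) {
  const num = (v) => v.split('-')[0].split('.').map(Number);
  const [pa, pb] = [num(a), num(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Depth-first walk collecting the dependency path to every resolved copy of `name`.
function findPackagePaths(tree, name, path = []) {
  const hits = [];
  for (const [dep, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name && node.version) hits.push({ path: here.join(' > '), version: node.version });
    hits.push(...findPackagePaths(node, name, here));
  }
  return hits;
}

// Keep only the copies below `minSafe`: these are the ones still to be upgraded.
function flagVulnerable(tree, name, minSafe) {
  return findPackagePaths(tree, name).filter((h) => compareVersions(h.version, minSafe) < 0);
}

console.log(flagVulnerable(SAMPLE_NPM_LS, 'got', '2.0.0'));
```

Against a real project, replace `SAMPLE_NPM_LS` with `JSON.parse` of the captured `npm ls --all --json` output; an empty result means no copy of the package is left below the chosen minimum.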
Expected behavior
@docusaurus/core should use at least [email protected], which has a non-vulnerable got.
Actual behavior
@docusaurus/core is using [email protected], which has the vulnerable [email protected].
Your environment
- Docusaurus version used: 2.2.0
- Environment name and version (e.g. Chrome 106.0.5249.119, Node.js 16.17.0):
- Operating system and version (e.g. Mac OS Monterey 12.5.1):
Self-service
- I'd be willing to fix this bug myself.