wooorm / refractor

Lightweight, robust, elegant virtual syntax highlighting using Prism


Vulnerabilities introduced in your package?

paimon0715 opened this issue · comments

Hi @wooorm, @xiaoxiangmoe, there are 3 vulnerability issues in your package:

Issue Description

3 vulnerabilities (high severity), CVE-2021-23341, CVE-2021-32723 and CVE-2020-15138, were detected in package prismjs (>=1.1.0 <1.21.0), which is directly referenced by refractor 2.10.1. We noticed that such a vulnerability has been removed since refractor 3.3.0.

However, refractor's popular previous version refractor 2.10.1 (790,634 downloads per week) is still transitively referenced by a large amount of latest versions of active and popular downstream projects (about 3,846 downstream projects, e.g., @storybook/addon-info 5.3.21, @storybook/addon-notes 5.3.21, storybook-readme 5.0.9, @storybook/react-native-server 5.3.23, @types/storybook__addon-info 5.2.4, @2fn/toolkit@1.0.62, @a8k/plugin-sb-react@2.5.4, etc.). As such, issues CVE-2021-23341, CVE-2021-32723 and CVE-2020-15138 can be propagated into these downstream projects and expose security threats to them.

These projects cannot easily upgrade refractor from version 2.10.1 to 3.3.*. For instance, refractor 2.10.1 is introduced into the above projects via the following package dependency paths:
(1) @2fn/toolkit@1.0.62 ➔ @2fn/ui@1.0.12 ➔ react-syntax-highlighter@12.2.1 ➔ refractor@2.10.1 ➔ prismjs@1.17.1
(2) a8k/plugin-sb-react@2.5.4 ➔ storybook-react-tmp@0.0.1 ➔ @storybook/core@5.1.0-rc.1 ➔ @storybook/ui@5.1.0-rc.1 ➔ @storybook/components@5.1.0-rc.1 ➔ react-syntax-highlighter@8.1.0 ➔ refractor@2.10.1 ➔ prismjs@1.17.1
(3) @axa-ch/pod-rsv@1.79.0 ➔ storybook-addon-i18next@1.3.0 ➔ @storybook/components@5.3.21 ➔ react-syntax-highlighter@11.0.2 ➔ refractor@2.10.1 ➔ prismjs@1.17.1
(4) @bbc/digital-paper-edit-client@1.2.5 ➔ @bbc/digital-paper-edit-react-components@1.3.2 ➔ @storybook/addon-knobs@5.3.21 ➔ @storybook/components@5.3.21 ➔ react-syntax-highlighter@11.0.2 ➔ refractor@2.10.1 ➔ prismjs@1.17.1
(5) @betty-blocks/cli@23.47.0 ➔ @betty-blocks/preview@1.1.3 ➔ react-syntax-highlighter@11.0.2 ➔ refractor@2.10.1 ➔ prismjs@1.17.1
...

The projects such as @2fn/ui, storybook-react-tmp, storybook-addon-i18next, @bbc/digital-paper-edit-react-components and @betty-blocks/preview which introduced refractor@2.10.1 are not maintained anymore. These unmaintained packages can neither upgrade refractor nor be easily migrated by the large amount of affected downstream projects.

On behalf of the downstream users, could you help us remove the vulnerabilities from package refractor@2.10.1?

Suggested Solution

Since these inactive projects set a version constraint ~2.10.* for refractor on the above vulnerable dependency paths, if refractor removes the vulnerabilities from 2.10.1 and releases a new patched version refractor@2.10.2, such a vulnerability patch can be automatically propagated into the 3,846 affected downstream projects.

In refractor@2.10.2, you can kindly try to perform the following upgrade:
prismjs ~1.17.0 ➔ ~1.23.0;
Note:
prismjs@1.23.0 (>=1.23.0) has fixed the vulnerabilities (CVE-2021-23341, CVE-2021-32723 and CVE-2020-15138)

Thank you for your contributions.

Sincerely yours,
Paimon

How can I pull a request to refractor's v2.10.* branch to fix this issue?

Thanks again.
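The mechanism the report relies on is npm's tilde range: a dependent pinned with `~2.10.0` picks up any later 2.10.x patch release on its next install, but never a 3.x release. The following is an added illustration, not code from this issue or from the refractor project: a minimal tilde-range matcher, a check for the vulnerable prismjs range quoted above (>=1.1.0 <1.21.0), and a walk over a constructed lockfile-style graph that finds the dependency paths leading to a vulnerable prismjs. The graph is sample data modelled on path (5) above, and `~2.10.*` from the report is treated as the standard npm form `~2.10.0` (an assumption).

```javascript
// Added example; not part of refractor or of this issue thread.
// Parse "X.Y.Z" (pre-release tags such as "-rc.1" are ignored here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two parsed versions.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// npm tilde semantics for a full version: "~X.Y.Z" means >=X.Y.Z <X.(Y+1).0.
// So a 2.10.2 patch satisfies "~2.10.0", while 3.3.0 does not.
function satisfiesTilde(range, version) {
  if (!range.startsWith('~')) throw new Error(`only ~ ranges supported: ${range}`);
  const [rMaj, rMin, rPat] = parseVersion(range.slice(1));
  const [maj, min, pat] = parseVersion(version);
  return maj === rMaj && min === rMin && pat >= rPat;
}

// Affected prismjs range quoted in the report: >=1.1.0 <1.21.0.
function isVulnerablePrism(version) {
  const v = parseVersion(version);
  return compareVersions(v, [1, 1, 0]) >= 0 && compareVersions(v, [1, 21, 0]) < 0;
}

// Split "name@version"; scoped names start with "@", so split at the last "@".
function splitSpec(spec) {
  const at = spec.lastIndexOf('@');
  return [spec.slice(0, at), spec.slice(at + 1)];
}

// Constructed lockfile-style graph (resolved "name@version" -> its resolved deps).
const SAMPLE_GRAPH = {
  '@betty-blocks/cli@23.47.0': ['@betty-blocks/preview@1.1.3'],
  '@betty-blocks/preview@1.1.3': ['react-syntax-highlighter@11.0.2'],
  'react-syntax-highlighter@11.0.2': ['refractor@2.10.1'],
  'refractor@2.10.1': ['prismjs@1.17.1'],
  'prismjs@1.17.1': [],
};

// Depth-first walk from root; returns every path ending at a node the
// predicate flags (cycle-safe via the path check).
function vulnerablePaths(graph, root, predicate) {
  const found = [];
  const walk = (node, path) => {
    const [name, version] = splitSpec(node);
    if (predicate(name, version)) found.push([...path, node].join(' -> '));
    for (const dep of graph[node] || []) {
      if (!path.includes(dep)) walk(dep, [...path, node]);
    }
  };
  walk(root, []);
  return found;
}

const prismPredicate = (name, version) => name === 'prismjs' && isVulnerablePrism(version);

// Stand-alone demo run.
console.log(vulnerablePaths(SAMPLE_GRAPH, '@betty-blocks/cli@23.47.0', prismPredicate));
console.log('2.10.2 reaches ~2.10.0 dependents:', satisfiesTilde('~2.10.0', '2.10.2'));
console.log('3.3.0 reaches ~2.10.0 dependents:', satisfiesTilde('~2.10.0', '3.3.0'));
```

Run with `node` on any recent version; the walk prints the single path to prismjs@1.17.1, which lies inside the affected range, and the two range checks show why only a 2.10.x release would reach the pinned dependents.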

commented

Don't use v2. Use v3 or v4.

@wooorm Thanks for your feedback. But there are still 3,846 active and popular downstream projects that use refractor 2.10.1 (790,634 downloads per week).
If you could kindly remove the vulnerabilities from 2.10.1 and release a new patched version refractor@2.10.2, it would benefit all the downstream users.

We indeed should upgrade to v3 or v4, but there are upgrade lags on the package dependency paths.
It would be a long time to thoroughly migrate v2 to v3/v4 in the ecosystem.
I think you will have noticed that there were 790,634 downloads (https://www.npmjs.com/package/refractor/v/2.10.1?activeTab=versions) for refractor 2.10.1 during the last 7 days.

commented

It’s not an exploit: remarkjs/remark#782 (comment).
And it’s impossible for me to maintain release lines for every major version of hundreds of packages.

@wooorm Thanks Bro. No need to maintain hundreds of packages of refractor. Only v2.10.1 has the vulnerable impact on the downstream users.