Release a `3.x` backport of updating to `prismjs@~1.25.0`?
JamesMGreene opened this issue Β· comments
Would you be willing to release a 3.x backport updating to prismjs@~1.25.0? ππ»
(or better yet prismjs@^1.25.0 so this won't be required in case of future vulnerabilities β¨ )
We:
- depend on
react-syntax-highlighter@15.4.4(@latest)- which depends on
refractor@^3.2.0- which depends on
prismjs@~1.24.0- which has a security vulnerability GHSA-hqhp-5p83-hx96 that is resolved in
~1.25.0
- which has a security vulnerability GHSA-hqhp-5p83-hx96 that is resolved in
- which depends on
- which depends on
Normally, I would have asked the maintainers of react-syntax-highlighter to update their version of refractor instead, but since your 4.x line introduced the breaking change of using ESM, I'm not so sure that they can do so without some major effort involved. π¬
Thanks for your consideration! ππ»ββοΈ
I would recommend turning off these mostly bullshit security vulnerabilities or at least not reading much into them: https://overreacted.io/npm-audit-broken-by-design/.
Look at the repro: https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a/. Thatβs megabytes of user content. And yes, if 2mb is sent instead of 1mb, itβs exponentially a bit slower. But Iβm guessing there will many more problems you or your users will encounter with these payloads other than the syntax highlighting being a bit slow.
Using ^ does not work: #54. It would hide the warning, but it would not include the solution
You can also use refractor w/o react-syntax-highlighter:
import React from 'react'
import {refractor} from 'refractor'
import {toH} from 'hast-to-hyperscript'
toH(React.createElement, refractor.highlight('"use strict";', 'js'))backported!
Thank you so much for doing that, even if it is for a pretty unrealistic edge case! ππ»ββοΈ
It will make the robot overlords happier for now. π€ π