
Upgrade docusaurus to 2.4.0 #3936

Merged

Conversation

hangc0276
Contributor

Motivation

There are many CVEs in the docusaurus 2.0.0-beta.17 version.

CVE-2023-2251

Detailed paths
Introduced through: site-3@0.0.0 › @docusaurus/core@2.0.0-beta.17 › cssnano@5.1.0 › yaml@1.10.2
Fix: No remediation path available.
Introduced through: site-3@0.0.0 › @docusaurus/core@2.0.0-beta.17 › postcss-loader@6.2.1 › cosmiconfig@7.0.1 › yaml@1.10.2
Fix: Upgrade to @docusaurus/core@2.0.0
Introduced through: site-3@0.0.0 › @docusaurus/core@2.0.0-beta.17 › css-minimizer-webpack-plugin@3.4.1 › cssnano@5.1.0 › yaml@1.10.2
Fix: No remediation path available.

CVE-2022-25967

Detailed paths and remediation
Introduced through: site-3@0.0.0 › @docusaurus/core@2.0.0-beta.17 › eta@1.12.3
Fix: Upgrade to @docusaurus/core@2.3.1
Introduced through: site-3@0.0.0 › @docusaurus/preset-classic@2.0.0-beta.17 › @docusaurus/core@2.0.0-beta.17 › eta@1.12.3
Fix: Upgrade to @docusaurus/preset-classic@2.3.1
Introduced through: site-3@0.0.0 › @docusaurus/preset-classic@2.0.0-beta.17 › @docusaurus/theme-search-algolia@2.0.0-beta.17 › eta@1.12.3
Fix: Upgrade to @docusaurus/preset-classic@2.3.1

Changes

Upgrade docusaurus to 2.4.0 to resolve those CVEs.
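Added here as an example (not code from the PR or from the docusaurus project): a Python check that parses the Snyk "Introduced through" / "Fix" pairs above and reports which paths a proposed upgrade of the direct dependencies does not cover according to the report. The embedded report is a constructed copy of the lines above; paths Snyk marks as "No remediation path available" are always reported, so they are re-scanned after the upgrade rather than assumed fixed.

```python
import re

# Constructed sample: the Snyk "Detailed paths" lines from the PR description.
SNYK_REPORT = """\
CVE-2023-2251
Introduced through: site-3@0.0.0 › @docusaurus/core@2.0.0-beta.17 › cssnano@5.1.0 › yaml@1.10.2
Fix: No remediation path available.
Introduced through: site-3@0.0.0 › @docusaurus/core@2.0.0-beta.17 › postcss-loader@6.2.1 › cosmiconfig@7.0.1 › yaml@1.10.2
Fix: Upgrade to @docusaurus/core@2.0.0
CVE-2022-25967
Introduced through: site-3@0.0.0 › @docusaurus/core@2.0.0-beta.17 › eta@1.12.3
Fix: Upgrade to @docusaurus/core@2.3.1
Introduced through: site-3@0.0.0 › @docusaurus/preset-classic@2.0.0-beta.17 › @docusaurus/core@2.0.0-beta.17 › eta@1.12.3
Fix: Upgrade to @docusaurus/preset-classic@2.3.1
"""

# "@scope/name@1.2.3" -> (name, version); a scope's leading "@" is not the separator.
PKG_RE = re.compile(r"^(?P<name>@?[^@]+)@(?P<version>.+)$")

def split_pkg(token):
    m = PKG_RE.match(token.strip())
    return m.group("name"), m.group("version")

def semver_key(v):
    """Numeric core, then a release sorts after a prerelease of the same core
    (2.0.0-beta.17 < 2.0.0). Order among prereleases is not modelled."""
    core, _, pre = v.partition("-")
    return tuple(int(x) for x in core.split(".")), 0 if pre else 1

def parse_report(text):
    """Yield (cve, vulnerable_pkg, direct_dep, fix); fix is None if Snyk lists no remediation."""
    cve, path = None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("CVE-"):
            cve = line
        elif line.startswith("Introduced through:"):
            path = [split_pkg(t) for t in line.split(":", 1)[1].split("›")]
        elif line.startswith("Fix:") and path:
            m = re.search(r"Upgrade to (\S+)", line)
            yield cve, path[-1], path[1], split_pkg(m.group(1)) if m else None
            path = None

def unresolved_paths(text, upgraded):
    """CVE -> paths that `upgraded` (direct dep name -> new version) does not cover."""
    out = {}
    for cve, (vname, vver), (dname, _), fix in parse_report(text):
        covered = (fix is not None and fix[0] in upgraded
                   and semver_key(upgraded[fix[0]]) >= semver_key(fix[1]))
        if not covered:
            out.setdefault(cve, []).append(f"{vname}@{vver} via {dname}")
    return out
```

Running `unresolved_paths(SNYK_REPORT, {"@docusaurus/core": "2.4.0", "@docusaurus/preset-classic": "2.4.0"})` leaves only the cssnano › yaml path of CVE-2023-2251, the one the report itself says has no remediation, so that is the path to confirm in a re-scan after the upgrade.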

@nicoloboschi
Contributor

@hangc0276 I think you need to upgrade the Node version.

@@ -39,5 +39,10 @@
},
"devDependencies": {
"replace-in-file": "^6.3.2"
},

"engines": {
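Review bot: the `engines` block opened at `"engines": {` is cut off in this excerpt, so the Node floor it declares cannot be checked here; whatever value it carries, `engines` is only a declaration (yarn enforces it at install time, npm only with `engine-strict` enabled), so the Node version the site build actually runs on, in CI and in any build image, has to be raised alongside it, which is what the comment above is asking for.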
Contributor Author


@nicoloboschi I tried to upgrade the Node engine, but it doesn't work.

hangc0276 merged commit 93fc917 into apache:master May 4, 2023
17 checks passed
zymap pushed a commit that referenced this pull request Jun 19, 2023
(cherry picked from commit 93fc917)
@zymap
Member

zymap commented Dec 6, 2023

It's a website dependency; it doesn't need to be released.
