dependencies: Update react-syntax-highlighter to fix transitive vulnerability #17127
Conversation
Nx Cloud Report: CI ran the following commands for commit cf3e9ba. Successfully ran 1 target.
I'm not quite sure how dependencies are supposed to be updated without changing the yarn.lock file... I may just be misunderstanding things :)
Thanks @VanessaHenderson sorry I saw this PR after my other comment. Thanks so much for submitting this change. You'll need to update @lucasgonze what do you think about this change?
I do have the lockfile which is what is causing the CI build to fail because it says "The lockfile would have been modified by this install, which is explicitly forbidden" :(
I approve wholeheartedly of the intent.
thank you @shilman I must have a different version of yarn
@VanessaHenderson thanks so much for the fix! 🙏
Issue: #16163 #16848
Vulnerability stemming from PrismJS which is a part of react-syntax-highlighter. Similar to #17116 but with further version updates. If that PR is updated and merged first then this one can be closed.
GitHub Vulnerability link: GHSA-hqhp-5p83-hx96
Fix PR reference for react-syntax-highlighter: react-syntax-highlighter/react-syntax-highlighter#430
Fix commit in react-syntax-highlighter: react-syntax-highlighter/react-syntax-highlighter@20d9444
What I did
Upgraded the react-syntax-highlighter package in both addons/storysource and lib/components. Ran `yarn test` and there were no additional test failures.
How to test
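A transitive vulnerability like this one is easy to miss because the vulnerable package (prismjs) never appears in the project's own package.json; only the lockfile records which top-level dependency resolved it and to which version. The script below is an added example, not code from this PR or from Storybook: it parses a yarn.lock v1 file, walks the dependency graph from a chosen direct dependency, and reports every path that reaches the target package together with the resolved version. The lockfile text is constructed for the demo (version numbers and integrity fields are illustrative), and `ASSUMED_FIXED_VERSION` is a placeholder; the real fixed version comes from the advisory, not from this code.

```javascript
// Added example (not part of the Storybook PR): find which direct dependency
// pulls a vulnerable package into a yarn.lock v1 file and whether the resolved
// version is below the fixed version.

// Constructed lockfile excerpt; package names mirror the PR, versions are illustrative.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/runtime@^7.3.1":
  version "7.16.7"
  resolved "https://registry.yarnpkg.com/@babel/runtime/-/runtime-7.16.7.tgz"
  integrity sha512-CONSTRUCTED

prismjs@^1.25.0, prismjs@~1.25.0:
  version "1.25.0"
  resolved "https://registry.yarnpkg.com/prismjs/-/prismjs-1.25.0.tgz"
  integrity sha512-CONSTRUCTED

react-syntax-highlighter@^15.4.3:
  version "15.4.3"
  resolved "https://registry.yarnpkg.com/react-syntax-highlighter/-/react-syntax-highlighter-15.4.3.tgz"
  integrity sha512-CONSTRUCTED
  dependencies:
    "@babel/runtime" "^7.3.1"
    prismjs "^1.25.0"
    refractor "^3.2.0"

refractor@^3.2.0:
  version "3.5.0"
  resolved "https://registry.yarnpkg.com/refractor/-/refractor-3.5.0.tgz"
  integrity sha512-CONSTRUCTED
  dependencies:
    prismjs "~1.25.0"
`;

// Placeholder (assumption): take the real fixed version from the advisory.
const ASSUMED_FIXED_VERSION = "1.27.0";

// "@scope/name@^1.0.0" -> "@scope/name"; "name@^1.0.0" -> "name"
function packageName(selector) {
  const at = selector.lastIndexOf("@");
  return at <= 0 ? selector : selector.slice(0, at);
}

// Parse yarn.lock v1 into Map<"name@range", {name, version, dependencies}>.
// Every selector on a header line maps to the same entry object.
function parseYarnLockV1(text) {
  const entries = new Map();
  let current = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      // Header: comma-separated selectors, optionally quoted, ending with ":"
      const selectors = raw.replace(/:$/, "").split(", ").map((s) => s.replace(/^"|"$/g, ""));
      current = { name: packageName(selectors[0]), version: null, dependencies: {} };
      inDeps = false;
      for (const s of selectors) entries.set(s, current);
      continue;
    }
    const line = raw.trim();
    if (raw.startsWith("    ") && inDeps) {
      // Dependency line: name (quoted when scoped) followed by a quoted range
      const m = line.match(/^"?([^"\s]+)"?\s+"([^"]+)"$/);
      if (m) current.dependencies[m[1]] = m[2];
    } else if (line === "dependencies:" || line === "optionalDependencies:") {
      inDeps = true;
    } else {
      inDeps = false;
      const m = line.match(/^version\s+"([^"]+)"$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Depth-first walk from a direct dependency's selector; returns every chain of
// entries that ends at targetName. Cycles and unresolved selectors are skipped.
function findDependencyPaths(entries, rootSelector, targetName) {
  const paths = [];
  const visit = (selector, trail) => {
    const entry = entries.get(selector);
    if (!entry || trail.includes(entry)) return;
    const chain = [...trail, entry];
    if (entry.name === targetName) {
      paths.push(chain);
      return;
    }
    for (const [dep, range] of Object.entries(entry.dependencies)) visit(`${dep}@${range}`, chain);
  };
  visit(rootSelector, []);
  return paths;
}

// Simplified numeric major.minor.patch comparison; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// One finding per path: human-readable chain, resolved version, and whether it is below the fix.
function auditTransitive(lockText, rootSelector, targetName, fixedVersion) {
  const entries = parseYarnLockV1(lockText);
  return findDependencyPaths(entries, rootSelector, targetName).map((chain) => {
    const resolved = chain[chain.length - 1].version;
    return {
      path: chain.map((e) => `${e.name}@${e.version}`).join(" -> "),
      resolved,
      vulnerable: compareVersions(resolved, fixedVersion) < 0,
    };
  });
}

for (const f of auditTransitive(SAMPLE_LOCK, "react-syntax-highlighter@^15.4.3", "prismjs", ASSUMED_FIXED_VERSION)) {
  console.log(`${f.vulnerable ? "VULNERABLE" : "ok"}  ${f.path}`);
}
```

Run against a real yarn.lock by replacing `SAMPLE_LOCK` with the file contents. The walk reports both the direct prismjs edge and the one via refractor, which is why bumping react-syntax-highlighter alone may not be enough: every path must resolve to a version at or above the fix, and the CI failure quoted above (the lockfile being modified by the install) is exactly the signal that the resolved graph changed and the committed yarn.lock needs to be updated alongside package.json.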