Upgrade react-syntax-highlighter in order to delete security issue about prismjs #16848

Closed
jing-chen1 opened this issue Nov 30, 2021 · 2 comments

Comments

@jing-chen1

Describe the bug

Could we upgrade react-syntax-highlighter to its latest version 15.4.5?
It is causing security issues in our repository with prismjs CVE-2021-3801

We need prismjs major to 1.25.0

@lucasgonze
Contributor

lucasgonze commented Jan 4, 2022

I also need the prismjs upgrade, so I have been investigating.

These PRs are necessary but not sufficient:

In addition, 5.3 @storybook/addon-storysource needs to upgrade the version of react-syntax-highlighter. I have added that to 17116.

Also, the @storybook/design-system used in both the next branch and 5.3 branch needs an upgrade.

@shilman
Member

shilman commented Jan 8, 2022

Crikey!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.5.0-alpha.11 containing PR #17127 that references this issue. Upgrade today to the @next NPM tag to try it out!

npx sb upgrade --prerelease

Closing this issue. Please re-open if you think there's still more to do.
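
Added example, not part of the original thread or of Storybook's code: since several packages can each pull in their own nested copy of prismjs, one way to confirm an upgrade actually cleared the finding is to walk the npm lockfile (the v2/v3 `packages` map) and list every prismjs install below 1.25.0 together with the package that nests it. The function names and the sample lockfile are assumptions made for illustration.

```javascript
// Added example: list every prismjs copy in an npm lockfile ("packages" map,
// lockfileVersion 2 or 3) that is older than the 1.25.0 floor asked for in this issue.
const FLOOR = "1.25.0";

// Compare two plain x.y.z versions; prerelease/build suffixes are ignored.
function cmp(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return [{ path, version, parent }] for each install of `name` below `floor`.
function findOutdated(lock, name = "prismjs", floor = FLOOR) {
  const hits = [];
  const suffix = "node_modules/" + name;
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match only the exact package name, not e.g. "foo-prismjs" or "@x/prismjs".
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    if (!meta.version || cmp(meta.version, floor) >= 0) continue;
    // The enclosing package is the one whose dependency range keeps this nested copy.
    const parent = path.slice(0, -suffix.length).replace(/\/$/, "")
      .split("node_modules/").pop() || "(hoisted)";
    hits.push({ path, version: meta.version, parent });
  }
  return hits;
}

// Constructed sample lockfile; versions are illustrative, not taken from Storybook.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app" },
    "node_modules/prismjs": { version: "1.25.0" },
    "node_modules/react-syntax-highlighter/node_modules/prismjs": { version: "1.23.0" },
    "node_modules/@storybook/design-system/node_modules/prismjs": { version: "1.17.1" },
  },
};

console.log(findOutdated(sampleLock));
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `findOutdated` instead of `sampleLock`; an empty result means no copy below the floor remains.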
