Upgrade react-syntax-highlighter to pick up security patch upstream #17116
Conversation
…n highlight.js Signed-off-by: Lucas Gonze <lucas@gonze.com>
…in order to bump prismjs. Fixes storybookjs#16848
yarn upgrade react-syntax-highlighter@^15.4.2 in addons/storysource/ in order to close #16848 in this branch |
React-syntax-highlighter doesn't use the non-vulnerable version for sure (because of transitive dependency resolution) until 15.4.5, so upgrading to 15.4.2 isn't going to resolve it. It's written in the comments of the fix PR for the package. I was about to submit a PR doing the non-vulnerable version. Fix PR reference for react-syntax-highlighter: react-syntax-highlighter/react-syntax-highlighter#430 |
Thanks @VanessaHenderson @lucasgonze -- would upgrading to |
It's ^15.4.2, not 15.4.2 exactly. As a result you see the version of prismjs with the patch.
@lucasgonze sure, but if the fix is only available in |
Additional force wouldn't cause harm but isn't necessary.
@shilman I'll happily list 15.4.5 explicitly in order to help this go through. |
Signed-off-by: Lucas Gonze <lucas@gonze.com>
@lucasgonze I merged this to release it along with a |
I have also updated the security policy accordingly. This doesn't mean we won't ever publish patch releases for earlier versions, but I want to set expectations. |
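The point made above is that a caret range such as ^15.4.2 only guarantees what the lockfile actually resolved, not that the patched transitive prismjs is present. The following added example (not code from the Storybook repository or from this PR) parses a constructed yarn.lock v1 fragment and checks each package of interest against a minimum version; the prismjs floor of 1.22.0 and the lockfile contents are made-up values for illustration, not the real patched version.

```python
import re

# Constructed yarn.lock (v1 format) fragment; not taken from the Storybook repo.
SAMPLE_LOCK = """\
# yarn lockfile v1

prismjs@^1.22.0, prismjs@~1.22.0:
  version "1.22.0"
  resolved "https://registry.example/prismjs-1.22.0.tgz"

react-syntax-highlighter@^15.4.2:
  version "15.4.3"
  resolved "https://registry.example/react-syntax-highlighter-15.4.3.tgz"
  dependencies:
    prismjs "^1.22.0"
"""

HEADER = re.compile(r'^(?P<key>\S.*):$')          # unindented "name@range, ...:" line
VERSION = re.compile(r'^\s+version "(?P<ver>[^"]+)"$')


def parse_yarn_lock(text):
    """Map each package name to the set of versions the lockfile actually resolved."""
    resolved, names = {}, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            # Header is a comma-separated list of "name@range" specifiers (possibly quoted);
            # scoped names start with '@', so split on the last '@' only.
            names = [s.strip().strip('"').rpartition('@')[0] for s in m.group('key').split(',')]
            continue
        m = VERSION.match(line)
        if m and names:
            for n in names:
                resolved.setdefault(n, set()).add(m.group('ver'))
            names = []
    return resolved


def semver_tuple(v):
    """Numeric tuple for comparison; pre-release suffixes are dropped."""
    return tuple(int(x) for x in v.split('-')[0].split('.'))


def check_minimums(lock_text, minimums):
    """Return {name: (sorted resolved versions, all_at_or_above_floor)}."""
    resolved = parse_yarn_lock(lock_text)
    report = {}
    for name, floor in minimums.items():
        versions = sorted(resolved.get(name, set()), key=semver_tuple)
        ok = bool(versions) and all(semver_tuple(v) >= semver_tuple(floor) for v in versions)
        report[name] = (versions, ok)
    return report
```

Run against the sample, react-syntax-highlighter is flagged because ^15.4.2 let the lockfile settle on 15.4.3, which is exactly the gap the comments above describe.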
Issue: #16848
Signed-off-by: Lucas Gonze lucas@gonze.com
What I did
Cherrypicked changes from PR to upgrade package to pick up a security patch.
Ran yarn run test. Found no new test failures compared with the count in the previous commit.
How to test