
dependencies: Update react-syntax-highlighter to fix transitive vulnerability #17127

Merged

Conversation

VanessaHenderson
Contributor

VanessaHenderson commented Jan 5, 2022

Issue: #16163 #16848

Vulnerability stemming from PrismJS which is a part of react-syntax-highlighter. Similar to #17116 but with further version updates. If that PR is updated and merged first then this one can be closed.

GitHub Vulnerability link: GHSA-hqhp-5p83-hx96
Fix PR reference for react-syntax-highlighter: react-syntax-highlighter/react-syntax-highlighter#430
Fix commit in react-syntax-highlighter: react-syntax-highlighter/react-syntax-highlighter@20d9444

What I did

Upgraded the react-syntax-highlighter package in both addons/storysource && lib/components. Ran yarn test and there were no additional test failures.

How to test

  • [No, functionality should not be impacted] Is this testable with Jest or Chromatic screenshots?
  • [No] Does this need a new example in the kitchen sink apps?
  • [No] Does this need an update to the documentation?

If your answer is yes to any of these, please make sure to include it in your PR.
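As an added illustration (not code from this PR or from the Storybook project), the following script walks a yarn.lock v1 file and reports which packages pull in a given transitive dependency, the range each declares, and the version the lockfile actually resolves it to. This is the check a reviewer would run to confirm that a bump like the one above really moves every path to prismjs. The embedded lockfile excerpt is constructed and its version numbers are made up.

```python
import re

# Constructed yarn.lock (v1 format) excerpt used as sample input; versions are made up,
# not taken from the Storybook repository.
SAMPLE_LOCK = """\
# yarn lockfile v1

prismjs@^1.22.0, prismjs@~1.24.0:
  version "1.24.0"

react-syntax-highlighter@^15.4.3:
  version "15.4.3"
  dependencies:
    prismjs "^1.22.0"
    refractor "^3.1.0"

refractor@^3.1.0:
  version "3.3.1"
  dependencies:
    prismjs "~1.24.0"
"""

# Matches a 4-space-indented dependency line such as:   "@scope/name" "^1.0.0"
_DEP_LINE = re.compile(r'^\s{4}"?([^"\s]+)"?\s+"?([^"]+)"?\s*$')


def parse_yarn_lock(text):
    """Return {"name@range": entry} where entry has name, resolved version and declared deps."""
    entries, current, in_deps = {}, None, False
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" "):  # entry header: one or more comma-separated "name@range" keys
            keys = [k.strip().strip('"') for k in line.rstrip(":").split(",")]
            current = {"name": keys[0].rsplit("@", 1)[0], "version": None, "dependencies": {}}
            for key in keys:          # several ranges may share one resolved entry
                entries[key] = current
            in_deps = False
        elif line.startswith("  version "):
            current["version"] = line.split('"')[1]
        elif line.startswith("  dependencies:"):
            in_deps = True
        elif in_deps and (m := _DEP_LINE.match(line)):
            current["dependencies"][m.group(1)] = m.group(2)
        else:
            in_deps = False
    return entries


def find_dependents(entries, target):
    """Sorted (dependent, its version, declared range, resolved target version) for every importer of target."""
    hits = []
    for entry in {id(e): e for e in entries.values()}.values():  # dedupe entries shared by several keys
        rng = entry["dependencies"].get(target)
        if rng is not None:
            resolved = entries.get(f"{target}@{rng}")
            hits.append((entry["name"], entry["version"], rng, resolved["version"] if resolved else None))
    return sorted(hits)
```

Running `find_dependents(parse_yarn_lock(open("yarn.lock").read()), "prismjs")` on a real lockfile shows every path that still resolves to an affected version after a bump.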

@nx-cloud

nx-cloud bot commented Jan 5, 2022

☁️ Nx Cloud Report

CI ran the following commands for commit cf3e9ba. Click to see the status, the terminal output, and the build insights.

📂 See all runs for this branch


✅ Successfully ran 1 target

Sent with 💌 from NxCloud.

@VanessaHenderson
Contributor Author

I'm not quite sure how dependencies are supposed to be updated without changing the yarn.lock file... I may just be misunderstanding things :)

@shilman
Member

shilman commented Jan 5, 2022

Thanks @VanessaHenderson, sorry I saw this PR after my other comment. Thanks so much for submitting this change. You'll need to update yarn.lock to get the build passing.

@lucasgonze what do you think about this change?

@VanessaHenderson
Contributor Author

I do have the lockfile, which is what is causing the CI build to fail because it says "The lockfile would have been modified by this install, which is explicitly forbidden" :(

@lucasgonze
Contributor

what do you think about this change?

I approve wholeheartedly of the intent.

@VanessaHenderson
Contributor Author

Thank you @shilman, I must have a different version of yarn.

@shilman shilman merged commit 6fb5366 into storybookjs:next Jan 7, 2022
@shilman
Member

shilman commented Jan 7, 2022

@VanessaHenderson thanks so much for the fix! 🙏
