Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update react-syntax-hightlighter to v15.5.0 for fixing XSS vulnerability issue by prismjs #17784

Closed
oti opened this issue Mar 23, 2022 · 5 comments
Closed

Update react-syntax-hightlighter to v15.5.0 for fixing XSS vulnerability issue by prismjs #17784

oti opened this issue Mar 23, 2022 · 5 comments
Labels
feature request needs triage

Comments

@oti
Copy link

oti commented Mar 23, 2022
edited
Loading

Is your feature request related to a problem? Please describe

@storybook/components which depends on react-syntax-highlighter has a XSS vulnerability issue by prismjs.
It was resolved in react-syntax-highlighter v15.5.0
https://github.com/react-syntax-highlighter/react-syntax-highlighter/releases/tag/15.5.0

Describe the solution you'd like

Update react-syntax-hightlighter to v15.5.0
@oti oti changed the title Update react-syntax-hightlighter to v15.5.0 for fixing XSS vulnerability issue by prism.js Update react-syntax-hightlighter to v15.5.0 for fixing XSS vulnerability issue by prismjs Mar 23, 2022
@curtvict
Copy link
Contributor

curtvict commented Mar 23, 2022
edited
Loading

It would be great if this could be included in the next minor.

PrismJS/prism#3341 was included in their v1.27.0 release.

More context: GHSA-3949-f494-cm99

@mattseddon mattseddon mentioned this issue Mar 24, 2022
Merged
@tkdphoenix
Copy link

It seems that prismjs is a devDependency. Is that correct? If so, you can move it to devDependencies in package.json and it wouldn't be a security vuln for everyone, but you would want to update it ASAP, of course.

This was referenced Apr 19, 2022
Closed
Merged
@curtvict
Copy link
Contributor

curtvict commented Apr 19, 2022
edited
Loading

Seemed like less work to just bump the version, so I did.

@shilman
Copy link
Member

shilman commented Jul 2, 2022

Ooh-la-la!! I just released https://github.com/storybookjs/storybook/releases/tag/v7.0.0-alpha.10 containing PR #18009 that references this issue. Upgrade today to the @future NPM tag to try it out!

npx sb upgrade --prerelease

Closing this issue. Please re-open if you think there's still more to do.

@shilman shilman closed this as completed Jul 2, 2022
@curtvict
Copy link
Contributor

curtvict commented Jul 2, 2022

Thanks @shilman!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request needs triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@shilman @oti @tkdphoenix @curtvict