immer vulnerability resolution for Docusaurus 1.14.6? #4093

JGibson2019 · 2021-01-22T21:29:28Z

JGibson2019
Jan 22, 2021

It's come to our attention that Docusaurus 1.14.6 is dependent on react-dev-utils@9.1.0, which has a dependency on immer 1.10.0. This immer version has vulnerabilities, and the earliest fixed version is 8.0.1. I'm curious if the Docusaurus team has a solution for this and has a timeline on a fix for those of us still using Docusaurus 1?

omry · 2021-01-27T22:08:39Z

omry
Jan 27, 2021

Same issue with Docusaurus 2.

5 replies

slorber Jan 28, 2021
Collaborator

https://snyk.io/vuln/SNYK-JS-IMMER-1019369

Afaik the latest react-dev-utils still use Immer 7 so we'll have to wait for this to be merged/released first: facebook/create-react-app#10412

For what it's worth, we are not really affected by this vulnerability as we don't import any code that use it (ie react-dev-utils/immer)

jameswjr Feb 25, 2021

Does the merge from 3 days ago make this possible now?

slorber Feb 26, 2021
Collaborator

@jameswjr v1 immer version was also bumbed, I noted I should release a new v1 version for this fix to land.

In the meantime, remember it's just a warning, you are fetching vulnerable code that is never used by Docusaurus v1 anyway.

omry Mar 3, 2021

Please be aware that even though this is not a dangerous vulnerability for Docusaurus users - it's extremely annoying.
People exposed to it, especially at Facebook - gets a stream of nags to fix the "vulnerability problem".
This appears as a stern warning at the top of the repo:

And as a nag whenever we create a pull request:

$ git push --set-upstream origin fish
Counting objects: 8, done.
Delta compression using up to 20 threads.
Compressing objects: 100% (8/8), done.
Writing objects: 100% (8/8), 964 bytes | 964.00 KiB/s, done.
Total 8 (delta 6), reused 0 (delta 0)
remote: Resolving deltas: 100% (6/6), completed with 3 local objects.
remote:
remote: Create a pull request for 'fish' on GitHub by visiting:
remote:      https://github.com/facebookresearch/hydra/pull/new/fish
remote:
remote: GitHub found 1 vulnerability on facebookresearch/hydra's default branch (1 high). To find out more, visit:
remote:      https://github.com/facebookresearch/hydra/security/dependabot/website/yarn.lock/immer/open
remote:
To github.com:facebookresearch/hydra.git

As well as a handful of internal tasks created automatically.

I think I speak for many people when I say that we await a new version without this issue quite eagerly :).

slorber Mar 4, 2021
Collaborator

@omry I think we are going to do a release on Monday, sorry for the delays

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

immer vulnerability resolution for Docusaurus 1.14.6? #4093

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 5 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

immer vulnerability resolution for Docusaurus 1.14.6? #4093

JGibson2019 Jan 22, 2021

Replies: 1 comment · 5 replies

omry Jan 27, 2021

slorber Jan 28, 2021 Collaborator

jameswjr Feb 25, 2021

slorber Feb 26, 2021 Collaborator

omry Mar 3, 2021

slorber Mar 4, 2021 Collaborator

JGibson2019
Jan 22, 2021

Replies: 1 comment 5 replies

omry
Jan 27, 2021

slorber Jan 28, 2021
Collaborator

slorber Feb 26, 2021
Collaborator

slorber Mar 4, 2021
Collaborator