
Security vulnerability reported in highlight.js #28781

Closed
wkilday opened this issue Dec 28, 2020 · 2 comments · Fixed by #28545
Labels
type: bug An issue or pull request relating to a bug in Gatsby

Comments


wkilday commented Dec 28, 2020

GitHub's Dependabot is flagging Gatsby with a vulnerability in highlight.js@^8.1.0 via a dependency on hicat@0.7.0.

The vulnerability is fixed in highlight.js@10.4.1, which hicat@0.8.0 uses.

Updating the hicat dependency in gatsby-recipes should resolve this vulnerability. Pull Request #28545 is already doing that, so getting it reviewed and merged should be enough.
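As an added illustration (not code from this issue or from Gatsby), the script below answers the two questions Dependabot raised here: which dependency chain pulls highlight.js into the tree, and whether the installed version is at least 10.4.1. The lockfile fragments are constructed in package-lock v2 "packages" shape and are hypothetical.

```javascript
// Constructed package-lock v2 style "packages" maps (hypothetical, not Gatsby's real lockfile).
// A flattened layout is assumed: every package lives directly under node_modules/.
const LOCK_BEFORE = {
  "": { name: "gatsby-recipes", dependencies: { hicat: "^0.7.0" } },
  "node_modules/hicat": { version: "0.7.0", dependencies: { "highlight.js": "^8.1.0" } },
  "node_modules/highlight.js": { version: "8.1.0" },
};
const LOCK_AFTER = {
  "": { name: "gatsby-recipes", dependencies: { hicat: "^0.8.0" } },
  "node_modules/hicat": { version: "0.8.0", dependencies: { "highlight.js": "^10.4.1" } },
  "node_modules/highlight.js": { version: "10.4.1" },
};
const FIXED_VERSION = "10.4.1"; // first highlight.js release containing the fix, per the issue

// Numeric comparison of dotted versions; pre-release tags are out of scope here.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk dependency edges from the root and return every chain root > ... > target,
// which is the question `npm explain <pkg>` answers.
function explain(lock, target) {
  const chains = [];
  const walk = (key, path, seen) => {
    const pkg = lock[key]; if (!pkg) return;
    const name = key === "" ? pkg.name : key.slice("node_modules/".length);
    const next = [...path, key === "" ? name : `${name}@${pkg.version}`];
    if (name === target) { chains.push(next); return; }
    for (const dep of Object.keys(pkg.dependencies || {})) {
      const depKey = `node_modules/${dep}`;
      if (!seen.has(depKey)) walk(depKey, next, new Set([...seen, depKey]));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

// Report whether the installed target is below the fixed version and which chains pull it in.
function audit(lock, target, fixed) {
  const installed = lock[`node_modules/${target}`];
  if (!installed) return { installed: null, vulnerable: false, chains: [] };
  const v = installed.version;
  return { installed: v, vulnerable: compareVersions(v, fixed) < 0, chains: explain(lock, target) };
}
```

Running `audit(LOCK_BEFORE, "highlight.js", FIXED_VERSION)` reports the chain gatsby-recipes > hicat@0.7.0 > highlight.js@8.1.0 as vulnerable; the same call on `LOCK_AFTER` does not.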

@wkilday wkilday added the type: bug An issue or pull request relating to a bug in Gatsby label Dec 28, 2020
@gatsbot gatsbot bot added the status: triage needed Issue or pull request that need to be triaged and assigned to a reviewer label Dec 28, 2020
@LekoArts LekoArts added type: chore and removed status: triage needed Issue or pull request that need to be triaged and assigned to a reviewer labels Jan 4, 2021
JackHowa pushed a commit to JackHowa/gatsby that referenced this issue Jan 5, 2021
Closes gatsbyjs#28781. Based on the work of gatsbyjs#28545 but more specific to hicat

JackHowa commented Jan 5, 2021

@LekoArts @wkilday have a more specific PR that might avoid any other CI issues of #28545. Let me know if there's anything else there with #28860

@JackHowa

Seems like #28545 is ready to go... saw the axios warning in Gatsby as well
