Docusaurus: Installing docusaurus causes security vulnerabilities

Created on 18 Apr 2019  ·  5 Comments  ·  Source: facebook/docusaurus

🐛 Bug Report

NPM reports vulnerabilities upon installing Docusaurus.
node version: v11.10.1
npm version: 6.9.0
OS: macOS Mojave

Have you read the Contributing Guidelines on issues?

Yes

To Reproduce


  1. npm install docusaurus

Expected behavior

The package should install without any security vulnerabilities.

Actual Behavior

| Moderate | Denial of Service |
|---|---|
| Package | js-yaml |
| Patched in | >=3.13.0 |
| Dependency of | docusaurus [dev] |
| Path | docusaurus > cssnano > postcss-svgo > svgo > js-yaml |
| More info | https://npmjs.com/advisories/788 |

───────────────────────────────────────────

| High | Code Injection |
|---|---|
| Package | js-yaml |
| Patched in | >=3.13.1 |
| Dependency of | docusaurus [dev] |
| Path | docusaurus > cssnano > postcss-svgo > svgo > js-yaml |
| More info | https://npmjs.com/advisories/813 |

───────────────────────────────────────────

| Moderate | Regular Expression Denial of Service |
|---|---|
| Package | underscore.string |
| Patched in | >=3.3.5 |
| Dependency of | docusaurus [dev] |
| Path | docusaurus > markdown-toc > remarkable > argparse > underscore.string |
| More info | https://npmjs.com/advisories/745 |

───────────────────────────────────────────

| Moderate | Regular Expression Denial of Service |
|---|---|
| Package | underscore.string |
| Patched in | >=3.3.5 |
| Dependency of | docusaurus [dev] |
| Path | docusaurus > remarkable > argparse > underscore.string |
| More info | https://npmjs.com/advisories/745 |

───────────────────────────────────────────

| Low | Regular Expression Denial of Service |
|---|---|
| Package | debug |
| Patched in | >= 2.6.9 < 3.0.0 \|\| >= 3.1.0 |
| Dependency of | docusaurus [dev] |
| Path | docusaurus > tcp-port-used > debug |
| More info | https://npmjs.com/advisories/534 |

───────────────────────────────────────────

All the above dependent packages have fixed their bugs. Docusaurus needs to upgrade its dependencies.

Labels: starter, good first issue, help wanted
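The report above lists, for each advisory, a "Patched in" range and the dependency path back to docusaurus. What a maintainer needs from that is which direct dependency to bump in package.json, and whether the installed version of the vulnerable module is already inside the patched range. The Node.js script below is an added example, not code from this issue or from the Docusaurus project: the advisory list is transcribed from the tables above, the installed versions are hypothetical (not taken from a real lockfile), and the range evaluator only covers the comparator and `||` syntax npm audit prints here, not `^`/`~` ranges.

```javascript
// Added example (not code from the issue or the Docusaurus project): triage
// npm-audit-style advisories to find which direct dependency of the root
// package must be bumped. Advisories are transcribed from the tables in the
// issue; the installed versions are hypothetical, not from a real lockfile.

const ADVISORIES = [
  { id: 788, severity: 'moderate', module: 'js-yaml', patched: '>=3.13.0',
    path: 'docusaurus > cssnano > postcss-svgo > svgo > js-yaml' },
  { id: 813, severity: 'high', module: 'js-yaml', patched: '>=3.13.1',
    path: 'docusaurus > cssnano > postcss-svgo > svgo > js-yaml' },
  { id: 745, severity: 'moderate', module: 'underscore.string', patched: '>=3.3.5',
    path: 'docusaurus > markdown-toc > remarkable > argparse > underscore.string' },
  { id: 745, severity: 'moderate', module: 'underscore.string', patched: '>=3.3.5',
    path: 'docusaurus > remarkable > argparse > underscore.string' },
  { id: 534, severity: 'low', module: 'debug', patched: '>= 2.6.9 < 3.0.0 || >= 3.1.0',
    path: 'docusaurus > tcp-port-used > debug' },
];

// Hypothetical installed versions: each one step below its patched range.
const INSTALLED = { 'js-yaml': '3.12.0', 'underscore.string': '3.3.4', debug: '2.6.8' };

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluates the subset of semver range syntax npm audit uses in "Patched in":
// comparators (>=, >, <=, <, =) ANDed by whitespace, alternatives ORed by "||".
// Caret/tilde ranges are not handled; a bare version means exact equality.
function satisfies(version, range) {
  return range.split('||').some((alt) => {
    const comps = alt.match(/(?:>=|<=|>|<|=)?\s*\d+\.\d+\.\d+/g) || [];
    return comps.length > 0 && comps.every((c) => {
      const m = /^(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)$/.exec(c);
      const op = m[1] || '=';
      const cmp = compareVersions(version, m[2]);
      switch (op) {
        case '>=': return cmp >= 0;
        case '>': return cmp > 0;
        case '<=': return cmp <= 0;
        case '<': return cmp < 0;
        default: return cmp === 0;
      }
    });
  });
}

// The package to bump in package.json is the first hop after the root.
function directDependency(path) {
  return path.split('>').map((s) => s.trim())[1];
}

// Returns { directDependency: [advisory ids still open] }. An advisory is open
// when its module is installed at a version outside the patched range.
function triage(advisories, installed) {
  const open = {};
  for (const a of advisories) {
    const v = installed[a.module];
    if (v === undefined || satisfies(v, a.patched)) continue;
    const dep = directDependency(a.path);
    (open[dep] = open[dep] || []).push(a.id);
  }
  return open;
}

console.log(JSON.stringify(triage(ADVISORIES, INSTALLED), null, 2));
```

With the assumed versions the script reports cssnano (advisories 788 and 813, both cleared by the same js-yaml bump), markdown-toc and remarkable (745), and tcp-port-used (534). One caveat when acting on that list: bumping the direct dependency only helps if every intermediate package on the path (svgo, argparse, and so on) accepts the patched version in its own dependency range; otherwise the intermediate package has to move first, or the fix lands as an npm override or resolution rather than a package.json change. On a real project, replace the constructed advisory list with `npm audit --json` output and the installed versions with `npm ls --json`.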

All 5 comments

PR Welcome 😄

Hi @Shobhit1 , are you working on this?

@NishealJ doesn't seem like it, you are free to take it up!

Sure @yangshun, I've raised a PR for the same. Thanks!

I am not @NishealJ. Sorry for replying late. Feel free to pick it up.
Thanks
