Typedoc: Multiple security vulnerabilities in dependencies

Created on 26 Feb 2019 · 4 Comments · Source: TypeStrong/typedoc

Hi,

We use yarn and yarn audit in our build pipeline and by upgrading to the latest typedoc version (0.14.2), we have more than 20 vulnerabilities reported in the dependencies of typedoc. I have attached a JSON output containing the details.

audit.json.txt

bug


All 4 comments

Thanks for sharing. We'll update our dependencies before the next release, which should help fix some of these.

In the meantime I was able to circumvent this problem by adding this into my package.json:

"resolutions": {
  "typedoc/highlight.js/gear-lib/knox/debug": "^2.6.9",
  "typedoc/highlight.js/gear-lib/jshint/cli": "^1.0.0",
  "typedoc/highlight.js/gear-lib/less/clean-css": "^4.1.11",
  "typedoc/highlight.js/gear-lib/less/request": "^2.68.0",
  "typedoc/highlight.js/**/uglify-js": "^2.6.0",
  "typedoc/highlight.js/**/handlebars": "^4.0.0",
  "typedoc/highlight.js/**/mime": "^1.4.1",
  "**/minimatch": "^3.0.2",
  "**/micromatch/braces": "^2.3.1"
}

So far I didn't get any errors when running typedoc, but it solved the audit warning.
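An added example, not part of this thread or of the typedoc project: a small Node script that reads the line-delimited output of yarn v1's `yarn audit --json` (the kind of report attached in the issue), counts findings per severity so a pipeline can gate on them, and turns each advisory's dependency path into a candidate `resolutions` key of the form used in the comment above. It assumes each finding is an object of type `auditAdvisory` whose `data.resolution.path` is joined with `>` and whose `data.advisory` carries `module_name`, `severity` and `patched_versions`; the report below is constructed sample input.

```javascript
// Constructed sample `yarn audit --json` report: two advisories plus the summary line.
// Field layout is an assumption about yarn v1's line-delimited JSON output.
const SAMPLE_AUDIT = [
  '{"type":"auditAdvisory","data":{"resolution":{"id":1,"path":"typedoc>highlight.js>gear-lib>knox>debug","dev":true},"advisory":{"module_name":"debug","severity":"low","title":"Regular Expression Denial of Service","vulnerable_versions":"<2.6.9","patched_versions":">=2.6.9"}}}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":2,"path":"typedoc>minimatch","dev":true},"advisory":{"module_name":"minimatch","severity":"high","title":"Regular Expression Denial of Service","vulnerable_versions":"<=3.0.1","patched_versions":">=3.0.2"}}}',
  '{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":1,"moderate":0,"high":1,"critical":0}}}',
].join('\n');

// Parse the report and keep only the advisory records, normalised to the fields we need.
function parseAudit(ndjson) {
  return ndjson.split('\n').filter(Boolean)
    .map((line) => JSON.parse(line))
    .filter((rec) => rec.type === 'auditAdvisory')
    .map(({ data }) => ({
      module: data.advisory.module_name,
      severity: data.advisory.severity,
      title: data.advisory.title,
      patched: data.advisory.patched_versions,
      path: data.resolution.path.split('>'),
    }));
}

// Count findings per severity so a build can fail on e.g. any high/critical entry.
function countBySeverity(findings) {
  return findings.reduce((acc, f) => {
    acc[f.severity] = (acc[f.severity] || 0) + 1;
    return acc;
  }, {});
}

// Highest severity present, or null when the report is clean.
const ORDER = ['critical', 'high', 'moderate', 'low', 'info'];
function worstSeverity(findings) {
  return ORDER.find((s) => findings.some((f) => f.severity === s)) || null;
}

// Turn a dependency path into a yarn "resolutions" key ("a/b/c") paired with the
// advisory's patched range. Keying on the full path keeps the override narrow;
// a wildcard key such as "**/minimatch" would force every copy in the tree.
function suggestResolutions(findings) {
  const out = {};
  for (const f of findings) {
    if (f.patched === '<0.0.0') continue; // advisory convention: no fixed version exists
    out[f.path.join('/')] = f.patched;
  }
  return out;
}

const findings = parseAudit(SAMPLE_AUDIT);
console.log(worstSeverity(findings), countBySeverity(findings), suggestResolutions(findings));
```

The suggested ranges are a starting point for review only; a forced resolution still has to be tested against the package that depends on it, as the comment above notes.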

Is the next release scheduled soon? Many teams have policies against using modules that have reported security vulnerabilities. This seems like a big deal to be open for nearly a month...

Sorry, I'm working on some changes that I'm hoping to get into the next release but I may make an interim release.

Most of the security vulnerabilities are things like minimatch, so the security vulnerabilities aren't relevant in this use case, but I recognize that those things are hard to sort out.
