Skip to content

Fix XSS vulnerability by bumping prismjs version #461

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
iamludal opened this issue Feb 26, 2022 · 8 comments
Closed

Fix XSS vulnerability by bumping prismjs version #461

iamludal opened this issue Feb 26, 2022 · 8 comments

Comments

@iamludal
Copy link

Describe the bug
Dependabot alerted today that the prismjs library (version >= 1.14.0, < 1.27.0) has an XSS vulnerability. React Syntax Highlighter uses prismjs 1.25.0, that could be upgraded to 1.27.0 in order to fix this vulnerability. See screenshot below.

Expected behavior
The prismjs version should be upgraded to 1.27.0.

Screenshots
image

Desktop (please complete the following information):
N/A

Smartphone (please complete the following information):
N/A
This was referenced Feb 26, 2022
Closed
Closed
@icyJoseph
Copy link

Last release was on 2020, I wonder if there's any chance this we'll be released?

@homotechsual
Copy link

homotechsual commented Feb 28, 2022
edited
Loading

@conorhastings is this maintained / active still?

@icyJoseph
Copy link

Just to be clear, at least for my part, I can try to help with maintenance of the package, but ultimately, it is up to the owners to release any update.

@iamludal
Copy link
Author

iamludal commented Mar 2, 2022
edited
Loading

@icyJoseph Actually the last release was on November 2021 (it does not appear in the release section, but in the tags page), so it seams like the project is still maintained.

https://github.com/react-syntax-highlighter/react-syntax-highlighter/tags

@stof
Copy link

stof commented Mar 2, 2022

refractor has backported the prismjs update to their 3.x branch, so you can run yarn upgrade and get a patched between thanks to the caret requirement in react-syntax-highlighter.

@bennycode
Copy link

@conorhastings, @simmerer & @marcodejongh can you please upgrade the "prismjs" dependency? See #459

@simmerer
Copy link
Collaborator

Hey folks, sorry for being away from this for so long. I'll work on getting another release out this weekend.

@simmerer
Copy link
Collaborator

15.5.0 is out: https://github.com/react-syntax-highlighter/react-syntax-highlighter/releases/tag/15.5.0

@TimothyRedPanda TimothyRedPanda mentioned this issue Nov 7, 2024
Merged
@jeremyckahn jeremyckahn mentioned this issue Nov 9, 2024
Merged
@mastudillot mastudillot mentioned this issue Nov 12, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Bump prismjs from 1.25.0 to 1.27.0
6 participants
@simmerer @stof @bennycode @homotechsual @icyJoseph @iamludal
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy