Have you read the Contributing Guidelines on issues?
Prerequisites
Description
@docusaurus/core depends on wait-on@^7.0.1, which in turn depends on axios@^0.27.2. This version will now trigger GitHub vulnerability warnings due to axios/axios#6006 effecting axios before 1.6.0.
The newest version of wait-on still depends on old version of axios. Docusaurus only uses it in a single place, so it seems reasonable to remove or replace the dependency with something else.
|
import waitOn from 'wait-on'; |
Reproducible demo
No response
Steps to reproduce
yarn audit Docusaurus app
Expected behavior
Audit is clean
Actual behavior
Audit shows vulns from axios
Your environment
No response
Self-service
Have you read the Contributing Guidelines on issues?
Prerequisites
npm run clearoryarn clearcommand.rm -rf node_modules yarn.lock package-lock.jsonand re-installing packages.Description
@docusaurus/coredepends onwait-on@^7.0.1, which in turn depends onaxios@^0.27.2. This version will now trigger GitHub vulnerability warnings due to axios/axios#6006 effectingaxiosbefore1.6.0.The newest version of
wait-onstill depends on old version of axios. Docusaurus only uses it in a single place, so it seems reasonable to remove or replace the dependency with something else.docusaurus/packages/docusaurus/src/webpack/plugins/WaitPlugin.ts
Line 10 in b464545
Reproducible demo
No response
Steps to reproduce
yarn auditDocusaurus appExpected behavior
Audit is clean
Actual behavior
Audit shows vulns from axios
Your environment
No response
Self-service