Skip to content

@react-email/code-block depends on vulnerable version of prismjs #1943

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
FabianFrank opened this issue Mar 4, 2025 · 7 comments
Closed

@react-email/code-block depends on vulnerable version of prismjs #1943

FabianFrank opened this issue Mar 4, 2025 · 7 comments
Labels
Type: Bug Confirmed bug

Comments

@FabianFrank
Copy link

Describe the Bug

@react-email/code-block depends on vulnerable version of prismjs

See GHSA-x7hr-w5r2-h6wg for vulnerability description.

Unfortunately as of 3/4/2025 https://github.com/PrismJS/prism appears abandoned and has not had a commit in 3 years, so switching dependencies or making @react-email/code-block optional for people that don't need it might help.

Which package is affected (leave empty if unsure)

No response

Link to the code that reproduces this issue

react-email/packages/code-block/package.json

Line 50 in 8dfb96a

"prismjs": "1.29.0"

To Reproduce

Install @react-email/components as described in the docs and check package-lock.json or node_modules for installed dependencies.

Expected Behavior

@react-email/components should not depend on a vulnerable dependency.

What's your node version? (if relevant)

No response
@FabianFrank FabianFrank added the Type: Bug Confirmed bug label Mar 4, 2025
@daveycodez
Copy link

This is showing up in my package now as well. Hope to have this patched asap.

https://github.com/daveyplate/better-auth-ui/security/dependabot/7

@robbertkl
Copy link

There's a new release 1.30.0 now, so this can be updated. I see there are already automated PRs #1948 and #1949.

@golddydev
Copy link

There's a new release 1.30.0 now, so this can be updated. I see there are already automated PRs #1948 and #1949.

When this PR is going to merged.
#1948 is failed

@golddydev golddydev mentioned this issue Mar 11, 2025
Closed
@albertocubeddu
Copy link

+1

@Stefanyshyn
Copy link

When will you publish these changes? They are critical to me.

@josh-respectx
Copy link

Looks like the changes to update prismjs to 1.30.0 have been merged and are included in the latest react-email release (v4.0.3), but it seems that the @react-email/code-block package hasn't been published to npm with that update yet — it's still showing [email protected] as a dependency there.

Just flagging in case this was missed during the release process. Tagging @gabrielmfern here since I saw you merged the changes — really appreciate all the work you’re doing on this project 🙌

@gabrielmfern
Copy link
Collaborator

This has been fixed in @react-email/code-block 0.0.12/@react-email/code-block 0.0.12 and in future versions we'll have it unpinned to avoid these kind of situations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type: Bug Confirmed bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@FabianFrank @daveycodez @robbertkl @albertocubeddu @Stefanyshyn @gabrielmfern @golddydev @josh-respectx