Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lexical/react lib showing vulnerability for dependency lib prism #7312

Closed
dhavalptl opened this issue Mar 10, 2025 · 3 comments · Fixed by #7313
Closed

Lexical/react lib showing vulnerability for dependency lib prism #7312

dhavalptl opened this issue Mar 10, 2025 · 3 comments · Fixed by #7313

Comments

@dhavalptl
Copy link

dhavalptl commented Mar 10, 2025
edited
Loading

found lexical/react has dependency with prism and it has vulnerability sonatype 7.5 severity and CVE 6.9 severity. I think there is no update from prism long time. Any plan to fix or update lib?
@arbtin
Copy link

arbtin commented Mar 10, 2025

Prismjs just dropped a new 1.30

@davejhilton
Copy link

Yeah, it would be great to get a new release that includes the updated prismjs 1.30

@etrepum etrepum mentioned this issue Mar 11, 2025
Merged
@etrepum
Copy link
Collaborator

etrepum commented Mar 11, 2025

It's not a relevant security advisory unless you are explicitly using the prism-autoloader plug-in (lexical does not use this) and also have user-generated HTML in your page (e.g. that can arbitrarily choose to set id="currentScript", lexical does not do that either)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[lexical-code] Chore: Update prismjs dependency to 1.30.0 etrepum/lexical
4 participants
@etrepum @davejhilton @arbtin @dhavalptl