fix: upgrade Docusaurus from 2.0.0-beta to 3.9.2 to resolve all security vulnerabilities #2004
Open
Baoyuantop wants to merge 1 commit into apache:master from
e891d6d to 480088d
…ity vulnerabilities

Upgrade all three workspaces (website, doc, blog) from Docusaurus 2.0.0-beta.6/beta.8 to 3.9.2. This resolves all 1,605 npm audit vulnerabilities (now 0).

Major changes:
- Migrate all docusaurus.config.js files to v3 format
- Fix 17 blog posts (en + zh) with MDX v3 incompatible syntax
- Delete obsolete v2 swizzled components (DocPage, DocSidebar, SearchBar, CodeBlock) and replace with v3 equivalents
- Migrate all v2-only theme APIs to v3 counterparts
- Update CI workflows from Node 12/16 to Node 18
- Remove unused dependencies (patch-package, swiper)
- Add serialize-javascript resolution to fix transitive vulnerability
- Delete all patch-package patches (no longer needed with v3)
- Update tsconfig.json files for Docusaurus 3 compatibility
480088d to 9c7acb6
Summary
Upgrade all three workspaces (website, doc, blog) from Docusaurus 2.0.0-beta.6/beta.8 to 3.9.2 to resolve all 1,605 npm audit vulnerabilities to 0.
What changed
Dependencies (Phase 1 & 7)
- @docusaurus/* packages from 2.0.0-beta.6/2.0.0-beta.8 to 3.9.2 across all workspaces
- @mdx-js/react from ^1.6.22 to ^3.0.0
- prism-react-renderer from ^1.2.1 to ^2.3.0
- react/react-dom from ^17.0.2 to ^18.2.0
- swiper dependency (Critical XSS vulnerability, no code references found)
- patch-package + postinstall-postinstall (all patches deleted, Low vulnerability via tmp)
- serialize-javascript: ">=7.0.3" resolution to fix High vulnerability in Docusaurus transitive dependency

Config Migration (Phase 2)
- docusaurus.config.js files to v3 format

MDX v3 Fixes (Phase 3)
- {, bare URLs in JSX context, inline JSON in tables)

Swizzled Theme Components (Phase 4)
- DocPage, DocSidebar, SearchBar, CodeBlock
- MDXComponents.tsx, DocSidebar/Desktop/Content.tsx)

Build & CI (Phase 5, 6, 8)
- tsconfig.json files for Docusaurus 3 compatibility
- patch-package patches (4 files)

Build Verification
- yarn build:website (en + zh)
- yarn build:blog:en
- yarn build:blog:zh
- yarn build:doc
- yarn sync-docs (data dependency, not a code issue)
- yarn audit

Security Impact
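The serialize-javascript ">=7.0.3" resolution listed under Dependencies only takes effect if each workspace's lockfile actually resolves to that floor. The following is an added example, not code from this pull request: it scans a Yarn v1 yarn.lock for entries of a package that are still below the floor. The sample lockfile contents and all function names are constructed for illustration.

```javascript
const FLOOR = "7.0.3"; // floor taken from the PR's serialize-javascript resolution
// Constructed sample lockfile; the entries and versions are illustrative only.
const SAMPLE_LOCK = `# yarn lockfile v1

"@docusaurus/core@3.9.2":
  version "3.9.2"

serialize-javascript@^6.0.0, "serialize-javascript@^6.0.1":
  version "7.0.3"

serialize-javascript@^6.0.2:
  version "6.0.2"
`;

// Compare plain x.y.z versions; pre-release suffixes are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return [{ specs, version }] for every lockfile block whose header names pkg.
function lockedVersions(lockText, pkg) {
  const found = [];
  let specs = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^[^\s#].*:$/.test(line)) {
      // Block header: comma-separated, optionally quoted "name@range" patterns.
      const all = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      const mine = all.filter((s) => s.slice(0, s.lastIndexOf("@")) === pkg);
      specs = mine.length ? mine : null;
    } else if (specs) {
      const m = /^  version "([^"]+)"$/.exec(line);
      if (m) { found.push({ specs, version: m[1] }); specs = null; }
    }
  }
  return found;
}

// Entries still resolved below the floor, i.e. not covered by the resolution.
function belowFloor(lockText, pkg, floor) {
  return lockedVersions(lockText, pkg).filter((e) => compareVersions(e.version, floor) < 0);
}
console.log(belowFloor(SAMPLE_LOCK, "serialize-javascript", FLOOR));
```

Run against each workspace's yarn.lock, a non-empty result means that workspace is missing the resolution or has a stale lockfile.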