Baoyuantop opened a new pull request, #1998: URL: https://github.com/apache/apisix-website/pull/1998
## Summary

- Upgrade direct dependency `swiper` from `^11.2.6` → `^12.1.2` to fix **Critical** Prototype Pollution vulnerability
- Upgrade direct dependency `axios` from `^0.21.1` → `^1.7.9` to fix **High** DoS via `__proto__` key
- Add `resolutions` in root `package.json` to force-upgrade 9 vulnerable transitive dependencies

## Dependabot Alerts Addressed (24 open alerts)

| Package | Previous | Fixed | Severity | Issue |
|---------|----------|-------|----------|-------|
| swiper | 11.2.6 | 12.1.2 | 🔴 Critical | Prototype Pollution |
| axios | 0.21.4 | 1.13.6 | 🟠 High | DoS via `__proto__` |
| immutable | 4.1.0 | 4.3.8 | 🟠 High | Prototype Pollution |
| svgo | 2.8.0 | 2.8.2 | 🟠 High | DoS (Billion Laughs) |
| serialize-javascript | 6.0.0 | 7.0.4 | 🟠 High | RCE via RegExp.flags |
| minimatch | 3.1.2 | 3.1.5 | 🟠 High | ReDoS (4 alerts) |
| node-forge | 0.10.0 | 1.3.3 | 🟠 High | ASN.1 vulnerabilities (3 alerts) |
| ua-parser-js | 0.7.31 | 0.7.41 | 🟠 High | ReDoS |
| semver | 5.7.1 | 7.7.4 | 🟠 High | ReDoS |
| lodash | 4.17.21 | 4.17.23 | 🟡 Medium | Prototype Pollution in `_.unset`/`_.omit` |
| js-yaml | < 4.1.1 | 4.1.1 | 🟡 Medium | Prototype Pollution in merge |

## Approach

1. **Direct dependencies** (`swiper`, `axios`): version bumped in their respective workspace `package.json` files
2. **Transitive dependencies**: added `resolutions` field in root `package.json` to force-upgrade across the entire monorepo (including nohoist `doc` workspace)

## Risk Assessment

- **swiper v12**: No swiper imports found anywhere in the codebase — zero runtime risk
- **axios v1.x**: Only used in `scripts/` for simple `axios.get()` and `axios.defaults.timeout` — fully compatible API
- **resolutions overrides**: All are semver-compatible patch/minor bumps except `serialize-javascript` (6→7), which is a simple serialization library with stable API

## Note

The root cause of most transitive dependency vulnerabilities is the outdated `@docusaurus/[email protected]`. A Docusaurus upgrade to v3.x would eliminate many of these issues at the source, but that's a significantly larger migration out of scope for this security fix.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
