Baoyuantop opened a new pull request, #2004:
URL: https://github.com/apache/apisix-website/pull/2004

   ## Summary
   
   Upgrade all three workspaces (website, doc, blog) from Docusaurus 2.0.0-beta.6/beta.8 to 3.9.2 to resolve **all 1,605 npm audit vulnerabilities to 0**.
   
   ## What changed
   
   ### Dependencies (Phase 1 & 7)
   - Upgrade `@docusaurus/*` packages from `2.0.0-beta.6`/`2.0.0-beta.8` to `3.9.2` across all workspaces
   - Upgrade `@mdx-js/react` from `^1.6.22` to `^3.0.0`
   - Upgrade `prism-react-renderer` from `^1.2.1` to `^2.3.0`
   - Upgrade `react`/`react-dom` from `^17.0.2` to `^18.2.0`
   - Remove unused `swiper` dependency (Critical XSS vulnerability, no code references found)
   - Remove `patch-package` + `postinstall-postinstall` (all patches deleted, Low vulnerability via `tmp`)
   - Add `serialize-javascript: ">=7.0.3"` resolution to fix High vulnerability in Docusaurus transitive dependency
   
   ### Config Migration (Phase 2)
   - Migrate all 4 `docusaurus.config.js` files to v3 format
   
   ### MDX v3 Fixes (Phase 3)
   - Fix 17 blog posts (9 English, 8 Chinese) with MDX v3 incompatible syntax (unescaped `{`, bare URLs in JSX context, inline JSON in tables)
   
   ### Swizzled Theme Components (Phase 4)
   - Delete obsolete v2 swizzled components: `DocPage`, `DocSidebar`, `SearchBar`, `CodeBlock`
   - Replace with v3 equivalents where needed (`MDXComponents.tsx`, `DocSidebar/Desktop/Content.tsx`)
   - Migrate all v2-only theme APIs to v3 counterparts
   
   ### Build & CI (Phase 5, 6, 8)
   - Update `tsconfig.json` files for Docusaurus 3 compatibility
   - Delete all `patch-package` patches (4 files)
   - Update GitHub Actions workflows: Node 12/16 to Node 18
   
   ## Build Verification
   
   | Build | Status |
   |-------|--------|
   | `yarn build:website` (en + zh) | Pass |
   | `yarn build:blog:en` | Pass |
   | `yarn build:blog:zh` | Pass |
   | `yarn build:doc` | Requires `yarn sync-docs` (data dependency, not a code issue) |
   | `yarn audit` | **0 vulnerabilities** |
   
   ## Security Impact
   
   | Metric | Before | After |
   |--------|--------|-------|
   | npm audit vulnerabilities | 1,605 | **0** |
   | Critical | 1 | 0 |
   | High | 62 | 0 |
   | Moderate | 786 | 0 |
   | Low | 756 | 0 |
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
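
The following is an added example, not code from the pull request or the APISIX website repository: a CI gate that reads the summary record of `yarn audit --json` and fails when the total exceeds a threshold, so a result like the "0 vulnerabilities" row stays enforced after merge. It assumes Yarn 1 (classic) line-delimited JSON output; the function names and the sample records are constructed, with the severity counts taken from the Security Impact table.

```javascript
// Added example: gate CI on the summary record of `yarn audit --json`.
// Assumption: Yarn 1 (classic) output, one JSON object per line, ending with
// a record of type "auditSummary" that carries per-severity counts.

const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

function summarizeAudit(ndjson) {
  let summary = null;
  for (const line of ndjson.split("\n")) {
    const text = line.trim();
    if (!text) continue;
    let record;
    try {
      record = JSON.parse(text);
    } catch {
      continue; // tolerate non-JSON noise such as warnings on stdout
    }
    if (record && record.type === "auditSummary") {
      summary = record.data?.vulnerabilities ?? null;
    }
  }
  // A missing summary means the audit did not complete (network error,
  // truncated output). Never treat that as a clean result.
  if (!summary) throw new Error("no auditSummary record found");
  const counts = {};
  let total = 0;
  for (const severity of SEVERITIES) {
    counts[severity] = Number(summary[severity] || 0);
    total += counts[severity];
  }
  return { counts, total };
}

function gate(ndjson, maxTotal = 0) {
  const { counts, total } = summarizeAudit(ndjson);
  return { pass: total <= maxTotal, total, counts };
}

// Constructed samples; the counts are the before/after figures from the PR table.
const BEFORE = [
  '{"type":"auditAdvisory","data":{"advisory":{"severity":"critical","module_name":"swiper"}}}',
  '{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":756,"moderate":786,"high":62,"critical":1}}}',
].join("\n");
const AFTER =
  '{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":0,"critical":0}}}';

console.log(gate(BEFORE).total, gate(AFTER).pass);
```

In a workflow, the audit output would be piped into `gate` and the job failed when `pass` is false; a thrown error should also fail the job.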
