
Tracking: Docusaurus transitive dependency vulnerabilities #96

@nitrobass24

Description


Overview

5 Dependabot alerts remain open that are unfixable until Docusaurus updates their upstream dependencies. These only affect the static docs site build process — they are not shipped in the Docker image.

Open Alerts

| Alert | Package | Severity | Issue |
|---|---|---|---|
| #53 | esbuild <=0.24.2 | Medium | Dev server request reading (pinned by wrangler) |
| #79 | minimatch <3.1.3 | High | ReDoS (pinned by serve-handler) |
| #84 | minimatch <3.1.4 | High | ReDoS extglobs (pinned by serve-handler) |
| #85 | minimatch <3.1.3 | High | ReDoS GLOBSTAR (pinned by serve-handler) |
| #86 | serialize-javascript <=7.0.2 | High | RCE via RegExp (pinned by terser-webpack-plugin) |

Why they can't be fixed now

All 5 are transitive dependencies deep in the Docusaurus dependency tree (@docusaurus/core -> serve-handler -> minimatch, webpack -> terser-webpack-plugin -> serialize-javascript, etc.). There are no compatible upstream patches available.

Action items

  • Monitor Docusaurus releases for dependency updates
  • Re-run npm update in website/ after a new Docusaurus version and check if alerts resolve
  • Close this issue when all 5 alerts are resolved
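An added check for the "re-run `npm update` and see if the alerts resolve" step (example code, not from the issue or the Docusaurus project): it walks `npm ls --all --json` output from `website/` and reports every dependency path whose installed version is still inside the vulnerable ranges from the table above. The sample tree and its version numbers are constructed, and versions are compared as plain numeric tuples rather than full semver.

```python
import json

# Vulnerable ranges from the alert table; minimatch <3.1.4 covers #79, #84 and #85.
VULNERABLE = {
    "esbuild": lambda v: v <= (0, 24, 2),               # alert #53
    "minimatch": lambda v: v < (3, 1, 4),               # alerts #79/#84/#85
    "serialize-javascript": lambda v: v <= (7, 0, 2),   # alert #86
}


def parse_version(s):
    """Turn '3.1.2' (prerelease suffix ignored) into a comparable int tuple."""
    return tuple(int(x) for x in s.split("-")[0].split("."))


def walk(node, path, hits):
    """Depth-first walk of an `npm ls --json` tree, recording vulnerable nodes with their path."""
    for name, info in (node.get("dependencies") or {}).items():
        version = info.get("version")
        chain = path + [f"{name}@{version}"]
        check = VULNERABLE.get(name)
        if check and version and check(parse_version(version)):
            hits.append(" -> ".join(chain))
        walk(info, chain, hits)


def find_vulnerable(tree_json):
    """Return the list of 'a@1 -> b@2 -> pkg@v' paths still inside a vulnerable range."""
    hits = []
    walk(json.loads(tree_json), [], hits)
    return hits


# Constructed sample in the shape of `npm ls --all --json`; versions are illustrative,
# not taken from the real website/ lockfile. serialize-javascript is already fixed here.
SAMPLE = json.dumps({
    "name": "website",
    "dependencies": {
        "@docusaurus/core": {"version": "3.0.0", "dependencies": {
            "serve-handler": {"version": "6.1.5", "dependencies": {
                "minimatch": {"version": "3.1.2"}}},
            "webpack": {"version": "5.90.0", "dependencies": {
                "terser-webpack-plugin": {"version": "5.3.10", "dependencies": {
                    "serialize-javascript": {"version": "7.0.3"}}}}}}},
        "wrangler": {"version": "3.0.0", "dependencies": {
            "esbuild": {"version": "0.24.2"}}},
    },
})

if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE):
        print("still vulnerable:", hit)
```

Against a real tree, pipe `npm ls --all --json` from `website/` into `find_vulnerable`; an empty result means the five alerts should close on the next Dependabot scan.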

Metadata


    Labels

dependencies
