Open
Description
Component
Accordion
Package version
1.7.373
React version
19.1.1
Environment
System:
OS: Windows 11 10.0.26200
CPU: (32) x64 AMD Ryzen Threadripper PRO 3955WX 16-Cores
Memory: 101.27 GB / 127.86 GB
Browsers:
Edge: Chromium (141.0.3537.57), ChromiumDev (142.0.3581.0)
Current Behavior
When installing react-monaco-editor, it depends transitively on packages with CVEs:
- highlight.js - 9.13.1 - Deprecated
- highlight.js - 9.13.1 - CVE-2020-26237 - (GitHub Advisories)
- highlight.js - 9.13.1 - GHSA-7wwv-vh3v-89cq - (GitHub Advisories)
- dompurify - 3.1.7 - CVE-2025-26791 - (GitHub Advisories)
- prismjs - 1.17.1 - CVE-2020-15138 - (GitHub Advisories)
- prismjs - 1.17.1 - CVE-2021-23341 - (GitHub Advisories)
- prismjs - 1.17.1 - CVE-2021-32723 - (GitHub Advisories)
Expected Behavior
The latest version should not depend on packages that are deprecated or have CVEs.
Reproduction
Create a clean project and add @fluentui/react-monaco-editor (the version currently added is 1.7.375), then run npm audit.
Steps to reproduce
```shell
mkdir testing
cd testing
yarn init
# press Enter through the prompts to create the package
npm add @fluentui/react-monaco-editor
npm audit
```
Result:
```
# npm audit report

highlight.js <=10.4.0
Severity: moderate
ReDOS vulnerabities: multiple grammars - https://github.com/advisories/GHSA-7wwv-vh3v-89cq
Prototype Pollution in highlight.js - https://github.com/advisories/GHSA-vfrc-7r7c-w9mx
No fix available
node_modules/highlight.js
  lowlight <=1.16.0
  Depends on vulnerable versions of highlight.js
  node_modules/lowlight
    react-syntax-highlighter <=12.2.1
    Depends on vulnerable versions of highlight.js
    Depends on vulnerable versions of lowlight
    Depends on vulnerable versions of refractor
    node_modules/react-syntax-highlighter
      @fluentui/react-monaco-editor *
      Depends on vulnerable versions of react-syntax-highlighter
      node_modules/@fluentui/react-monaco-editor

prismjs <=1.29.0
Severity: high
Cross-Site Scripting in Prism - https://github.com/advisories/GHSA-wvhm-4hhf-97x9
prismjs Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-hqhp-5p83-hx96
Regular Expression Denial of Service (ReDoS) in Prism - https://github.com/advisories/GHSA-gj77-59wh-66hg
Cross-site Scripting in Prism - https://github.com/advisories/GHSA-3949-f494-cm99
Denial of service in prismjs - https://github.com/advisories/GHSA-h4hr-7fg3-h35w
PrismJS DOM Clobbering vulnerability - https://github.com/advisories/GHSA-x7hr-w5r2-h6wg
No fix available
node_modules/refractor/node_modules/prismjs
  refractor <=3.4.0 || 4.0.0 - 4.1.1
  Depends on vulnerable versions of prismjs
  node_modules/refractor
```
Are you reporting an Accessibility issue?
None
Suggested severity
Medium - Has workaround
Products/sites affected
No response
Are you willing to submit a PR to fix?
no
Validations
- Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
- The provided reproduction is a minimal reproducible example of the bug.
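Added example, not code from the issue or from the Fluent UI project: a small Node script that walks a package-lock.json `packages` map the way Node resolves modules (nearest `node_modules` first, then each ancestor's) and reports every chain from the project root to a package whose installed version falls inside an advisory's vulnerable range. This is what the audit output above is summarising, and it shows why the nested `node_modules/refractor/node_modules/prismjs` copy is flagged while a hoisted copy would not be. The lockfile is constructed from the audit report: the highlight.js 9.13.1 and prismjs 1.17.1 versions come from the issue, while the versions of react-syntax-highlighter, lowlight and refractor, the hoisted prismjs 1.30.0 copy, and the function names (`resolveDep`, `findVulnerableChains`, `directDependents`) are assumptions made for the example.

```javascript
// Constructed lockfile (lockfileVersion 3 shape). Only the packages needed to
// reproduce the two vulnerable chains from the issue's npm audit output are present.
const lock = {
  packages: {
    "": { dependencies: { "@fluentui/react-monaco-editor": "1.7.375" } },
    "node_modules/@fluentui/react-monaco-editor": {
      version: "1.7.375",
      dependencies: { "react-syntax-highlighter": "12.2.1" },
    },
    "node_modules/react-syntax-highlighter": {
      version: "12.2.1", // assumed; the audit only says "<=12.2.1"
      dependencies: { "highlight.js": "9.13.1", lowlight: "1.16.0", refractor: "3.4.0", prismjs: "1.30.0" },
    },
    "node_modules/highlight.js": { version: "9.13.1" },
    "node_modules/lowlight": { version: "1.16.0", dependencies: { "highlight.js": "9.13.1" } },
    "node_modules/refractor": { version: "3.4.0", dependencies: { prismjs: "1.17.1" } },
    // refractor needs an old prismjs, so npm nests it instead of hoisting it (as in the audit)
    "node_modules/refractor/node_modules/prismjs": { version: "1.17.1" },
    // hoisted copy (assumed version) that react-syntax-highlighter itself resolves to
    "node_modules/prismjs": { version: "1.30.0" },
  },
};

// Vulnerable ranges exactly as npm audit printed them in the issue.
const advisories = [
  { name: "highlight.js", range: "<=10.4.0", ids: ["GHSA-7wwv-vh3v-89cq", "GHSA-vfrc-7r7c-w9mx"] },
  { name: "prismjs", range: "<=1.29.0", ids: ["GHSA-wvhm-4hhf-97x9", "GHSA-x7hr-w5r2-h6wg"] },
];

// Compare two dotted numeric versions; pre-release tags are not needed for this data.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The range subset npm audit prints: "*", "<=x", "<x", ">=x", ">x", "a - b", joined by "||".
function satisfies(version, range) {
  return range.split("||").some((alt) => {
    const part = alt.trim();
    if (part === "*") return true;
    const hyphen = part.split(" - ");
    if (hyphen.length === 2) {
      return compareVersions(version, hyphen[0]) >= 0 && compareVersions(version, hyphen[1]) <= 0;
    }
    const m = /^(<=|>=|<|>)?\s*([\d.]+)$/.exec(part);
    if (!m) throw new Error(`unsupported range: ${part}`);
    const c = compareVersions(version, m[2]);
    if (m[1] === "<") return c < 0;
    if (m[1] === "<=") return c <= 0;
    if (m[1] === ">") return c > 0;
    if (m[1] === ">=") return c >= 0;
    return c === 0;
  });
}

// Node resolution over lockfile paths: <from>/node_modules/<name> first, then each
// ancestor's node_modules, ending at the project root ("node_modules/<name>").
function resolveDep(packages, from, name) {
  let base = from;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

const nameOf = (path) => path.split("node_modules/").pop();

// Depth-first walk from the root; each hit records the chain of package names,
// so the first element is always the project's own direct dependency.
function findVulnerableChains(lockfile, advisoryList) {
  const { packages } = lockfile;
  const findings = [];
  function walk(path, chain) {
    for (const name of Object.keys(packages[path].dependencies || {})) {
      const depPath = resolveDep(packages, path, name);
      if (depPath === null || chain.includes(depPath)) continue; // unresolved or cycle
      const version = packages[depPath].version;
      const hits = advisoryList.filter((a) => a.name === name && satisfies(version, a.range));
      const next = [...chain, depPath];
      if (hits.length > 0) {
        findings.push({ name, version, location: depPath, advisories: hits.flatMap((a) => a.ids), chain: next.map(nameOf) });
      }
      walk(depPath, next);
    }
  }
  walk("", []);
  return findings;
}

// Which direct dependencies of the project pull each vulnerable package in.
function directDependents(findings) {
  const out = {};
  for (const f of findings) {
    if (!out[f.name]) out[f.name] = new Set();
    out[f.name].add(f.chain[0]);
  }
  return Object.fromEntries(Object.entries(out).map(([k, v]) => [k, [...v].sort()]));
}

const findings = findVulnerableChains(lock, advisories);
for (const f of findings) {
  console.log(`${f.name}@${f.version} at ${f.location}: ${f.advisories.join(", ")}`);
  console.log(`  via ${f.chain.join(" > ")}`);
}
console.log("direct dependencies to upgrade or override:", directDependents(findings));
```

On a real checkout, `npm ls highlight.js` and `npm ls prismjs` print the same chains from the actual lockfile. The direct-dependent list is what an `overrides` entry in package.json would have to target if a workaround is attempted; since the audit reports "No fix available" for this react-syntax-highlighter range, any forced version needs to be checked against what lowlight and refractor actually accept.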