DOC-3386 - Consolidate dependency security fixes #4130

Open
kemister85 wants to merge 1 commit into main from fix/consolidated-dependency-security

kemister85 commented May 6, 2026

Ticket: DOC-3386

Site: N/A (dependency-only change, no content changes)

Changes:

  • Upgrade http-server from ^0.12.3 to ^14.1.1 — v14 no longer uses ecstatic, eliminating that attack surface entirely
  • Remove ecstatic devDependency (no longer needed)
  • Add a single yarn resolution for liquidjs (>=10.25.7) — the only transitive vulnerability not fixable via a direct dependency upgrade (@tinymce/antora-extension-livedemos pins ^9.37.0; a proper fix requires publishing a new version of that package)

Result: yarn audit reports 0 vulnerabilities. Build and serve both work (liquidjs 10.x is backwards-compatible for the templating features used by the live demos extension).

Supersedes #4028, #4093, #4094, #4102, #4120, #4121, #4122. Once merged, those PRs can be closed.

Pre-checks:

  • Branch prefixed with fix/.
  • modules/ROOT/nav.adoc has been updated (if applicable). N/A — no content changes.
  • Included a release note entry for any New product features. N/A.
  • If this is a minor release, updated productminorversion in antora.yml and added new supported versions entry. N/A.

Review:

  • Documentation Team Lead has reviewed

- Upgrade http-server from ^0.12.3 to ^14.1.1 (v14 drops ecstatic)
- Remove ecstatic devDependency (no longer needed)
- Add liquidjs resolution (>=10.25.7) — the only transitive
  vulnerability not fixable via direct dependency upgrade
  (@tinymce/antora-extension-livedemos pins ^9.37.0)

Supersedes #4028, #4093, #4094, #4102, #4120, #4121, #4122.
yarn audit: 0 vulnerabilities.
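
A lockfile check for the end state described above, as an added example that is not part of the pull request or the repository: it parses a Yarn classic (v1) lockfile and reports any remaining ecstatic entry or any liquidjs/http-server version below the ones named in the description. The function names, the policy object and the lockfile excerpts are assumptions constructed for illustration.

```javascript
// Policy from the PR description; lockfile format assumed to be Yarn classic (v1).
const POLICY = {
  banned: ['ecstatic'],
  minimum: new Map([['liquidjs', '10.25.7'], ['http-server', '14.1.1']]),
};

// Each "name@range, name@range:" header is followed by an indented version line.
// Names are cut at the last "@" so a leading @scope is kept.
function parseYarnLock(text) {
  const entries = [];
  let names = [];
  for (const line of text.split(/\r?\n/)) {
    const m = /^  version "?([^"\s]+)"?$/.exec(line);
    if (/^[^\s#].*:$/.test(line)) {
      names = line.slice(0, -1).split(/,\s*/)
        .map((s) => s.replace(/"/g, '')).map((s) => s.slice(0, s.lastIndexOf('@')));
    } else if (m) {
      for (const name of new Set(names)) entries.push({ name, version: m[1] });
      names = [];
    }
  }
  return entries;
}

// Numeric compare: a string compare would rank "9.37.0" above "10.25.7".
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

function auditLock(text, policy = POLICY) {
  const findings = [];
  for (const { name, version } of parseYarnLock(text)) {
    const min = policy.minimum.get(name);
    if (policy.banned.includes(name)) findings.push(`${name}@${version}: banned`);
    if (min && compareVersions(version, min) < 0) findings.push(`${name}@${version}: below ${min}`);
  }
  return findings;
}

// Constructed lockfile excerpts, not copied from the repository.
const BEFORE = ['ecstatic@^0.0.0:', '  version "0.0.0"', 'http-server@^0.12.3:',
  '  version "0.12.3"', 'liquidjs@^9.37.0:', '  version "9.37.0"'].join('\n');
const AFTER = ['http-server@^14.1.1:', '  version "14.1.1"',
  '"liquidjs@>=10.25.7", liquidjs@^9.37.0:', '  version "10.25.7"'].join('\n');
console.log(auditLock(BEFORE), auditLock(AFTER));
```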
kemister85 requested a review from a team as a code owner May 6, 2026 00:27
kemister85 requested review from a team, Kuba-K-Tiugo, TheSpyder, kimwoodfield, metricjs, shanmen-tiny and tiny-ben-tran and removed request for a team May 6, 2026 00:27

ShiridiGandham left a comment

LGTM
