Roadmap to bump plasmicPkgs/plasmic-rich-components -> @ant-design/pro-components dependency?

What are you trying to do?

Resolve a vulnerability with the path-to-regexp library that is used in older versions of ant-design/pro-components/pro-layout, exposing the DoS vuln described here. This vuln requires a bump in the package version from 2.4.0 to at least 3.3.0. ant-design/pro-components has already patched the issue in v2.7.19.

@plasmicpkgs/plasmic-rich-components still requires v2.6.4.

Is there a roadmap to when this dependency version will be bumped?

What are the reproduction steps?

Check out resources linked
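Before asking for the upstream bump, it helps to know exactly which copies of path-to-regexp a project actually resolves and who pulls them in, since an npm tree can hold a patched hoisted copy next to a nested vulnerable one. The following is an added example, not code from this thread or from the Plasmic or ant-design projects: it walks a package-lock.json (lockfile v2/v3 "packages" map, an assumption about the lock format) and flags every copy of the named package below a version floor, reporting the dependent whose node_modules it lives in. The lock data is constructed for illustration; only the versions 2.6.4 (pro-components) and 2.4.0 (path-to-regexp) come from the post, the other version strings are placeholders, and the floor 3.3.0 is the one the post names (the advisory for whichever major line you depend on may state a different floor, so treat the floor as a parameter).

```javascript
// Added example: locate copies of a dependency below a fixed-version floor in a
// lockfile v2/v3 "packages" map (assumed format). No external packages needed.

// Minimal semver parse: major.minor.patch with an optional pre-release tag.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1. A pre-release sorts before the matching release.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// Package name is the part of the lock path after the last "node_modules/".
function nameFromPath(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// The package that owns the node_modules directory a copy is nested in;
// a top-level copy is hoisted and shared by anyone who requests that range.
function dependentOf(path, name) {
  const suffix = 'node_modules/' + name;
  const parent = path.slice(0, path.length - suffix.length).replace(/\/$/, '');
  return parent === '' ? '<root> (hoisted)' : parent;
}

// Every resolved copy of pkgName whose version is strictly below fixedFloor.
function findVulnerableCopies(lock, pkgName, fixedFloor) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.version) continue;          // skip the root project
    const name = entry.name || nameFromPath(path);
    if (name !== pkgName) continue;
    if (compareSemver(entry.version, fixedFloor) < 0) {
      hits.push({ path, version: entry.version, dependent: dependentOf(path, name) });
    }
  }
  return hits;
}

// Constructed lock data: a patched hoisted copy at the floor, plus a nested
// copy under pro-layout that is still at the version named in the post.
// Versions other than 2.6.4 and 2.4.0 are placeholders, not real releases.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@plasmicpkgs/plasmic-rich-components': '0.0.0-placeholder' } },
    'node_modules/path-to-regexp': { version: '3.3.0' },
    'node_modules/@plasmicpkgs/plasmic-rich-components': {
      version: '0.0.0-placeholder', dependencies: { '@ant-design/pro-components': '2.6.4' },
    },
    'node_modules/@ant-design/pro-components': {
      version: '2.6.4', dependencies: { '@ant-design/pro-layout': '0.0.0-placeholder' },
    },
    'node_modules/@ant-design/pro-layout': {
      version: '0.0.0-placeholder', dependencies: { 'path-to-regexp': '2.4.0' },
    },
    'node_modules/@ant-design/pro-layout/node_modules/path-to-regexp': { version: '2.4.0' },
  },
};

function scanSampleLock() {
  return findVulnerableCopies(SAMPLE_LOCK, 'path-to-regexp', '3.3.0');
}

console.log(JSON.stringify(scanSampleLock(), null, 2));
```

On a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the `dependent` field tells you which package's own dependency range is holding the old copy in place, which is the package that needs the bump (here pro-layout via pro-components), not your direct dependency.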

Hi @noah_mc-graw,
Thank you for reporting this issue. We will review it internally and provide an update accordingly.

Any updates on this @muhammad_asim?


Hey @noah_mc-graw ,

Thanks for checking in on this. Due to the nature of the vulnerability, we don’t believe the vulnerable path-to-regexp package version can be exploited based on its usage in @ant-design/pro-layout (see Code search results · GitHub). Since there is non-trivial effort required to upgrade major versions, we have decided to put this in the backlog until we decide to do further work on the rich components.

Thanks for the update here @muhammad_asim!