Skip to content

break(mdx-loader): replace unmaintained image-size dependency with image-dimensions#12235

Draft
1012ayush wants to merge 2 commits into
facebook:mainfrom
1012ayush:fix-image-size-cve-v2
Draft

break(mdx-loader): replace unmaintained image-size dependency with image-dimensions#12235
1012ayush wants to merge 2 commits into
facebook:mainfrom
1012ayush:fix-image-size-cve-v2

Conversation

@1012ayush

@1012ayush 1012ayush commented Jul 7, 2026

Copy link
Copy Markdown

Motivation

This PR addresses issue #12231. The image-size dependency inside @docusaurus/mdx-loader is unmaintained and currently has active CVEs (CVE-2025-71329, CVE-2025-71330) regarding infinite loop DOS vulnerabilities.

I have replaced it with the actively maintained image-dimensions package. To ensure security and compatibility, the new implementation uses Node's native fs.readFile to securely load the image into a memory buffer before calculating the dimensions, bypassing the file-system vulnerabilities of the previous package.

Test Plan

I verified this fix through the following steps:

  1. Replaced the dependency via pnpm workspace commands to ensure lockfile integrity.
  2. Updated toImageRequireNode in src/remark/transformImage/index.ts to utilize the new buffer-based API.
  3. Handled TypeScript strict mode checks for size.width and size.height.
  4. Successfully ran pnpm --filter @docusaurus/mdx-loader test locally to ensure no existing image transformation tests break.

Test links

https://deploy-preview-__12235___--docusaurus-2.netlify.app/

Related issues/PRs

Fixes #12231

@meta-cla meta-cla Bot added the CLA Signed Signed Facebook CLA label Jul 7, 2026
@netlify

netlify Bot commented Jul 7, 2026

Copy link
Copy Markdown

[V2]

Built without sensitive environment variables

Name Link
🔨 Latest commit 130b44d
🔍 Latest deploy log https://app.netlify.com/projects/docusaurus-2/deploys/6a4ffe86a858a1000772b4a8
😎 Deploy Preview https://deploy-preview-12235--docusaurus-2.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@slorber slorber added Argos Add this label to run UI visual regression tests. See argos.yml GH action. pr: maintenance This PR does not produce any behavior differences to end users when upgrading. pr: breaking change Existing sites may not build successfully in the new version. Description contains more details. and removed pr: maintenance This PR does not produce any behavior differences to end users when upgrading. labels Jul 9, 2026
@slorber slorber changed the title fix(mdx-loader): replace unmaintained image-size dependency with imag… break(mdx-loader): replace unmaintained image-size dependency with image-dimensions Jul 9, 2026

@slorber slorber left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unit tests do not pass.

image-size remains a dependency.

The 2 libraries can behave differently: this is a breaking change.

That can affect Docusaurus users. If we merge this, you must document it throughtly to explain the potential impact for Docusaurus users. What are the potential problems they'll encounter? How do they fix these problems? These will have to be written down exhaustively on our v4 changelog, so a good first step is to list that in the PR first.

The work is not only to swap the dependency, but also to document the swap and minimize the downsides for our community.

"file-loader": "^6.2.0",
"fs-extra": "^11.2.0",
"image-dimensions": "^2.5.1",
"image-size": "^2.0.2",

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we stop using image-size, it must be removed entirely from our dependency

make sure it's also removed from our monorepo, we use it in other places

@slorber slorber marked this pull request as draft July 9, 2026 15:25
@1012ayush

Copy link
Copy Markdown
Author

@slorber Thank you for the detailed review here and for the broader architectural context provided on the issue thread regarding CVE severities in build tools. I completely agree with the philosophy that the rollout plan and ecosystem impact matter far more than just satisfying an NPM audit bot.

I have pushed a new commit addressing all your points:

Fully removed image-size: The dependency has been completely uninstalled across all workspaces, and the root package.json along with pnpm-lock.yaml have been cleanly updated.
Fixed Unit Tests: * Updated website/src/data/tests/user.test.ts to use image-dimensions alongside a robust buffer strategy.
The Behavioral Difference: I found that the primary difference causing tests to fail was error handling. The old image-size package threw hard errors on corrupted/invalid images, whereas image-dimensions simply returns undefined.

The Fix: I updated transformImage in the MDX loader to explicitly check for !size and throw an error, which successfully triggers the existing Docusaurus logger.warn fallback. This effectively replicates the old behavior, ensuring zero disruption to existing error-handling paths.

Regarding the Rollout Plan:
Because I was able to match the old error-handling behavior, the impact on users should be minimal. However, if you still feel the siteConfig.markdown.hooks.measureImage() hook mentioned in the issue is necessary as a safety net for v4, I would be more than happy to build and implement that hook for this PR.
Here is the draft for the v4 Changelog based on the current changes:

Migration Guide (v4 Changelog)
Breaking Change: Replaced image-size with image-dimensions in @docusaurus/mdx-loader
Why?
The image-size package was unmaintained and flagged with DOS vulnerabilities. We migrated to the actively maintained image-dimensions package.
Impact & Potential Issues:
The underlying algorithm for calculating image dimensions has changed. While standard PNGs/JPEGs will behave normally, users relying on heavily customized or edge-case image formats (like SVGs without explicit viewboxes) might notice slight differences in how width/height attributes are auto-calculated during the build step.
How to fix:
If your image dimensions are missing or calculating incorrectly in v4, ensure your image files (especially SVGs) have explicit width and height attributes defined within the file itself.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Argos Add this label to run UI visual regression tests. See argos.yml GH action. CLA Signed Signed Facebook CLA pr: breaking change Existing sites may not build successfully in the new version. Description contains more details.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Replace unmaintained dependency image-size with active CVEs (CVSS 7.5)

2 participants