break(mdx-loader): replace unmaintained image-size dependency with image-dimensions#12235
break(mdx-loader): replace unmaintained image-size dependency with image-dimensions#122351012ayush wants to merge 2 commits into
Conversation
✅ [V2]Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify project configuration. |
There was a problem hiding this comment.
Unit tests do not pass.
image-size remains a dependency.
The 2 libraries can behave differently: this is a breaking change.
That can affect Docusaurus users. If we merge this, you must document it throughtly to explain the potential impact for Docusaurus users. What are the potential problems they'll encounter? How do they fix these problems? These will have to be written down exhaustively on our v4 changelog, so a good first step is to list that in the PR first.
The work is not only to swap the dependency, but also to document the swap and minimize the downsides for our community.
| "file-loader": "^6.2.0", | ||
| "fs-extra": "^11.2.0", | ||
| "image-dimensions": "^2.5.1", | ||
| "image-size": "^2.0.2", |
There was a problem hiding this comment.
If we stop using image-size, it must be removed entirely from our dependency
make sure it's also removed from our monorepo, we use it in other places
…and fix dimension error handling
|
@slorber Thank you for the detailed review here and for the broader architectural context provided on the issue thread regarding CVE severities in build tools. I completely agree with the philosophy that the rollout plan and ecosystem impact matter far more than just satisfying an NPM audit bot. I have pushed a new commit addressing all your points: Fully removed image-size: The dependency has been completely uninstalled across all workspaces, and the root package.json along with pnpm-lock.yaml have been cleanly updated. The Fix: I updated transformImage in the MDX loader to explicitly check for !size and throw an error, which successfully triggers the existing Docusaurus logger.warn fallback. This effectively replicates the old behavior, ensuring zero disruption to existing error-handling paths. Regarding the Rollout Plan: Migration Guide (v4 Changelog) |
Motivation
This PR addresses issue #12231. The
image-sizedependency inside@docusaurus/mdx-loaderis unmaintained and currently has active CVEs (CVE-2025-71329, CVE-2025-71330) regarding infinite loop DOS vulnerabilities.I have replaced it with the actively maintained
image-dimensionspackage. To ensure security and compatibility, the new implementation uses Node's nativefs.readFileto securely load the image into a memory buffer before calculating the dimensions, bypassing the file-system vulnerabilities of the previous package.Test Plan
I verified this fix through the following steps:
pnpmworkspace commands to ensure lockfile integrity.toImageRequireNodeinsrc/remark/transformImage/index.tsto utilize the new buffer-based API.size.widthandsize.height.pnpm --filter @docusaurus/mdx-loader testlocally to ensure no existing image transformation tests break.Test links
https://deploy-preview-__12235___--docusaurus-2.netlify.app/
Related issues/PRs
Fixes #12231