
Tracking: Docusaurus transitive dependency vulnerabilities #96

@nitrobass24

Description


Overview

Dependabot alerts for transitive dependencies in the Docusaurus docs site. These only affect the static docs site build process — they are not shipped in the Docker image.

Status (updated 2026-04-22)

All original alerts are resolved. One new alert appeared.

Resolved

| Alert | Package | Resolution |
|---|---|---|
| #53 | esbuild <=0.24.2 | No longer in dependency tree (Docusaurus 3.10.0) |
| #79 | minimatch <3.1.3 (ReDoS) | Updated to 3.1.5 via serve-handler |
| #84 | minimatch <3.1.4 (ReDoS extglobs) | Updated to 3.1.5 via serve-handler |
| #85 | minimatch <3.1.3 (ReDoS GLOBSTAR) | Updated to 3.1.5 via serve-handler |
| #111 | serialize-javascript <=7.0.4 | Fixed upstream in Docusaurus dependency update |

Still Open

| Alert | Package | Installed | Fix | Issue |
|---|---|---|---|---|
| #131 | uuid <14.0.0 | 8.3.2 (medium) | Needs ≥14.0.0 | Pinned by sockjs in webpack-dev-server via @docusaurus/core |

Why it can't be fixed now

uuid@8.3.2 is a transitive dependency in the Docusaurus dev server chain (@docusaurus/core → webpack-dev-server → sockjs → uuid). sockjs pins uuid to ^8.3.2, and there is no compatible upstream patch available.

Action items

- Monitor Docusaurus releases for dependency updates (3.10.0 resolved minimatch + esbuild)
- Monitor for serialize-javascript fix (resolved)
- Monitor for sockjs or webpack-dev-server release that updates uuid to ≥14.0.0
- Close this issue when alert #131 is resolved
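To check whether a chain like the one above is still present after a dependency bump, the following added script (not the issue's or Docusaurus's own code) walks the `packages` map of a lockfileVersion 3 `package-lock.json` with Node's nearest-`node_modules` resolution rule and reports every path from the project root to a named package, together with the installed version and whether it is still below the version the alert reports as fixed. The embedded lockfile is constructed; only uuid 8.3.2, Docusaurus 3.10.0 and the chain order come from the issue, and it generalises to nested (non-hoisted) installs, which the issue's chain does not need.

```javascript
// Added example, not code from the issue or Docusaurus; runs on plain Node.js.
const SAMPLE_LOCK = { // constructed; only uuid's 8.3.2 and Docusaurus 3.10.0 are taken from the issue
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@docusaurus/core": "3.10.0" } },
    "node_modules/@docusaurus/core": { version: "3.10.0", dependencies: { "webpack-dev-server": "^4.0.0" } },
    "node_modules/webpack-dev-server": { version: "4.15.2", dependencies: { sockjs: "^0.3.24" } },
    "node_modules/sockjs": { version: "0.3.24", dependencies: { uuid: "^8.3.2" } },
    "node_modules/uuid": { version: "8.3.2" },
  },
};
// Package name from a key such as "node_modules/a/node_modules/@s/b".
const nameOf = (key) => key.slice(key.lastIndexOf("node_modules/") + 13);
// Resolve `name` from `fromKey` as Node does: nearest nested node_modules first, then each enclosing one, then top level.
function resolveDep(packages, fromKey, name) {
  for (let base = fromKey; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed anywhere on the path
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}
// Depth-first walk from the root collecting every chain that ends at `target`.
function findChains(lock, target) {
  const packages = lock.packages, found = [];
  const walk = (key, trail) => {
    for (const dep of Object.keys(packages[key].dependencies || {})) {
      const depKey = resolveDep(packages, key, dep);
      if (!depKey || trail.includes(depKey)) continue; // unresolved or cycle
      const next = trail.concat(depKey);
      if (dep === target) found.push({ key: depKey, chain: next.slice(1).map(nameOf) });
      else walk(depKey, next);
    }
  };
  walk("", [""]); return found;
}
function versionLessThan(a, b) { // "x.y.z" release versions only, no prerelease tags
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}
// One entry per chain: who pins the package and whether it is still below the fix.
function audit(lock, target, fixedIn) {
  return findChains(lock, target).map(({ key, chain }) => {
    const installed = lock.packages[key].version;
    return { chain: chain.join(" > "), installed, vulnerable: versionLessThan(installed, fixedIn) };
  });
}
console.log(audit(SAMPLE_LOCK, "uuid", "14.0.0"));
```

Replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against the real docs-site lockfile.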

Labels: dependencies, documentation, security