Does grunt-karma in core libs for Quarto blog need a security update?

[nucleic-acid]

Description

I got a security alert from github dependabot in the repository of my personal quarto blog, stating that
"Prototype pollution vulnerability in karma-runner grunt-karma 4.0.1 via the key variable in grunt-karma.js"

The affected file is _freeze/site_libs/core-js-2.5.3/package.json

Is there some way to update this myself?

[cscheid]

We don't put package.json files in your _files directory or use grunt ourselves. That's something you did, I'm pretty sure.

[cscheid]

./_posts/2021-08-22-tea-earl-grey-hot-tidytuesday-2021-week-34/tea-earl-grey-hot-tidytuesday-2021-week-34_files/core-js-2.5.3/package.json :)

[cscheid]

I don't understand how you generated that file, but it looks like it's from RMarkdown and this source, since I assume you weren't using quarto 2 years ago.

In any case, quarto doesn't put package.json files in your _files directory, ever, unless you have package.json files yourself. In that case, there's nothing we can do.

[nucleic-acid]

Thanks for your replies!

That's odd, I have no idea what that grunt-karma.js or core,js is. I certainly did not add the package.json manually.
That might be some old library from the distill legacy of the blog...
I'll see if I can find what depends on it and remove that.

If I find something of interest, I'll post it here for documentation purpose.

[jhk0530]

Hi @nucleic-acid, I had the same issue and figured out what was causing it.

As @cscheid mentioned, it is not from quarto's problem. but from R code chunk.

When you use the reactable to render table in quarto. it will include core-js-2.5.3 which cause these grunt problems.

I'm not sure why it happened, But to solve this issue change reactable to other table package.

For me, I changed reactable into knitr::kable.

Hope this helpful.

[jhk0530]

actually not reactable, but reactR (see this glin/reactable#245)

[nucleic-acid]

Thanks a lot! Never really found the time to look into it deeper.