Next.js Discord

Using shadcn with highly vulnerable dependencies

Answered
Asian black bear posted this in #help-forum
Asian black bear (OP)
Hi there! I hope this is the correct place to ask, as I couldn't find a Vercel/shadcn-specific Discord.

Installing the latest version of shadcn includes vulnerable dependencies (see https://github.com/shadcn-ui/ui/pull/4397)

Is it safe to ignore them? / Are you using shadcn regardless?
Answered by joulev
The dependency is only used in the main shadcn website (ui.shadcn.com) and the CLI. The source code of shadcn components is not affected, so there is no need to worry.

3 Replies

Answer
If you want to avoid the dependency at all costs, simply follow the manual installation steps of the components (rather than using the CLI); then it will work just fine and the dependency is never used in the process.