*misunderstanding*

[tats-u]

Have you read the Contributing Guidelines on issues?

• I have read the Contributing Guidelines on issues.

Motivation

https://github.com/vercel/serve/releases

The latest version of serve-handler (v14.2.6) has just updated the versions of its dependencies to patch their security vulnerabilities. However, that used by Docusaurus is too old to get its benefits:

docusaurus/packages/docusaurus/package.json

Line 70 in ea921cb

"serve-handler": "^6.1.6",

There is a PR to use ^ versioning there: https://github.com/vercel/serve/pull/847; Docusaurus will not get benefit from it even if it is merged and shipped.

You need to override a transitive dependency minimatch to silence Dependabot, which is not a healthy practice. You have only to (p)npm update.

Self-service

• I'd be willing to do some initial work on this proposal myself.

[tats-u]

Confused with serve. The latest version of serve-handler is 6.1.7. Since ^ has already been added, it can be dealt with regular version updates. Closing. https://github.com/vercel/serve-handler/releases

[slorber]

serve is a high-level cli/tool, and we use the lower-level serve-handler package

[tats-u]

Right, sorry