
[Security issue] @stoplight/elements still relies on @sentry/[email protected] #2735

Open
thomas-spinergie opened this issue Nov 18, 2024 · 1 comment
Labels
jira p/medium security Pull requests that address a security vulnerability triaged

Comments

thomas-spinergie commented Nov 18, 2024

Context

Hi,

I have a security/Dependabot issue open when I use the latest @stoplight/elements regarding the usage of @sentry/[email protected].

I can see this dependency has been dropped (which is great):
#2720
stoplightio/react-error-boundary@e63e982

But it still looks like it remains an issue.

Current Behavior

When I do `yarn add @stoplight/elements` it also keeps installing @stoplight/[email protected] (in addition to v3.0.0), which itself depends on @sentry/browser. I did a `yarn why` to detect where it comes from:

```
yarn why @stoplight/react-error-boundary
yarn why v1.22.22
[1/4] Why do we have the module "@stoplight/react-error-boundary"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "@stoplight/[email protected]"
info Has been hoisted to "@stoplight/react-error-boundary"
info Reasons this module exists
   - Hoisted from "@stoplight#elements#@stoplight#elements-core#@stoplight#json-schema-viewer#@stoplight#react-error-boundary"
   - Hoisted from "@stoplight#elements#@stoplight#elements-core#@stoplight#markdown-viewer#@stoplight#react-error-boundary"
```

It seems that @stoplight#elements#@stoplight#elements-core#@stoplight#json-schema-viewer and @stoplight#elements#@stoplight#elements-core#@stoplight#markdown-viewer need to force resolution to use @stoplight/[email protected] as well?

Expected Behavior

@sentry/[email protected] and @stoplight/[email protected] shouldn't be installed anymore when using the latest of @stoplight/elements.

Possible Workaround/Solution

  • Upgrade resolutions for json-schema-viewer and markdown-viewer?

Steps to Reproduce

  • `yarn add @stoplight/elements` and `yarn why @stoplight/react-error-boundary`
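The check the reporter ran by hand (which dependents still pull in a package, and whether two versions of it are installed) can be automated offline against a yarn.lock. The following is an added example, not code from the issue or from Stoplight: it parses a constructed v1 lockfile whose package names follow the issue but whose version numbers are made up, and answers the same question as `yarn why` for any package name.

```python
from collections import defaultdict

# Constructed sample yarn.lock (v1 format): package names follow the issue, versions are made up.
SAMPLE_LOCK = """\
"@stoplight/elements-core@^8.0.0":
  version "8.0.0"
  dependencies:
    "@stoplight/json-schema-viewer" "^4.0.0"
    "@stoplight/react-error-boundary" "^3.0.0"
"@stoplight/json-schema-viewer@^4.0.0":
  version "4.0.0"
  dependencies:
    "@stoplight/react-error-boundary" "^2.0.0"
"@stoplight/react-error-boundary@^2.0.0":
  version "2.0.0"
  dependencies:
    "@sentry/browser" "^5.0.0"
"@stoplight/react-error-boundary@^3.0.0":
  version "3.0.0"
"@sentry/browser@^5.0.0":
  version "5.30.0"
"""

def parse_lock(text):
    """Return entries ('name@version' -> list of 'name@range' deps) and spec_to_pkg (requested spec -> resolved 'name@version')."""
    entries, spec_to_pkg, current = {}, {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):      # entry header, one or more specs
            current = {"specs": [s.strip().strip('"') for s in line[:-1].split(",")], "deps": []}
        elif line.startswith("  version "):                            # resolved version of the entry
            pkg = current["specs"][0].rsplit("@", 1)[0] + "@" + line.split('"')[1]
            entries[pkg] = current["deps"]
            spec_to_pkg.update({s: pkg for s in current["specs"]})
        elif line.startswith("    "):                                  # '    "name" "range"' dependency line
            dep_name, dep_range = (p.strip('"') for p in line.split())
            current["deps"].append(f"{dep_name}@{dep_range}")
    return entries, spec_to_pkg

def why(text, name):
    """What `yarn why` answers: for each installed version of `name`, the dependent chains pulling it in."""
    entries, spec_to_pkg = parse_lock(text)
    parents = defaultdict(list)                      # resolved pkg -> packages that depend on it
    for pkg, deps in entries.items():
        for spec in deps:
            parents[spec_to_pkg[spec]].append(pkg)
    def chains(pkg):                                 # walk up to the root dependents
        return [[pkg]] if not parents[pkg] else [c + [pkg] for p in parents[pkg] for c in chains(p)]
    return {pkg: [" > ".join(c) for c in chains(pkg)] for pkg in entries if pkg.rsplit("@", 1)[0] == name}
```

More than one key in the result for a package name means a second copy is still being installed, which is the situation the issue describes; run it against the real lockfile by passing `open("yarn.lock").read()` in place of the sample.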
@thomas-spinergie thomas-spinergie changed the title @stoplight/elements still relies on @sentry/[email protected] [Security issue] @stoplight/elements still relies on @sentry/[email protected] Nov 18, 2024
@mnaumanali94 mnaumanali94 added jira p/medium security Pull requests that address a security vulnerability labels Nov 22, 2024

This ticket has been labeled jira. A tracking ticket in Stoplight's Jira (PROVCON-3125) has been created.
