Advisories for Npm/Docusaurus-Plugin-Content-Gists package

2025

docusaurus-plugin-content-gists vulnerability exposes GitHub Personal Access Token

docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code.