Dependencies vulnerabilities #144
Hello! 👋

Thanks for this awesome npm package. 😄

After installing `next-mdx-remote`, I've got 5 high severity vulnerabilities. 😞 Link to the npm advisory: https://www.npmjs.com/advisories/1700. I can't run `npm audit fix` to fix them; as far as I know this could be fixed by updating `@mdx-js/mdx` to `2.0.0-next.9`. Should we upgrade?

Comments

That is a prerelease, so we're not going to update this yet, since prereleases are generally not considered to be stable. If you'd like to see these patched in a stable version of

Right, that makes sense.

As noted in remarkjs/remark#710, and in several of the duplicate requests in mdx. These performance improvements are a part of MDX 2 beta (see mdx-js/mdx#1041) and in the stable release of XDM (https://github.com/wooorm/xdm).

Shipping a beta or a different library to stable is not in the cards for us, so I'm going to close this issue. Anyone interested is more than welcome to fork and change the core library if they please. We ran a test branch with xdm which can be found here as well 😀

Are there any plans to resolve this? I like the library, but it damages our ability to automatically audit dependencies, and as such automating the supply chain security if we have to add exceptions.

No, the response above still stands. You are welcome to try the v2 version if you are ready to upgrade; that may resolve some of the issues for you, and this will be released soon. I also recommend this read -- while security is very important, you also need to think critically about whether npm warnings are actually issues for your app, or whether you are just performing security theater, trying to check off a list of things that are not actually problems. Unless you are passing user input into this library, which I don't think is even possible, none of the vulnerabilities listed are actually vulnerabilities.