[6 High Vuln] Bump to remark-parse@9.0.0 #312
Labels: 📦 area/deps · 🏡 area/internal · 🔒 area/security · external · 👯 no/duplicate · 🙋 no/question · 🙅 no/wontfix · 💬 type/discussion
Subject of the issue

Installation creates 6 high vulnerabilities within the project scope which can be avoided since there is a patched solution.

Problem

The derived dependency on `trim@<=0.0.3` has a high-severity vulnerability, specifically Regular Expression Denial of Service. This package is relied upon by `remark-parse@8.0.3`, which is what the `eslint-plugin-mdx` package uses in src/rules/helpers.ts. This problem cannot be auto-fixed due to the semver major change within remark-parse and for trim itself. NPM will not resolve it without developer intervention. Do not be fooled by npm being able to "fix". It will not actually work since it tries to resolve by downgrading to `eslint-plugin-mdx@1.4.2` instead and then further downgrades, but still all rely on trim or have other vulnerabilities.

Solution

Major version bump of `remark-parse` to `v9.0.0`. In `remark-parse@v9.0.0`, the author removed the dependency on `trim` completely and moved to a separate utility suite for markdown specifically which has 0 known/reported vulnerabilities at this time.

CAVEAT: This will only resolve 2 of the 6 listed vulnerabilities from `npm audit` until the eslint-plugin-markdown#188 pull request is resolved. `eslint-plugin-mdx` uses `eslint-plugin-markdown` as a dependency, which is why the vulnerability listing will still have 4 remaining. If the resolution version ends up being a major version change for `eslint-plugin-markdown` then this repository will need to be updated too. A minor semver change will require users to run `npm audit --fix --force` after installation, but if it is only an update then npm should update automatically for new users or manually through `npm audit --fix` for previous users.

Your environment

Steps to reproduce

1. `npm install eslint-plugin-mdx`, which installs v1.13.0 from npmjs.com. `npm install` runs `npm audit` by default but produces a limited report.
2. `npm audit`
3. `npm list trim` to see the packages that state `trim@<=0.0.3` as a dependency.

Expected behaviour

What should happen?

`npm audit` resolves to "0 vulnerabilities".

OR

Until the caveat is resolved, at least down to 4 vulnerabilities listed. With the bump 2 should be resolved. NPM@7 uses npm-audit-report@v2.0.1 which counts one metaVulnerability for each library which depends on a vulnerable package.

Actual behaviour

What happens instead?

`npm audit` spits out "6 high severity vulnerabilities" upon audit.