
possibility of an 8.0.4 release with less strict trim version dependency #710

Closed
salzig opened this issue May 11, 2021 · 9 comments
Closed
Labels
🙉 open/needs-info This needs some more info 🐛 type/bug This is a problem

Comments

@salzig
Copy link

salzig commented May 11, 2021

Subject of the issue

The 8.0 branch of remark-parse requires trim in version "0.0.1", which has a security problem (see: https://www.npmjs.com/advisories/1700).

Is there any possibility that you could release an update to 8.0.3 (i.e. 8.0.4) that introduces a less strict version dependency for trim?

@wooorm
Copy link
Member

wooorm commented May 11, 2021

This is unlikely to affect you. You could use patch-package if you have to support old remark to get around it. Or update to remark@13. mdx-js/mdx@next and most of the ecosystem has updated already

@wooorm
Copy link
Member

wooorm commented May 11, 2021

More of an mdx-js/mdx issue: you’ve seen the reports and results there.

@wooorm wooorm closed this as completed May 11, 2021
@salzig
Copy link
Author

salzig commented May 11, 2021

except remark-mdx@1.6.22 which is used by @mdx-js/mdx@1.6.22 which is used by @storybook/addon-docs@6.2.9.

A patch release of remark-parse with a less strict version dependency for trim would allow me to reopen the @mdx-js/mdx#1548 issue, so they could introduce a less strict version dependency.

@salzig
Copy link
Author

salzig commented May 11, 2021

I'm amazed. Is releasing a patch version that opens for patch updates of "trim" really that hard to accomplish that it is instead suggested to use unstable "next"-releases?

EDIT: even if that is your opinion, I would still consider hard patch-level pinning of a dependency a bug, as this is blocking potential security updates.

@wooorm
Copy link
Member

wooorm commented May 11, 2021

It's impossible to not pin 0.0.1. I raised that 5 years ago: component/trim#7 (comment)

@ChristianMurphy
Copy link
Member

that it is instead suggested to use unstable "next"-releases?

As noted in mdx-js/mdx#1548 (comment), MDX 2 is one option.
XDM is another, and does have remark-parse 9+ on a stable release.

blocking potential security updates.

Please read the advisory https://www.npmjs.com/advisories/1700
This is not an exploit, it is a potential slow down.
remark-parse 9 and mdx 2/xdm include performance improvements for this, and other performance improvements.

@salzig
Copy link
Author

salzig commented May 11, 2021

This is not an exploit, it is a potential slow down.

This is true for this situation. But still it would be a lot nicer/easier to have a way to handle this without doing a major update, which makes a lot of people, especially QA people, nervous.

It's impossible to not pin 0.0.1. I raised that 5 years ago

oh man, what a strange part of our dependency tree. I think we need to prioritize some updates for our app.

@MoSattler
Copy link

It's impossible to not pin 0.0.1. I raised that 5 years ago: component/trim#7 (comment)

hey @wooorm, I don't quite understand why it's impossible to not pin that dependency. I think I am missing something. Can you elaborate a bit?

@wooorm
Copy link
Member

wooorm commented Sep 27, 2021

https://semver.org/#spec-item-4. Before semver 1.0.0, every change is a breaking change. So updates aren’t pulled in.
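To make the semver point above concrete, here is an added example (not code from remark, trim, or any participant in this thread) that implements npm's caret-range rule by hand: `^x.y.z` allows anything up to, but not including, the next bump of the left-most non-zero component. For `^0.0.1` that component is the patch number, so the range collapses to exactly one version and no later 0.0.x release is ever pulled in, which is what the "pin" in the `0.0.1` dependency amounts to. The list of published versions is constructed for illustration and is not the real release history of trim; the function names are this example's own.

```javascript
// Added example: npm caret-range semantics for pre-1.0 versions.
// Hand-rolled on purpose so it runs with no packages installed.

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build tags are out of
// scope for this illustration and are rejected.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Standard semver precedence: compare major, then minor, then patch.
function compare(a, b) {
  const [a1, a2, a3] = parse(a);
  const [b1, b2, b3] = parse(b);
  return (a1 - b1) || (a2 - b2) || (a3 - b3);
}

// Exclusive upper bound implied by ^base: bump the left-most non-zero
// component. For 0.0.x that component is the patch, so ^0.0.1 means
// >=0.0.1 <0.0.2, i.e. a single version.
function caretUpperBound(base) {
  const [major, minor, patch] = parse(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

function caretSatisfies(version, base) {
  return compare(version, base) >= 0 &&
         compare(version, caretUpperBound(base)) < 0;
}

// What an installer would pick for ^base from a list of published versions:
// the highest one inside the range, or null if nothing matches.
function resolveCaret(base, available) {
  const ok = available.filter((v) => caretSatisfies(v, base)).sort(compare);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed, hypothetical registry contents (NOT trim's real releases).
const PUBLISHED = ['0.0.1', '0.0.2', '0.0.3', '0.1.0', '1.0.0', '1.0.5'];

// Demo: the same range operator behaves very differently on each side of 1.0.0.
for (const base of ['0.0.1', '0.1.0', '1.0.0']) {
  console.log(`^${base} -> <${caretUpperBound(base)} ; resolves to ${resolveCaret(base, PUBLISHED)}`);
}
```

Run it with `node` and note that `^0.0.1` resolves to `0.0.1` even though newer 0.0.x versions exist in the constructed list, while `^1.0.0` happily picks up `1.0.5`. Any downstream package that depends on remark-parse 8.x therefore inherits exactly `trim@0.0.1` unless remark-parse itself publishes a new release with a different specifier, which is why the thread is about a remark-parse patch release rather than a lockfile update.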


4 participants