Description
Prerequisites
- I have searched the open issues to make sure I'm not opening a duplicate issue
- I have read through the docs before asking a question
- I am using the latest version of Spectacle
Describe Your Environment
What version of Spectacle are you using? (can be found by running `npm list --depth 0 spectacle`)
10.1.4
What version of React are you using? (can be found by running `npm list --depth 0 react`)
18.2.0
What browser are you using? (e.g., Chrome 105.0.5195.102, Safari 16.0)
Safari Version 16.4 (18615.1.26.11.23)
What platform are you on? (e.g., Windows, macOS, iOS, Android)
macOS
Describe the Problem
- Install Spectacle by running `npm add spectacle`.
- Push code to GitHub.
- Enable GitHub Dependabot alerts.
Expected behavior: [What you expect to happen]
I expect Dependabot to generate zero security alerts.
Actual behavior: [What actually happens]
Dependabot generates an alert regarding Regular Expression Denial of Service in `trim`. The advisory is detailed here: GHSA-w5p7-h5w8-2hfq
Additional Information
Seems like version 8.0.3 of `remark-parse` is the package that depends on the vulnerable 0.0.1 version of `trim`. Starting from version 9.0.0, `remark-parse` does not seem to depend on `trim` anymore.
Therefore the issue may be resolved by updating `remark-parse`. I can help to work on this.