Description
This is a complicated topic, so I will do my best to summarize all of the issues at play here. Primarily, this is on our radar because dependabot alerted us that sub-dependencies reference a vulnerable version of trim. Unfortunately, there is not a clear or easy upgrade path to make this happen. Additionally, it's somewhat debatable whether or not this vulnerability should be considered as high priority as dependabot claims, as it's a simple DoS regex. Since this is a presentation library, there aren't many Denial of Service things you can do other than mess up your own decks, which you can already do anyways ;)
Anyways, to get us off of trim completely, here's what I think we need to do. I might have missed a few things.
upgrade mdx-js
- dependabot warned of an issue within trim
- We don’t directly use trim, but sub-dependencies do. All instances of the vulnerable trim version come from [email protected]
  - mdx-js/mdx (used in spectacle mdx loader) ⇒ remark-parse ⇒ trim
    - will need to upgrade to v2 to get away from the trim dependency
    - new version is ESM and will potentially require some re-work
    - Recommended that we release this as a major version upgrade
  - docusaurus/core (used for the documentation website) ⇒ remark-parse ⇒ trim
  - remark-parse (from package.json within spectacle) ⇒ trim
    - This can be fixed relatively easily by going to v9
    - The notes make it seem as if this is not a big change, no changes to the actual API from what I can tell
  - mdx-js/mdx (used in spectacle mdx loader) ⇒ remark-parse ⇒ trim
- to fix the trim issue, mdx-js and remark-parse need major upgrades. Upgrading mdx-js will likely give us access to newer and better markdown parsing, so we would get some benefit from doing that anyways.
relevant docs:
- npm remark-parse v9 info
- github [release notes for remark-* packages](https://github.com/remarkjs/remark/releases/tag/remark-parse%409.0.0). [Release notes for v13 of remark](https://github.com/remarkjs/remark/releases/tag/13.0.0) (which has v9 of remark-parse)
- [trim vulnerability notes from snyk](https://security.snyk.io/vuln/SNYK-JS-TRIM-1017038)
- [CVE trim vulnerability information](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7753)
- [mdx-js/mdx v1 → v2 conversion guide](https://mdxjs.com/migrating/v2/)
- [mdx-js/mdx release notes / announcement](https://mdxjs.com/blog/v2/)
- [mdx v2.3.0 on npm](https://www.npmjs.com/package/@mdx-js/mdx/v/2.3.0)
output of `pnpm why` (excluding the dev-dependency docusaurus)
```text
❯ pnpm why trim --filter '!@docusaurus' -P
../packages/create-spectacle | WARN The field "resolutions" was found in /Users/sawyerburnett/git-repos/formidable/spectacle/packages/create-spectacle/package.json. This will not take effect. You should configure "resolutions" at the root of the workspace instead.
No projects matched the filters "@docusaurus" in "/Users/sawyerburnett/git-repos/formidable/spectacle"
Legend: production dependency, optional only, dev only

spectacle-example-js /Users/sawyerburnett/git-repos/formidable/spectacle/examples/js

dependencies:
spectacle link:../../packages/spectacle
└─┬ remark-parse 8.0.3
  └── trim 0.0.1

spectacle-example-md /Users/sawyerburnett/git-repos/formidable/spectacle/examples/md

dependencies:
spectacle link:../../packages/spectacle
└─┬ remark-parse 8.0.3
  └── trim 0.0.1

spectacle-example-mdx /Users/sawyerburnett/git-repos/formidable/spectacle/examples/mdx

dependencies:
spectacle link:../../packages/spectacle
└─┬ remark-parse 8.0.3
  └── trim 0.0.1

spectacle-example-ts /Users/sawyerburnett/git-repos/formidable/spectacle/examples/typescript

dependencies:
spectacle link:../../packages/spectacle
└─┬ remark-parse 8.0.3
  └── trim 0.0.1

[email protected] /Users/sawyerburnett/git-repos/formidable/spectacle/packages/spectacle

dependencies:
remark-parse 8.0.3
└── trim 0.0.1

[email protected] /Users/sawyerburnett/git-repos/formidable/spectacle/packages/spectacle-mdx-loader

dependencies:
@mdx-js/mdx 1.6.22
├─┬ remark-mdx 1.6.22
│ └─┬ remark-parse 8.0.3
│   └── trim 0.0.1
└─┬ remark-parse 8.0.3
  └── trim 0.0.1
```
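Added example, not part of this issue or of the Spectacle code base: a small Node script that walks a `pnpm why` tree like the one above and reports every dependency path that ends in a trim version below 0.0.3, the first release without the CVE-2020-7753 regex. The sample tree is constructed from the output above with its indentation restored, and the parser assumes pnpm's tree layout of one `├─┬`/`└──` prefix per level, two columns wide.

```javascript
// Locate every path in a `pnpm why` tree that ends in a trim version affected
// by CVE-2020-7753 (fixed in trim 0.0.3). Sample tree constructed from the
// issue's pnpm output; project names here are placeholders, not real paths.
const SAMPLE = `
spectacle-example-js /repo/examples/js
dependencies:
spectacle link:../../packages/spectacle
└─┬ remark-parse 8.0.3
  └── trim 0.0.1
spectacle-mdx-loader /repo/packages/spectacle-mdx-loader
dependencies:
@mdx-js/mdx 1.6.22
├─┬ remark-mdx 1.6.22
│ └─┬ remark-parse 8.0.3
│   └── trim 0.0.1
└─┬ remark-parse 8.0.3
  └── trim 0.0.1
`;

// Minimal numeric "x.y.z" comparison; enough for the exact versions pnpm prints.
function versionLt(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Walk the tree line by line. Depth is derived from the width of the
// tree-drawing prefix: no prefix = top-level dependency, then +2 columns per level.
function findVulnerableTrim(text, fixedIn = '0.0.3') {
  const hits = [];
  const stack = []; // stack[depth] = "name@version" of the current ancestor chain
  let project = null;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw === 'dependencies:') continue;
    const proj = raw.match(/^(\S+) (\/\S+)$/); // "<project> <absolute path>"
    if (proj) { project = proj[1]; stack.length = 0; continue; }
    const body = raw.replace(/^[│├└─┬ ]+/, '');
    const prefix = raw.length - body.length;
    const depth = prefix === 0 ? 0 : prefix / 2 - 1;
    const [name, version] = body.split(' ');
    stack.length = depth;
    stack[depth] = `${name}@${version}`;
    if (name === 'trim' && versionLt(version, fixedIn)) {
      hits.push({ project, version, path: stack.slice(0, depth + 1).join(' > ') });
    }
  }
  return hits;
}
```

Feed it the real output (`pnpm why trim -P > why.txt`, then read the file) to get the same per-project list dependabot reasons about, which makes it easy to confirm that each path disappears after the remark-parse and mdx upgrades.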