Skip to content

Vulnerability in transient dependency (CVE-2025-32014) #10576

New issue
New issue
Open
#10579
Open
Vulnerability in transient dependency (CVE-2025-32014)#10576
#10579
Labels
package:dev
@Evanion

Description

@Evanion
Evanion
opened on Apr 9, 2025

Reproduction

n/a

System Info

n/a

Used Package Manager

npm

Expected Behavior

n/a

Actual Behavior

@remix-run/dev depends on an old (3.5 y) version of remark-mdx-frontmatter (^1.0.1)
that in turn relies on a vulnerable version of estree-util-value-to-estree.

Current version of remark-mdx-frontmatter is 5.1.0, that relies on [email protected].
to really fix the vulnerability you need to upgrade to 3.3.3, but since it's not a major version bump, it should be possible to override, once the mdx package is up to date

Metadata

Metadata

Assignees

No one assigned

    Labels

    package:dev

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions