Dependencies vulnerabilities #1553
Comments
Duplicate of #1548, #1531, and #1458. As noted before, this is fixed in MDX 2 beta (see #1041 for more info) and in XDM's stable release.
I know that's fixed in MDX 2, but it is not in the current stable release!
Upgrade,
`@storybook/csf-tools` depends on `@mdx-js/mdx`, which is [refusing to fix the old dep in its 1.x branch][1] and hasn't released 2.0 yet.

[1]: mdx-js/mdx#1553
Clean up JS dependencies, mainly those complained about by `pnpm audit`.

* Remove unneeded pnpm.overrides.
  * `@automattic/calypso-build` no longer depends on `node-sass`.
  * Nothing we depend on depends on `terser-webpack-plugin` 2.3.1 anymore.
  And fix syntax for a few others. Looks like pnpm 6.10.2 broke the syntax we were using before.
* Update browserslist. Add an override for `react-dev-utils` which unnecessarily depends on a specific version instead of allowing updates.
* Update cheerio. New version fixes dep on vulnerable `css-what`.
* Update tar.
* Update postcss. Only the 7.0.35 deps needed updating for vulnerabilities, but may as well do the 8.2.15 too.
* Update path-parse.
* Add override for trim@0.0.1. `@storybook/csf-tools` depends on `@mdx-js/mdx`, which is [refusing to fix the old dep in its 1.x branch][1] and hasn't released 2.0 yet.
* Upgrade copy-webpack-plugin. Depends on a vulnerable version of glob-parent.
* Update glob-parent where we can. Unfortunately we can't do them all.
  * storybook still has some deps. One they [removed in "next"][2]. Another is still there. Plus it has some webpack 4 deps it seemingly doesn't actually use.
  * `gulp` devs [actively refuse to update dependencies][3] when they believe they're not hitting the vulnerability, apparently as protest against `npm audit` which they consider "broken".

[1]: mdx-js/mdx#1553
[2]: storybookjs/storybook#15174
[3]: gulpjs/glob-stream#108

Committed via a GitHub action: https://github.com/Automattic/jetpack/actions/runs/1190571780
Hello! 👋
Thanks for this awesome npm package. 😄
After installing next-mdx-remote, I've got 5 high security vulnerabilities, most likely because this package depends on `@mdx-js/mdx@1.6.22`.
Link to the npm advisory: https://www.npmjs.com/advisories/1700
The vulnerability seems to be fixed in `@mdx-js/mdx@2.0.0-next.9`, but it is not inside the current stable version (1.6.22); we should backport the `remark-parse` update from `8.0.3` to `9.0.0` for the stable release.
Your environment
@mdx-js/mdx
npm@7.12.1
Steps to reproduce
`npm install next-mdx-remote`