FormidableLabs / spectacle

A React-based library for creating sleek presentations using JSX syntax that gives you the ability to live demo your code.
https://commerce.nearform.com/open-source/spectacle/
MIT License

"Regular Expression Denial of Service in trim" alert generated by Dependabot about Spectacle repository #1281

Open hwaien opened 1 year ago

hwaien commented 1 year ago

Prerequisites

Describe Your Environment

What version of Spectacle are you using? (can be found by running npm list --depth 0 spectacle)

10.1.4

What version of React are you using? (can be found by running npm list --depth 0 react)

18.2.0

What browser are you using? (e.g., Chrome 105.0.5195.102, Safari 16.0)

Safari Version 16.4 (18615.1.26.11.23)

What platform are you on? (e.g., Windows, macOS, iOS, Android)

macOS

Describe the Problem

  1. Install Spectacle by running npm add spectacle.
  2. Push code to GitHub.
  3. Enable GitHub Dependabot alerts.

Expected behavior: [What you expect to happen]

I expect Dependabot to generate zero security alerts.

Actual behavior: [What actually happens]

Dependabot generates an alert regarding Regular Expression Denial of Service in trim. The advisory is detailed here: https://github.com/advisories/GHSA-w5p7-h5w8-2hfq

Additional Information

Seems like version 8.0.3 of remark-parse is the package that depends on the vulnerable 0.0.1 version of trim. Starting from version 9.0.0, remark-parse does not seem to depend on trim anymore.

Therefore the issue may be resolved by updating remark-parse. I can help to work on this.
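As an added example (not Spectacle's code and not part of this issue), the following TypeScript traces a Dependabot alert on a transitive dependency back to the direct dependency that has to be upgraded. The dependency tree is constructed here to mirror the thread: spectacle 10.1.4 depends on remark-parse 8.0.3, which depends on trim 0.0.1, and after the upgrade remark-parse 9.0.0 is assumed to carry no trim in its tree. The nested lock shape, the `findVulnerablePaths` and `compareSemver` helpers, and the 0.0.3 patched-version threshold (the version the linked advisory lists as fixed; confirm against it) are all assumptions of this example, not the project's.

```typescript
// Added example, not from the Spectacle repository. Walks a nested,
// package-lock-style dependency tree and reports every path that reaches a
// version of a package below the advisory's patched version, so a transitive
// alert can be mapped to the direct dependency that must be upgraded.

interface LockEntry {
  version: string;
  dependencies?: Record<string, LockEntry>;
}
type LockTree = Record<string, LockEntry>;

// Constructed sample mirroring the thread: remark-parse 8.0.3 pulls in trim 0.0.1.
export const lockBeforeUpgrade: LockTree = {
  spectacle: {
    version: "10.1.4",
    dependencies: {
      "remark-parse": {
        version: "8.0.3",
        dependencies: { trim: { version: "0.0.1" } },
      },
    },
  },
};

// Constructed sample after the upgrade discussed in the thread: remark-parse
// 9.0.0 is assumed to no longer depend on trim (not verified against npm here).
export const lockAfterUpgrade: LockTree = {
  spectacle: {
    version: "10.1.4",
    dependencies: { "remark-parse": { version: "9.0.0" } },
  },
};

// Compare two plain "major.minor.patch" versions; pre-release tags are not handled.
export function compareSemver(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const da = i < pa.length ? pa[i] : 0;
    const db = i < pb.length ? pb[i] : 0;
    if (da !== db) {
      return da < db ? -1 : 1;
    }
  }
  return 0;
}

// Every path (as "name@version" segments, root first) that ends at `pkg`
// with a version strictly below `fixedIn`.
export function findVulnerablePaths(tree: LockTree, pkg: string, fixedIn: string): string[][] {
  const hits: string[][] = [];
  const walk = (deps: LockTree, trail: string[]): void => {
    for (const name of Object.keys(deps)) {
      const entry = deps[name];
      const path = [...trail, `${name}@${entry.version}`];
      if (name === pkg && compareSemver(entry.version, fixedIn) < 0) {
        hits.push(path);
      }
      if (entry.dependencies) {
        walk(entry.dependencies, path);
      }
    }
  };
  walk(tree, []);
  return hits;
}

// Usage: 0.0.3 is taken as the patched version from the linked advisory.
for (const path of findVulnerablePaths(lockBeforeUpgrade, "trim", "0.0.3")) {
  console.log("before upgrade:", path.join(" > "));
}
console.log("after upgrade:", findVulnerablePaths(lockAfterUpgrade, "trim", "0.0.3").length, "path(s)");
```

The walk reports the whole chain rather than just the leaf, which is the information needed to decide whether bumping a direct dependency (here remark-parse) removes the flagged package or whether an override or a replacement is required instead. Real npm lockfiles of version 2 and 3 use a flat `packages` map keyed by path rather than this nested form, so the walker would need a different loader for those.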

doug-wade commented 7 months ago

I started to take a look at this, and I found that we have to upgrade the entire unified ecosystem. It seems that there may have been a change in the types that the compiler returned by unified accepts that I can't find in the release notes. In particular, after following the prescribed upgrade steps (see commits above), I'm getting

src/components/markdown/markdown.tsx(193,59): error TS2345: Argument of type 'Parent<Node<Data>, Data>' is not assignable to parameter of type 'Root'.
  Types of property 'type' are incompatible.
    Type 'string' is not assignable to type '"root"'.

I'll keep poking around, but I thought I'd post partial progress in case anyone has an idea on how to resolve this.
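The TS2345 error quoted above says that a value typed as a generic `Parent` (whose `type` is any `string`) is being passed where a `Root` (whose `type` is the literal `"root"`) is required. As an added example, not code from the Spectacle repository and not a claim about what caused the error there, the TypeScript below shows the general way to resolve that class of mismatch without an unsafe cast: a type guard that narrows to the root type only when the runtime `type` tag agrees. The `UnistNode`, `UnistParent` and `MdastRoot` interfaces are local stand-ins for the unist/mdast types (assumed shapes; the real ones live in their own type packages), and `compileRoot` is a hypothetical stand-in for a compiler entry point that accepts only a root.

```typescript
// Added example, not Spectacle's code. Local stand-ins for the unist/mdast
// shapes named in the TS2345 error (assumption: the real types come from the
// unist and mdast type packages, which are not imported here).
interface UnistNode {
  type: string;
  data?: Record<string, unknown>;
}
interface UnistParent extends UnistNode {
  children: UnistNode[];
}
// A root is a Parent whose `type` is the literal "root", which is exactly the
// property the compiler reports as incompatible with a plain `string`.
interface MdastRoot extends UnistParent {
  type: "root";
}

// Type guard: narrows a generic node to MdastRoot only when the runtime tag
// agrees and the node actually carries a children array.
export function isRoot(node: UnistNode): node is MdastRoot {
  return node.type === "root" && Array.isArray((node as UnistParent).children);
}

// Hypothetical stand-in for a compiler entry point that accepts only a Root.
export function compileRoot(tree: MdastRoot): string {
  return tree.children.map((child) => child.type).join(",");
}

// Call site: instead of casting the parse result to Root, check it and fail
// loudly when the parser hands back something other than a document root.
export function compileParsed(tree: UnistParent): string {
  if (!isRoot(tree)) {
    throw new TypeError(`expected a root node, got "${tree.type}"`);
  }
  return compileRoot(tree); // `tree` has been narrowed to MdastRoot here
}

// Constructed inputs: a normal parse result and a stray non-root fragment.
export const sampleRoot: UnistParent = {
  type: "root",
  children: [{ type: "heading" }, { type: "paragraph" }],
};
export const sampleFragment: UnistParent = { type: "paragraph", children: [] };

console.log(compileParsed(sampleRoot)); // heading,paragraph
```

The guard is preferable to `tree as Root` because a cast silences the compiler without checking anything, whereas the guard turns the type mismatch into a runtime check at the single point where a parser result crosses into the compiler. If the parser is declared to return `Root` in the upgraded unified types, the guard becomes unnecessary and the remaining fix is to thread that declared type through instead of a widened `Parent`.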