Closed Burnett2k closed 3 months ago
I was able to get 2 PRs ready to go for this today. Unfortunately, most of the security updates are dependencies of dependencies, so it's not very straightforward to fix. The two remaining high vulnerabilities are:
We're now down to only a single vulnerability! I'll take a look at trim again to see if there's a path forward, but I found another GitHub thread which makes it seem the only way to fix it is to do a major upgrade of remark and fix the breaking changes :(
I did a quick skim and I'm not sure there's a first-class way to upgrade only sub-deps in pnpm. You could do this pretty straightforwardly with a package hook here: https://pnpm.io/pnpmfile -- but it would add complexity and seems overkill for us here. A regexp DoS vulnerability seems really low impact for a presentation deck project....
@ryan-roemer I agree it's probably not worth the effort to make a bunch of code changes for that vulnerability. Was just trying to clear up all the critical and sev warnings as part of the OSS audit bench task I've been assigned to.
The remaining trim vulnerability and upgrades of spectacle packages will be handled under another issue https://github.com/orgs/FormidableLabs/projects/43/views/1?pane=issue&itemId=56373115#
https://github.com/FormidableLabs/spectacle/security/dependabot?q=is%3Aopen+severity%3Acritical%2Chigh