alex transitively depends on a library with a security problem

[julienw]

Subject of the issue

Alex depends on remark-parse with version requirements ^v8.0.0. remark-parse v8 depends on trim v0.0.1. trim v0.0.1 has a regexp-related security problem fixed in v0.0.3, but we can't upgrade it manually because of how semver works.

There are 2 ways to fix this:

• upgrade remark-parse to v9, which doesn't depend on trim anymore. We can't upgrade manually either because this is a major upgrade (and they changed the underlying markdown parser, which may lead to bugs in alex, so care is needed when upgrading).
• make remark-parse release a dependency upgrade on the v8 branch.

For more information, here is the advisory for trim: https://github.com/advisories/GHSA-w5p7-h5w8-2hfq

Steps to reproduce

Run yarn audit or npm audit on a project that depends on alex.

Thanks!

[wooorm]

This doesn’t really affect alex, or you: it’s quite hard to use alex is a dangerous way.

You could use patch-package to update trim@0.0.1 to trim@1.0.0, which are otherwise identical.

I’m half way in updating all of unified. I’ll update alex in a couple of months!

[wooorm]

This was solved in https://github.com/get-alex/alex/releases/tag/10.0.0