harunurhan / react-latex-next

Render LaTeX in React apps
https://react-latex.netlify.app

Support katex 0.16.10 to remediate security vulnerability raised by npm audit #54

Closed mikethea1 closed 2 months ago

mikethea1 commented 3 months ago

First off, thank you for creating and maintaining this great library!

We've been using react-latex-next 2.3, but recently npm audit started complaining about a vulnerability affecting katex 0.10.0-beta - 0.16.9:

katex  0.10.0-beta - 0.16.9
Severity: moderate
KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols - https://github.com/advisories/GHSA-3wc5-fcw2-2329
KaTeX's `\includegraphics` does not escape filename - https://github.com/advisories/GHSA-f98w-7cxr-ff2h
KaTeX's maxExpand bypassed by `\edef` - https://github.com/advisories/GHSA-64fm-8hw2-v72w
fix available via `npm audit fix --force`
Will install react-latex-next@1.4.0, which is a breaking change
node_modules/katex
  react-latex-next  >=1.5.0
  Depends on vulnerable versions of katex
  node_modules/react-latex-next

I noticed that katex recently released an updated version 0.16.10 which is not reported as vulnerable. However, react-latex-next's dependency range for katex is ^0.13.0 which only allows 0.13.x versions due to the leading zero.

Would it be possible to release a new version compatible with katex 0.16.x? Thanks!
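The leading-zero caret behaviour described above, as an added example that is not code from the react-latex-next project: a minimal re-implementation of npm's caret rule and of the hyphen range printed by npm audit, used to check whether a declared dependency range can ever resolve to the patched release. The range `^0.16.10` and the installed version `0.13.24` are assumed sample values, not taken from the issue.

```javascript
// Added example, not part of react-latex-next: a minimal re-implementation of
// npm's semver caret rule and hyphen range, enough to check whether a declared
// dependency range can ever resolve to a patched release.

function parseVersion(v) {
  // Prerelease tags such as "-beta" are dropped; only the numeric core is
  // compared (simplification: real semver orders 0.10.0-beta below 0.10.0).
  const [major, minor, patch] = v.split('-')[0].split('.').map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// npm's caret rule: allow changes that do not modify the left-most non-zero
// component. ^1.2.3 means >=1.2.3 <2.0.0, but ^0.13.0 means >=0.13.0 <0.14.0.
function caretUpperBound(base) {
  const { major, minor, patch } = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const base = range.slice(1);
  return compareVersions(version, base) >= 0 &&
    compareVersions(version, caretUpperBound(base)) < 0;
}

// Inclusive hyphen range as printed by npm audit ("0.10.0-beta - 0.16.9").
function inHyphenRange(version, low, high) {
  return compareVersions(version, low) >= 0 && compareVersions(version, high) <= 0;
}

// Review helper: is the installed version inside the advisory's affected
// range, and can the declared range reach the first fixed release at all?
function assessRange(range, affectedLow, affectedHigh, fixed, installed) {
  return {
    installedAffected: inHyphenRange(installed, affectedLow, affectedHigh),
    rangeReachesFix: satisfiesCaret(range, fixed),
  };
}

// Values from the issue: range ^0.13.0, affected 0.10.0-beta - 0.16.9,
// fix 0.16.10. Installed 0.13.24 and range ^0.16.10 are constructed samples.
console.log(assessRange('^0.13.0', '0.10.0-beta', '0.16.9', '0.16.10', '0.13.24'));
// -> { installedAffected: true, rangeReachesFix: false }
console.log(assessRange('^0.16.10', '0.10.0-beta', '0.16.9', '0.16.10', '0.16.10'));
// -> { installedAffected: false, rangeReachesFix: true }
```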

harunurhan commented 2 months ago

Released changes of #55 as 3.0.0

mikethea1 commented 1 month ago

@harunurhan just wanted to say thank you for taking this on. We're successfully using the updated version :-)