Closed karlhorky closed 6 months ago

Hey @cpojer, hope you're well! 👋

I noticed that the new version @nkzw/remdx@0.12.0 has a dependency on a very old version of mdx ("mdx": "^0.3.1" in package.json). This version of mdx has a transitive dependency on trim-newlines@^1.0.0 (via meow@3.6.0), which is reported as a security vulnerability by GitHub (GHSA-7p7h-4mm5-852v), Socket Security extension (see screenshot below), and is also assigned a CVE, CVE-2021-33623 ("Uncontrolled Resource Consumption in trim-newlines").

What makes this a bit more unusual is that I also don't see the version 0.12.0 in the Tags, nor in the package.json for @nkzw/remdx:

Ah, apologies, I was fixing things up as I was preparing for my React Vienna talk. I'll push a fix and the tags once I arrive in Vienna.

Fixed in 0.13.0, but unfortunately I had to add @mdx-js/react as a dependency now 🫠

Great, thanks! Upgraded now and the vulnerability report is gone 👍
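The issue above reports a vulnerable package that only shows up through a transitive chain (@nkzw/remdx > mdx > meow > trim-newlines). The following is an added example, not code from this thread or from the remdx project: it walks an npm lockfile (v2/v3 "packages" map) with npm's nearest-node_modules resolution rule and prints every dependency chain that ends at a version an advisory predicate flags, so a scanner hit can be explained to the maintainer of the package that introduced it. The lockfile content is constructed for the example, and the patched version used for trim-newlines is an assumption to be checked against the advisory.

```javascript
// Added example (not from the issue thread): walk an npm lockfile (v2/v3
// "packages" map) and report every dependency chain that reaches a package
// version matching an advisory, so a transitive hit like
// @nkzw/remdx -> mdx -> meow -> trim-newlines can be explained and triaged.

// Constructed sample lockfile. The chain mirrors the one described in the
// issue (mdx -> meow@3.6.0 -> trim-newlines@1.x); other values are illustrative.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "@nkzw/remdx": "0.12.0", "trim-newlines": "^3.0.1" } },
    "node_modules/@nkzw/remdx": { version: "0.12.0", dependencies: { mdx: "^0.3.1" } },
    "node_modules/mdx": { version: "0.3.1", dependencies: { meow: "^3.6.0" } },
    "node_modules/meow": { version: "3.6.0", dependencies: { "trim-newlines": "^1.0.0" } },
    // npm nests the old copy under meow because the root already holds trim-newlines 3.x
    "node_modules/meow/node_modules/trim-newlines": { version: "1.0.0" },
    "node_modules/trim-newlines": { version: "3.0.1" },
  },
};

// Compare two "x.y.z" strings numerically (pre-release tags are ignored here).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// npm resolution: a package installed at `fromPath` sees `name` at the nearest
// node_modules directory, walking up toward the project root ("").
function resolveDependency(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package; returns every chain of "name@version"
// entries that ends at a version the predicate flags as vulnerable.
function findVulnerablePaths(lock, targetName, isVulnerable) {
  const hits = [];
  const visiting = new Set(); // packages on the current stack (cycle guard)
  const walk = (path, chain) => {
    if (visiting.has(path)) return;
    visiting.add(path);
    const deps = (lock.packages[path] && lock.packages[path].dependencies) || {};
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDependency(lock, path, dep);
      if (!resolved) continue; // not installed (e.g. optional or peer dependency)
      const version = lock.packages[resolved].version;
      const next = chain.concat(`${dep}@${version}`);
      if (dep === targetName) {
        if (isVulnerable(version)) hits.push(next);
      } else {
        walk(resolved, next);
      }
    }
    visiting.delete(path);
  };
  walk("", []);
  return hits;
}

// Advisory predicate. The patched version below is an assumption made for this
// example; take the real boundary from the advisory (GHSA-7p7h-4mm5-852v).
const PATCHED_TRIM_NEWLINES = "3.0.1";
const trimNewlinesVulnerable = (v) => compareVersions(v, PATCHED_TRIM_NEWLINES) < 0;

// Returns one "a@1 > b@2 > ..." line per vulnerable chain found in the lockfile.
function report(lock = SAMPLE_LOCK) {
  return findVulnerablePaths(lock, "trim-newlines", trimNewlinesVulnerable)
    .map((chain) => chain.join(" > "));
}

console.log(report().join("\n"));
```

On the sample lockfile the only reported chain is the one through meow, while the root's own trim-newlines 3.x is correctly left alone; the nested-copy resolution is what distinguishes the two. To run it against a real project, replace SAMPLE_LOCK with the parsed contents of package-lock.json.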