nkzw-tech / remdx

Beautiful Minimalist React & MDX Presentations
MIT License

@nkzw/remdx@0.12.0: Very old mdx dependency with vuln from transitive dep trim-newlines #20

Closed karlhorky closed 6 months ago

karlhorky commented 6 months ago

Hey @cpojer, hope you're well! 👋

I noticed that the new version @nkzw/remdx@0.12.0 has a dependency on a very old version of mdx ("mdx": "^0.3.1" in package.json).

This version of mdx has a transitive dependency on trim-newlines@^1.0.0 (via meow@3.6.0), which is reported as a security vulnerability by GitHub (GHSA-7p7h-4mm5-852v) and by the Socket Security extension (see screenshot below), and is also assigned CVE-2021-33623 ("Uncontrolled Resource Consumption in trim-newlines").

[Screenshot 2024-03-20 at 11:28:54: GitHub dependency alert for trim-newlines]

[Screenshot 2024-03-20 at 11:27:43: Socket Security extension report]
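
The advisory cited in this comment is a regular-expression denial of service: trim-newlines' `end()` trimmed trailing line breaks with a pattern whose backtracking grows quadratically with the number of trailing newlines. The block below is an added example, not code from remdx, mdx, meow or trim-newlines. The regex is the one used by trim-newlines before 3.0.1 as the editor recalls it (check it against the installed copy before relying on this reproduction); `safeTrimEnd` is a linear replacement written for this example rather than the upstream patch, and the adversarial input is constructed. One caveat a practitioner would want: whether this is reachable with attacker-controlled input depends on what meow feeds it, and in meow 3.x that is the CLI's own help text, which is normally not untrusted data, so the finding is real but its exploitability in this chain is low.

```javascript
// Added example (not trim-newlines' or remdx's code). The regex below is the
// pattern used by trim-newlines' end() before 3.0.1 as recalled by the editor;
// verify it against the installed package before relying on this reproduction.
function vulnerableTrimEnd(str) {
  return str.replace(/[\r\n]+$/, "");
}

// Linear-time alternative written for this example (not the upstream fix):
// walk back over trailing CR/LF characters and slice once.
function safeTrimEnd(str) {
  let end = str.length;
  while (end > 0 && (str[end - 1] === "\n" || str[end - 1] === "\r")) {
    end -= 1;
  }
  return end === str.length ? str : str.slice(0, end);
}

// Constructed adversarial input: n newlines followed by one non-newline byte.
// For /[\r\n]+$/ the engine starts a match at each of the n newline positions,
// greedily consumes up to the "x", fails on $, then backtracks through every
// shorter run before giving up, so total work is roughly n^2 / 2 steps.
function adversarialInput(n) {
  return "\n".repeat(n) + "x";
}

// Time one call; returns elapsed milliseconds and the output.
function timeIt(fn, input) {
  const start = process.hrtime.bigint();
  const out = fn(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { ms, out };
}

// Sanity check on benign input: both implementations must agree.
const benignInputs = ["", "abc", "abc\n", "abc\r\n\r\n", "\n\nabc", "\n\n\n", "a\nb\n"];
for (const s of benignInputs) {
  if (vulnerableTrimEnd(s) !== safeTrimEnd(s)) {
    throw new Error(`implementations disagree on ${JSON.stringify(s)}`);
  }
}

// Growth check: doubling n should roughly quadruple the regex time while the
// linear version stays flat. Sizes are kept modest so the loop finishes quickly.
for (const n of [1000, 2000, 4000, 8000]) {
  const input = adversarialInput(n);
  const v = timeIt(vulnerableTrimEnd, input);
  const s = timeIt(safeTrimEnd, input);
  console.log(
    `n=${n}: regex ${v.ms.toFixed(1)} ms, linear ${s.ms.toFixed(2)} ms, ` +
      `outputs equal: ${v.out === s.out}`
  );
}
```

Run it with `node` and watch the regex column grow about fourfold per doubling of n while the linear column stays near zero; pushing n into the hundreds of thousands is enough to stall a process on the regex version, which is what the "uncontrolled resource consumption" classification refers to.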

karlhorky commented 6 months ago

What makes this a bit more unusual is that I also don't see the version 0.12.0 in the Tags, nor in the package.json for @nkzw/remdx:

https://github.com/nkzw-tech/remdx/blob/fa5802d3910c466d7e71df3d72b6d7f0ab3d259f/packages/remdx/package.json#L1-L4

cpojer commented 6 months ago

Ah, apologies, I was fixing things up as I was preparing for my React Vienna talk. I'll push a fix and the tags once I arrive in Vienna.

cpojer commented 6 months ago

Fixed in 0.13.0, but unfortunately I had to add @mdx-js/react as a dependency now 🫠

karlhorky commented 6 months ago

Great, thanks! Upgraded now and vulnerability report is gone 👍
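
The thread turns on a chain of transitive dependencies (remdx > mdx > meow > trim-newlines) and on confirming after the upgrade that no vulnerable copy remains. The block below is an added example, not remdx's, npm's or Socket's code: it walks a lockfile in the npm v2/v3 `packages` layout, applies npm's nesting rule to resolve each dependency to the copy that would actually be installed, and flags every chain that ends at the target package with a version inside the advisory's affected ranges (for CVE-2021-33623: below 3.0.1, and 4.0.0 before 4.0.1). The lockfile object is constructed for this example and mirrors the chain from the issue; `other-tool` and its nested patched copy are hypothetical, added to show that a package name can resolve to different versions at different depths.

```javascript
// Added example (not remdx's, npm's or Socket's code). The lockfile below is
// constructed for this example; "other-tool" is hypothetical.
const LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@nkzw/remdx": "0.12.0", "other-tool": "^1.0.0" } },
    "node_modules/@nkzw/remdx": { version: "0.12.0", dependencies: { mdx: "^0.3.1" } },
    "node_modules/mdx": { version: "0.3.1", dependencies: { meow: "^3.6.0" } },
    "node_modules/meow": { version: "3.6.0", dependencies: { "trim-newlines": "^1.0.0" } },
    "node_modules/trim-newlines": { version: "1.0.0" },
    // Hypothetical second consumer carrying its own nested, patched copy.
    "node_modules/other-tool": { version: "1.0.0", dependencies: { "trim-newlines": "^3.0.1" } },
    "node_modules/other-tool/node_modules/trim-newlines": { version: "3.0.1" },
  },
};

// Minimal semver compare on the numeric major.minor.patch triple (prerelease tags ignored).
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected ranges for CVE-2021-33623 / GHSA-7p7h-4mm5-852v: < 3.0.1, and >= 4.0.0 < 4.0.1.
function isVulnerableTrimNewlines(version) {
  const v = parseVersion(version);
  if (cmp(v, [3, 0, 1]) < 0) return true;
  return cmp(v, [4, 0, 0]) >= 0 && cmp(v, [4, 0, 1]) < 0;
}

// npm's resolution rule for lockfile v2/v3 keys: look in the requesting
// package's own node_modules, then in each ancestor's node_modules up to root.
function resolveDep(packages, fromKey, dep) {
  let base = fromKey;
  for (;;) {
    const candidate = base === "" ? `node_modules/${dep}` : `${base}/node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root, recording every chain that reaches `target`.
// `onPath` holds the keys on the current path so dependency cycles terminate.
function findChains(lock, target, isVulnerable) {
  const packages = lock.packages;
  const results = [];
  function walk(key, chain, onPath) {
    const deps = packages[key].dependencies || {};
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDep(packages, key, dep);
      if (resolved === null || onPath.has(resolved)) continue; // missing entry or cycle
      const version = packages[resolved].version;
      const next = [...chain, `${dep}@${version}`];
      if (dep === target) {
        results.push({ chain: next.join(" > "), version, vulnerable: isVulnerable(version) });
      }
      onPath.add(resolved);
      walk(resolved, next, onPath);
      onPath.delete(resolved);
    }
  }
  walk("", [], new Set([""]));
  return results;
}

for (const r of findChains(LOCKFILE, "trim-newlines", isVulnerableTrimNewlines)) {
  console.log(`${r.vulnerable ? "VULNERABLE" : "ok        "} ${r.chain}`);
}
```

On a real project, `JSON.parse(fs.readFileSync("package-lock.json"))` in place of the constructed object gives the same report; `npm ls trim-newlines` prints the same chains, and `npm audit` matches the resolved versions against the advisory database. The point of resolving through the nesting rule rather than grepping for the package name is the second chain: a patched copy nested under one consumer does not fix a vulnerable hoisted copy used by another, and only the resolved version on each path tells you which consumers are still exposed.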