storybookjs / mdx1-csf

MDX to CSF compiler using MDXv1
MIT License

Upgrade @mdx-js/mdx to v2 [critical security issue] #11

Closed Tobi-mmt closed 2 years ago

Tobi-mmt commented 2 years ago

Describe the bug: This project has a critical security issue.

It is currently using @mdx-js/mdx in version 1.x, which uses remark-parse, which uses an insecure version of trim. For example, updating to @mdx-js/mdx version 2.x will fix that security issue.

To Reproduce: Steps to reproduce the behavior:

  1. Create a new project with npm init
  2. Add the package: npm install --save @storybook/mdx1-csf
  3. Check for security issues: npm audit
  4. See the high-severity security issue

Expected behavior: No security issues in @storybook/mdx1-csf

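The chain the report describes (@storybook/mdx1-csf depending on @mdx-js/mdx 1.x, which pulls in remark-parse and then trim) is what npm audit surfaces. The following added example, not part of the issue or of the mdx1-csf project, walks a package-lock.json and returns that path for any flagged package, which is the first thing to establish before deciding whether an upgrade or an override is possible. It assumes a lockfileVersion 2 or 3 file with a fully hoisted node_modules layout; the lockfile fragment and all version strings below are constructed placeholders, not the real vulnerable versions.

```javascript
// Added example (not part of the storybookjs/mdx1-csf project): explain why a
// flagged transitive dependency is in a project by walking package-lock.json.
// Assumption: lockfileVersion 2/3 and a fully hoisted tree, so every package
// lives at node_modules/<name>; nested node_modules paths are not resolved.

// Constructed lockfile fragment mirroring the chain reported in the issue.
// Version strings are placeholders, not the real vulnerable versions.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@storybook/mdx1-csf": "0.0.0-placeholder" } },
    "node_modules/@storybook/mdx1-csf": {
      version: "0.0.0-placeholder",
      dependencies: { "@mdx-js/mdx": "1.0.0-placeholder" },
    },
    "node_modules/@mdx-js/mdx": {
      version: "1.0.0-placeholder",
      dependencies: { "remark-parse": "0.0.0-placeholder" },
    },
    "node_modules/remark-parse": {
      version: "0.0.0-placeholder",
      dependencies: { trim: "0.0.0-placeholder" },
    },
    "node_modules/trim": { version: "0.0.0-placeholder" },
  },
};

// Breadth-first search from the root package ("") to `target`. Returns the
// shortest chain of "name@version" strings, or null when target is absent.
function dependencyPath(lockfile, target) {
  const pkgs = lockfile.packages;
  const queue = [["", []]];
  const seen = new Set([""]);
  while (queue.length) {
    const [key, chain] = queue.shift();
    const entry = pkgs[key];
    if (!entry) continue;
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depKey = `node_modules/${dep}`;
      const depEntry = pkgs[depKey];
      if (!depEntry || seen.has(depKey)) continue;
      const next = [...chain, `${dep}@${depEntry.version}`];
      if (dep === target) return next;
      seen.add(depKey);
      queue.push([depKey, next]);
    }
  }
  return null;
}
```

For a real project, replace the constructed `lock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and pass the package name npm audit reported.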

DamienCassou commented 2 years ago

This is an issue for me as well.

shilman commented 2 years ago

This library is about interfacing with MDX1. For MDX2 there is a separate library https://github.com/storybookjs/mdx2-csf

Storybook itself will be upgrading to MDX2 in 7.0 (breaking change) which will fix the security audit.

Closing this for now.