nkzw-tech / remdx

Beautiful Minimalist React & MDX Presentations


@nkzw/remdx@0.12.0: Very old mdx dependency with vuln from transitive dep trim-newlines

karlhorky opened this issue · comments

Hey @cpojer, hope you're well! 👋

I noticed that the new version @nkzw/remdx@0.12.0 has a dependency on a very old version of mdx ("mdx": "^0.3.1" in package.json).

This version of mdx has a transitive dependency on trim-newlines@^1.0.0 (via meow@3.6.0), which is reported as a security vulnerability by GitHub (GHSA-7p7h-4mm5-852v) and by the Socket Security extension (see screenshot below), and is also assigned CVE-2021-33623 ("Uncontrolled Resource Consumption in trim-newlines").

[Screenshots taken 2024-03-20: the GitHub and Socket Security vulnerability reports for trim-newlines]

What makes this a bit more unusual is that I also don't see the version 0.12.0 in the Tags, nor in the package.json for @nkzw/remdx:

{
"name": "@nkzw/remdx",
"description": "Beautiful Minimalist React & MDX Presentations",
"version": "0.11.0",
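To make the transitive chain reported above easy to reproduce on your own install, here is an added example (not code from this issue or the remdx project): a walker over a lockfile-v1-style dependency tree that lists every path reaching a named package and flags copies whose version is below an assumed fix version. The tree is constructed inline to mirror the chain @nkzw/remdx → mdx → meow → trim-newlines; the fix version 3.0.1 is an assumption taken from the advisory and should be checked against its current text.

```javascript
// Added example, not part of the remdx project. Constructed lockfile-v1-style
// tree: nested "dependencies" entries carry a "version" and, optionally, their
// own nested "dependencies" (npm nests a copy when versions conflict).
const lockfile = {
  name: "my-slides",
  dependencies: {
    "@nkzw/remdx": {
      version: "0.12.0",
      dependencies: {
        mdx: {
          version: "0.3.1",
          dependencies: {
            meow: {
              version: "3.6.0",
              dependencies: { "trim-newlines": { version: "1.0.0" } },
            },
          },
        },
      },
    },
    // Hoisted top-level copy that is already patched (constructed).
    "trim-newlines": { version: "3.0.1" },
  },
};

// Numeric "x.y.z" comparison; returns true when a is strictly older than b.
function lessThan(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Depth-first walk collecting every "name@version" path that ends at target.
function findPaths(deps, target, trail = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...trail, `${name}@${info.version}`];
    if (name === target) out.push(here);
    findPaths(info.dependencies, target, here, out);
  }
  return out;
}

// Keep only the paths whose installed copy is older than fixedIn.
// fixedIn = "3.0.1" is an assumption taken from the trim-newlines advisory.
function vulnerablePaths(lock, target, fixedIn) {
  return findPaths(lock.dependencies, target).filter((p) => {
    const version = p[p.length - 1].slice(target.length + 1);
    return lessThan(version, fixedIn);
  });
}

console.log(vulnerablePaths(lockfile, "trim-newlines", "3.0.1").map((p) => p.join(" > ")));
```

Running it against a real package-lock.json (after `JSON.parse` of the file) shows which parent pulls in the old copy, which is the thing to upgrade or override.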

Ah, apologies, I was fixing things up as I was preparing for my React Vienna talk. I'll push a fix and the tags once I arrive in Vienna.

Fixed in 0.13.0, but unfortunately I had to add @mdx-js/react as a dependency now 🫠

Great, thanks! Upgraded now and the vulnerability report is gone 👍