[6 High Vuln] Bump to [email protected]

[codejedi365]

Subject of the issue

Installation creates 6 high vulnerabilities within the project scope which can be avoided since there is a patched solution.

Problem

The derived dependency on trim@<=0.0.3 which has a high severity vulnerability specifically Regular Expression Denial of Service. This package is relied upon by [email protected] which is what eslint-plugin-mdx package uses in src/rules/helpers.ts.

This problem cannot be auto-fixed due to the semver major change within remark-parse and for trim itself. NPM will not resolve it without developer intervention. Do not be fooled by npm being able to "fix". It will not actually work since it tries to resolve by downgrading to [email protected] instead and then further downgrades but still all rely on trim or have other vulnerabilities.

Solution

Major version bump of remark-parse to v9.0.0. In [email protected], the author removed the dependency on trim completely and moved to a separate utility suite for markdown specifically which has 0 known/reported vulnerabilities at this time.

CAVEAT: This will only resolve 2 of the 6 listed vulnerabilities from npm audit until the eslint-plugin-markdown#188 pull request is resolved. eslint-plugin-mdx uses eslint-plugin-markdown as a dependency which is why the vulnerability listing will still have 4 remaining. If the resolution version ends up being a major version change for eslint-plugin-markdown then this repository will need to be updated too. A minor semver change will require users to run npm audit --fix --force after installation but if it is only an update then npm should update automatically for new users or manually through npm audit --fix for previous users.

Your environment

• OS: Mac OS Big Sur (v11.3.1)
• Packages: eslint-plugin-mdx
• Env: node v14.16.1, npm 7.13.0

Steps to reproduce

1. In a npm initialized project, runnpm install eslint-plugin-mdx which installs v1.13.0 from npmjs.com
   npm install runs npm audit by default but produces limited report.
2. Run npm audit
3. To better understand where these are coming from, run npm list trim to see the packages that state trim@<=0.0.3 as a dependency.

Expected behaviour

What should happen? npm audit resolves to "0 vulnerabilities".

OR

until the caveat is resolved at least down to 4 vulnerabilities listed. With the bump 2 should be resolved. NPM@7 uses [email protected] which counts one metaVulnerability for each library which depends on a vulnerable package.

Actual behaviour

What happens instead? npm audit spits out "6 high severity vulnerabilities" upon audit.

[JounQin]

[email protected] is BREAKING CHANGE, its support is part of eslint-mdx@2 which is not available yet.

duplicate of mdx-js/mdx#1458, mdx-js/mdx#1531, mdx-js/mdx#1548, mdx-js/mdx#1553

[JounQin]

I don't know how to resolve it in npm, but for yarn, you can just try the following for now:

// package.json
{
  "resolutions": {
    "trim": "^1.0.1"
  }
}