
Math support with katex doesn't work due to installation fail (dependency on outdated, insecure versions of trim and got) #7736

Closed
6 of 7 tasks
soumendra opened this issue Jul 7, 2022 · 1 comment
Labels
closed: please-fix-this-cve This issue is asking for fixing a CVE in a build-only dep which doesn't pose any real threat.

Comments

@soumendra

Have you read the Contributing Guidelines on issues?

Prerequisites

  • I'm using the latest version of Docusaurus.
  • I have tried the npm run clear or yarn clear command.
  • I have tried rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
  • I have tried creating a repro with https://new.docusaurus.io.
  • I have read the console error message carefully (if applicable).

Description

First, I got:

added 10 packages, and audited 1101 packages in 18s

21 vulnerabilities (9 moderate, 12 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Running npm audit fix, I got:

up to date, audited 1101 packages in 4s

# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        @docusaurus/core  *
        Depends on vulnerable versions of @docusaurus/mdx-loader
        Depends on vulnerable versions of update-notifier
        node_modules/@docusaurus/core
          @docusaurus/plugin-debug  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-debug
          @docusaurus/plugin-google-analytics  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-google-analytics
          @docusaurus/plugin-google-gtag  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-google-gtag
          @docusaurus/plugin-sitemap  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-sitemap
          @docusaurus/preset-classic  *
          Depends on vulnerable versions of @docusaurus/core
          Depends on vulnerable versions of @docusaurus/theme-common
          node_modules/@docusaurus/preset-classic
          @docusaurus/theme-classic  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/theme-classic
          @docusaurus/theme-search-algolia  *
          Depends on vulnerable versions of @docusaurus/core
          Depends on vulnerable versions of @docusaurus/plugin-content-docs
          node_modules/@docusaurus/theme-search-algolia

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    @mdx-js/mdx  <=1.6.22
    Depends on vulnerable versions of remark-mdx
    Depends on vulnerable versions of remark-parse
    node_modules/@mdx-js/mdx
      @docusaurus/mdx-loader  *
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/@docusaurus/mdx-loader
        @docusaurus/core  *
        Depends on vulnerable versions of @docusaurus/mdx-loader
        Depends on vulnerable versions of update-notifier
        node_modules/@docusaurus/core
          @docusaurus/plugin-debug  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-debug
          @docusaurus/plugin-google-analytics  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-google-analytics
          @docusaurus/plugin-google-gtag  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-google-gtag
          @docusaurus/plugin-sitemap  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-sitemap
          @docusaurus/preset-classic  *
          Depends on vulnerable versions of @docusaurus/core
          Depends on vulnerable versions of @docusaurus/theme-common
          node_modules/@docusaurus/preset-classic
          @docusaurus/theme-classic  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/theme-classic
          @docusaurus/theme-search-algolia  *
          Depends on vulnerable versions of @docusaurus/core
          Depends on vulnerable versions of @docusaurus/plugin-content-docs
          node_modules/@docusaurus/theme-search-algolia
        @docusaurus/plugin-content-blog  *
        Depends on vulnerable versions of @docusaurus/mdx-loader
        node_modules/@docusaurus/plugin-content-blog
        @docusaurus/plugin-content-docs  *
        Depends on vulnerable versions of @docusaurus/mdx-loader
        node_modules/@docusaurus/plugin-content-docs
          @docusaurus/theme-common  *
          Depends on vulnerable versions of @docusaurus/plugin-content-docs
          node_modules/@docusaurus/theme-common
        @docusaurus/plugin-content-pages  *
        Depends on vulnerable versions of @docusaurus/mdx-loader
        node_modules/@docusaurus/plugin-content-pages
    remark-mdx  <=1.6.22
    Depends on vulnerable versions of remark-parse
    node_modules/remark-mdx

21 vulnerabilities (9 moderate, 12 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Running npm audit fix --force, I got:

npm WARN using --force Recommended protections disabled.
npm WARN audit Updating @docusaurus/core to undefined,which is a SemVer major change.
npm ERR! code ETARGET
npm ERR! notarget No matching version found for @docusaurus/core@undefined.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/soumendra/.npm/_logs/2022-07-07T20_12_03_104Z-debug-0.log

Reproducible demo

No response

Steps to reproduce

  1. Create a new scaffold: npx create-docusaurus@latest my-website classic
  2. Try to install packages needed for math support: npm install --save remark-math@3 rehype-katex@5 [email protected]
  3. Fail!

Expected behavior

Expected the install to complete successfully!

Actual behavior

The installation failed!

Your environment

  • Docusaurus version used: 2.0.0-beta.21
  • Environment name and version: Node.js v16.15.0
  • Operating system and version: Mac OS Monterey v12.4 on Mac M1

Self-service

  • I'd be willing to fix this bug myself.
@soumendra soumendra added bug An error in the Docusaurus core causing instability or issues with its execution status: needs triage This issue has not been triaged by maintainers labels Jul 7, 2022
@Josh-Cena Josh-Cena added closed: please-fix-this-cve This issue is asking for fixing a CVE in a build-only dep which doesn't pose any real threat. and removed bug An error in the Docusaurus core causing instability or issues with its execution status: needs triage This issue has not been triaged by maintainers labels Jul 8, 2022
@Josh-Cena
Collaborator

Josh-Cena commented Jul 8, 2022

Please see #6394 (comment)

The first log you got is not an install failure; merely a warning. Experienced npm users learn to treat it with discretion.

@Josh-Cena Josh-Cena closed this as not planned Won't fix, can't repro, duplicate, stale Jul 8, 2022