Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dependencies vulnerabilities #1553

Closed
theoludwig opened this issue May 13, 2021 · 3 comments
Closed

Dependencies vulnerabilities #1553

theoludwig opened this issue May 13, 2021 · 3 comments
Labels
👯 no/duplicate Déjà vu 👀 no/external This makes more sense somewhere else

Comments

@theoludwig
Copy link

Hello! 👋
Thanks for this awesome npm package. 😄

After installing next-mdx-remote, I've got 5 high security vulnerabilities, most likely because this package depends to @mdx-js/[email protected].

image

Link to the npm advisory : https://www.npmjs.com/advisories/1700

The vulnerability seems to be fixed in @mdx-js/[email protected], but it is not inside the current stable version (1.6.22), we should backport the remark-parse update from 8.0.3 to 9.0.0 for the stable release.

Your environment

Steps to reproduce

npm install next-mdx-remote

@ChristianMurphy
Copy link
Member

ChristianMurphy commented May 14, 2021

Duplicate of #1548, #1531, and #1458 as noted before this is fixed in MDX 2 beta (see #1041 for more info) and in XDM's stable release.
Also please read the report https://snyk.io/vuln/SNYK-JS-TRIM-1017038, this is not an exploit, it is a potential slow down.

@ChristianMurphy ChristianMurphy added 👯 no/duplicate Déjà vu 👀 no/external This makes more sense somewhere else and removed 🐛 type/bug This is a problem 🙉 open/needs-info This needs some more info labels May 14, 2021
@theoludwig
Copy link
Author

I know that's fixed in MDX 2, but it is not in the current stable release !
Any plan for that or we must upgrade to MSX 2 beta to fix this vulnerability ? @ChristianMurphy

@ChristianMurphy
Copy link
Member

ChristianMurphy commented May 14, 2021

Upgrade,
This has been discussed at length in the previous issues, to repeat it here:

  1. It isn't a vulnerability, as it doesn't meaningfully impact mdx
  2. It isn't coming from mdx, it's coming from remark
  3. remark, mdx, and xdm have improved performance to address this in the latest major versions, along with other improvements
  4. If the version number is the main issue, consider XDM which has this change on a stable release

anomiex added a commit to Automattic/jetpack that referenced this issue Aug 31, 2021
`@storybook/csf-tools` depends on `@mdx-js/mdx`, which is [refusing to
fix the old dep in its 1.x branch][1] and hasn't released 2.0 yet.

[1]: mdx-js/mdx#1553
anomiex added a commit to Automattic/jetpack that referenced this issue Sep 1, 2021
Clean up JS dependencies, mainly those complained about by `pnpm audit`.

* Remove unneeded pnpm.overrides.
  
  * `@automattic/calypso-build` no longer depends on `node-sass`.
  * Nothing we depend on depends on `terser-webpack-plugin` 2.3.1 anymore.
  
  And fix syntax for a few others. Looks like pnpm 6.10.2 broke the syntax
  we were using before.

* Update browserslist.
  
  Add an override for `react-dev-utils` which unnecessarily depends on a
  specific version instead of allowing updates.

* Update cheerio.
  
  New version fixes dep on vulnerable `css-what`.

* Update tar.

* Update postcss.
  
  Only the 7.0.35 deps needed updating for vulnerabilities, but may as
  well do the 8.2.15 too.

* Update path-parse.

* Add override for [email protected].
  
  `@storybook/csf-tools` depends on `@mdx-js/mdx`, which is [refusing to
  fix the old dep in its 1.x branch][1] and hasn't released 2.0 yet.

* Upgrade copy-webpack-plugin.
  
  Depends on a vulnerable version of glob-parent.

* Update glob-parent where we can.
  
  Unfortunately we can't do them all.
  
  * storybook still has some deps. One they [removed in "next"][2].
    Another is still there. Plus it has some webpack 4 deps it seemingly
    doesn't actually use.
  * `gulp` devs [actively refuse to update dependencies][3] when they
    believe they're not hitting the vulnerability, apparently as protest
    against `npm audit` which they consider "broken".
  
[1]: mdx-js/mdx#1553
[2]: storybookjs/storybook#15174
[3]: gulpjs/glob-stream#108
matticbot pushed a commit to Automattic/jetpack-production that referenced this issue Sep 1, 2021
Clean up JS dependencies, mainly those complained about by `pnpm audit`.

* Remove unneeded pnpm.overrides.

  * `@automattic/calypso-build` no longer depends on `node-sass`.
  * Nothing we depend on depends on `terser-webpack-plugin` 2.3.1 anymore.

  And fix syntax for a few others. Looks like pnpm 6.10.2 broke the syntax
  we were using before.

* Update browserslist.

  Add an override for `react-dev-utils` which unnecessarily depends on a
  specific version instead of allowing updates.

* Update cheerio.

  New version fixes dep on vulnerable `css-what`.

* Update tar.

* Update postcss.

  Only the 7.0.35 deps needed updating for vulnerabilities, but may as
  well do the 8.2.15 too.

* Update path-parse.

* Add override for [email protected].

  `@storybook/csf-tools` depends on `@mdx-js/mdx`, which is [refusing to
  fix the old dep in its 1.x branch][1] and hasn't released 2.0 yet.

* Upgrade copy-webpack-plugin.

  Depends on a vulnerable version of glob-parent.

* Update glob-parent where we can.

  Unfortunately we can't do them all.

  * storybook still has some deps. One they [removed in "next"][2].
    Another is still there. Plus it has some webpack 4 deps it seemingly
    doesn't actually use.
  * `gulp` devs [actively refuse to update dependencies][3] when they
    believe they're not hitting the vulnerability, apparently as protest
    against `npm audit` which they consider "broken".

[1]: mdx-js/mdx#1553
[2]: storybookjs/storybook#15174
[3]: gulpjs/glob-stream#108

Committed via a GitHub action: https://github.com/Automattic/jetpack/actions/runs/1190571780
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
👯 no/duplicate Déjà vu 👀 no/external This makes more sense somewhere else
Development

No branches or pull requests

2 participants