(dependencies) Update @mdx-js/mdx once a stable new version is released in csf-tools #17137
Labels
Comments
|
A new version of mdx has been released, https://github.com/mdx-js/mdx/releases/tag/2.0.0 This contains the fix for the trim vulnerability |
|
Filed mdx-js/mdx#1945 |
|
Yee-haw!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.5.0-alpha.43 containing PR #17515 that references this issue. Upgrade today to the Closing this issue. Please re-open if you think there's still more to do. |
|
Short migration guide here https://gist.github.com/shilman/6ff2d7e18db8846e8fc552fb432ae4f6 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
and others
Describe the bug
The library currently used in @storybook/csf-tools v6.4.9 uses @mdx-js/mdx ^1.6.22. This version of mdx ultimately uses version 0.0.1 of the trim dependency which has a vulnerability (when using npm at least).
Right now the transitive path is
Remark-parse stops using trim in version 9.0.0. mdx-js updates to 9.0.0 in this commit. However, the only versions of mdx-js that have been released since this update are release candidates and not a stable version.
When @mdx-js/mdx releases a stable new version, @storybook/csf-tools should upgrade to avoid having the transitive trim vulnerability
To Reproduce
Run
npm ls trimon a project using @storybook/csf-toolsSystem
Please paste the results of
npx sb@next infohere.Additional context
:)
The text was updated successfully, but these errors were encountered: