React-styleguidist: [CVE-2020-7753] Update remark to 13.0.0

Created on 30 Oct 2020  Â·  4Comments  Â·  Source: styleguidist/react-styleguidist

I was tasked with resolving a vulnerability coming from trim package. Dependency chain is as follows: trim <- remark-parse <- remark <- react-styleguidist<- our repo.

remark-parse in version 9.0.0 removes the trim completely, and to have remark-parse in 9.0.0, we need to bump the remark to 13.0.0.

Unfortunately, react-styleguidist fixes the remark to ^11.0.1.

Because of the fact that trim's vulnerable code won't be used anyway in modern browsers, I've managed to reduce the vulnerability from high to low, but it would be better if we could get rid of trim altogether - hence I'm opening an issue on your side.

good first issue help wanted released
Source
picture Wawrzyn321

All 4 comments

Feel free to send a pull request with an update 👾

sapegin picture sapegin on 3 Nov 2020

PR created

poteirard picture poteirard on 5 Nov 2020
🎉1

:tada: This issue has been resolved in version 11.1.2 :tada:

The release is available on:

Your semantic-release bot :package::rocket:

styleguidist-bot picture styleguidist-bot on 10 Nov 2020
🎉1

Thank you guys!

Wawrzyn321 picture Wawrzyn321 on 10 Nov 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

vslinko picture vslinko  Â·  3Comments
magicmark picture magicmark  Â·  3Comments
benoitgrasset picture benoitgrasset  Â·  3Comments
XOP picture XOP  Â·  3Comments
dlim-dlim picture dlim-dlim  Â·  4Comments