Vulnerable Library Dependency #4015
-
|
Hello, I performed a Whitesource scan of the following: I noticed that you are utilizing trim-0.0.1 in the following dependency hierarchy: preset-classic-2.0.0-alpha.70.tgz
Could trim be updated to its most up-to-date version? trim-1.1.0? Or is this something out of the purview and something I should manage on my own. Thank you. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 6 replies
-
|
It looks like mdx hasn't updated remark if I'm not mistaken, so it may just be that we are waiting on downstream. Either way, remark-parse is only used in development, so you most likely won't have the security issue in production. |
Beta Was this translation helpful? Give feedback.
-
|
@jasonchavez520 we will upgrade to MDX 2 sooner or later, I'm in touch with Titus about this upgrade. |
Beta Was this translation helpful? Give feedback.
-
|
Is there an estimated timeline as to when this would occur? It can be a ballpark estimate...I'm just trying to gauge my options. Thanks! |
Beta Was this translation helpful? Give feedback.
-
|
@jasonchavez520 maybe in the next 2 months. As far as I understand, the issue is https://snyk.io/vuln/SNYK-JS-TRIM-1017038 I don't think you have much reason to worry about. |
Beta Was this translation helpful? Give feedback.
-
|
Not feeling particularly vulnerable. It's just an enterprise requirement has been rolled out to remediate nested libraries that are vulnerable. |
Beta Was this translation helpful? Give feedback.
-
|
@jasonchavez520 you can probably force upgrade to 0.0.3 by using the yarn resolutions: https://classic.yarnpkg.com/en/docs/selective-version-resolutions/#toc-how-to-use-it |
Beta Was this translation helpful? Give feedback.
It looks like mdx hasn't updated remark if I'm not mistaken, so it may just be that we are waiting on downstream.
Either way, remark-parse is only used in development, so you most likely won't have the security issue in production.