Update `hast-util-to-mdast`

[rakleed]

Initial checklist

• I read the support docs
• I read the contributing guide
• I agree to follow the code of conduct
• I searched issues and discussions and couldn’t find anything (or linked relevant results below)

Problem

A security concern was recently flagged for hast-util-to-mdast package.

Detail	Value
Severity	moderate
Description	mdast-util-to-hast has unsanitized class attribute
Package	hast-util-to-mdast
Vulnerable versions	>=13.0.0, <13.2.1
Patched versions	>=13.2.1
Paths	.>remarkjs>hast-util-to-mdast
More info	GHSA-4fh9-h7wg-q85m

Current solutions

npm audit fix

Proposed solutions

Update mdast-util-to-hast to ^13.2.1.

[remcohaszing]

Changing ^13.0.0 to ^13.2.1 isn’t an update. It just narrows the version range. ^13.2.1 is the uppormost subset of ^13.0.0, so your package manager should resolve to the same version in both cases. No changes are needed.

[github-actions]

Hi! This was closed. Team: If this was fixed, please add phase/solved. Otherwise, please add one of the no/* labels.

[Xinran-Ma]

may I ask if there's an estimated date/time to publish this change?

[wooorm]

depends, when you run npm install, you will have it, no change is needed here

[arnlaugsson]

Changing ^13.0.0 to ^13.2.1 isn’t an update. It just narrows the version range. ^13.2.1 is the uppermost subset of ^13.0.0, so your package manager should resolve to the same version in both cases. No changes are needed.

So for now, I am forced to do this in my package.json

"pnpm": {
    "overrides": {
        "mdast-util-to-hast": ">=13.2.1"
    }
},

It works, but it would be nicer to update the react-markdown dependency.

[remcohaszing]

You don’t have to specify anything in your package.json. In fact, you should never use overrides. You can update by deleting entries from your lockfile, running npm update, or deleting your node_modules and lockfile and running npm install.

I don’t know the pnpm equivalents, but I imagine they have them.