SECURITY: High Severity Vulnerability
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service in trim │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ trim │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @readme/markdown │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @readme/markdown > remark-parse > trim │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1700 │
└───────────────┴──────────────────────────────────────────────────────────────┘
What's the latest on updating / removing the dependency on the current version of remark-parse, and therefore the old trim?
We're still planning on updating remark past v7.0.2, but we still haven't set a timeline yet. We're hoping to get to it in the next few months, but we're still not clear on how much of a rewrite it'll be.