snyk.io reports a DoS vulnerability through remark's dependency

[stof]

This package currently depends on remark-parse 8.x, which itself depends on trim 0.0.1 which is vulnerable to a regexp DoS.

Remark 9+ has been rewritten and does not depend on this trim package anymore. It would probably make sense to upgrade mdx to use the latest version of Remark (though that might not be easy as the BC breaks in 9.0 might be quite big).

[wschaef]

The vulnerability has severity HIGH. Any progress on this issue?

[stof]

Looks like #1367 has already done the upgrade work for the next branch. So this is more about an ETA for the release of this next version.

[johno]

We're working towards releasing v2 in the near future. We'll let you know when that happens.

FWIW, this is only a vulnerability if you're processing user input with MDX (though we know this is something that folks are doing).

[johno]

I'm going to close this now since it's addressed in the next branch. Thank you for reporting!

[DigiBanks99]

This is an incredibly long time to resolve a High vulnerability.

[ChristianMurphy]

This has been explained a few times, copying the explanation here too https://github.com/mdx-js/mdx/issues?q=is%3Aissue+trim+is%3Aclosed+vulnerable

1. This is not an exploit, it is a potential slow down. remark-parse 9, react-markdown 6, and mdx 2/xdm address this, and provide other performance improvements.
   https://overreacted.io/npm-audit-broken-by-design provides some additional insights into why npm audit and snyk, while useful, can also be broken for packages like react and mdx, flagging non-issues.
2. MDX version 1 cannot be patched (less strict version dependecy for "remark-parse" #1548 (comment))
3. MDX version 2 available as a release candidate and will be generally available soon.