"Regular Expression Denial of Service in trim" alert generated by Dependabot about Spectacle repository
hwaien opened this issue · 1 comments
Prerequisites
- I have searched the open issues to make sure I'm not opening a duplicate issue
- I have read through the docs before asking a question
- I am using the latest version of Spectacle
Describe Your Environment
What version of Spectacle are you using? (can be found by running npm list --depth 0 spectacle)
10.1.4
What version of React are you using? (can be found by running npm list --depth 0 react)
18.2.0
What browser are you using? (e.g., Chrome 105.0.5195.102, Safari 16.0)
Safari Version 16.4 (18615.1.26.11.23)
What platform are you on? (e.g., Windows, macOS, iOS, Android)
macOS
Describe the Problem
- Install Spectacle by running npm add spectacle.
- Push code to GitHub.
- Enable GitHub Dependabot alerts.
Expected behavior: [What you expect to happen]
I expect Dependabot to generate zero security alerts.
Actual behavior: [What actually happens]
Dependabot generates an alert regarding Regular Expression Denial of Service in trim. The advisory is detailed here: GHSA-w5p7-h5w8-2hfq
Additional Information
Seems like version 8.0.3 of remark-parse is the package that depends on the vulnerable 0.0.1 version of trim. Starting from version 9.0.0, remark-parse does not seem to depend on trim anymore.
Therefore the issue may be resolved by updating remark-parse. I can help to work on this.
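As an added illustration (not code from the Spectacle issue, the remark ecosystem or the trim package), the pattern below is the one early trim releases are assumed to have used for whitespace stripping; it shows why a long run of whitespace between two non-whitespace characters is expensive for that pattern, and gives a linear-time replacement with the same semantics as the built-in trim:

```javascript
// Added example, not code from the Spectacle issue or from the trim package.
// Assumption: early trim releases stripped whitespace with this pattern
// (GHSA-w5p7-h5w8-2hfq covers trim < 0.0.3).
const VULNERABLE_PATTERN = /^\s*|\s*$/g;

// Why the cost is super-linear: on "a<n spaces>b" the `\s*$` alternative is
// tried at every space, greedily runs to the 'b', fails `$`, and backtracks
// one character at a time, so total work grows with n^2.
function vulnerableTrim(str) {
  return str.replace(VULNERABLE_PATTERN, '');
}

// Linear-time replacement: one scan inward from each end. `\s` is only ever
// tested against a single character here, so there is nothing to backtrack.
// (String.prototype.trim has the same semantics and is the idiomatic fix.)
function safeTrim(str) {
  let start = 0;
  let end = str.length;
  while (start < end && /\s/.test(str[start])) start++;
  while (end > start && /\s/.test(str[end - 1])) end--;
  return str.slice(start, end);
}

// Constructed worst-case input: a long run of whitespace that is NOT at the
// start of the string, so `^\s*` cannot consume it in one step.
function worstCaseInput(n) {
  return 'a' + ' '.repeat(n) + 'b';
}

// Wall-clock cost of one call, in milliseconds.
function measureMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Both implementations agree with the built-in trim on ordinary inputs.
function implementationsAgree(samples) {
  return samples.every(s => vulnerableTrim(s) === safeTrim(s) && safeTrim(s) === s.trim());
}

// Doubling n roughly quadruples the vulnerable version's time; the safe one stays flat.
function worstCaseTimings(sizes) {
  return sizes.map(n => {
    const input = worstCaseInput(n);
    return { n, vulnerableMs: measureMs(vulnerableTrim, input), safeMs: measureMs(safeTrim, input) };
  });
}
```

Calling worstCaseTimings([1000, 2000, 4000]) returns one row per size; the vulnerableMs column grows roughly fourfold per doubling while safeMs stays in the sub-millisecond range.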
I started to take a look at this, and I found that we have to upgrade the entire unified ecosystem. It seems that there may have been a change in the types that the compiler returned by unified accepts that I can't find in the release notes. In particular, after following the prescribed upgrade steps (see commits above), I'm getting
src/components/markdown/markdown.tsx(193,59): error TS2345: Argument of type 'Parent<Node<Data>, Data>' is not assignable to parameter of type 'Root'.
Types of property 'type' are incompatible.
Type 'string' is not assignable to type '"root"'.
I'll keep poking around, but I thought I'd post partial progress in case anyone has an idea on how to resolve this.