Dependencies vulnerabilities

[theoludwig]

Hello! 👋
Thanks for this awesome npm package. 😄

After installing next-mdx-remote, I've got 5 high severity vulnerabilities. 😞

Link to the npm advisory : https://www.npmjs.com/advisories/1700

I can't run npm audit fix to fix them, as far as I know this could be fixed by updating @mdx-js/mdx to 2.0.0-next.9, should we upgrade ?

[jescalan]

That is a prerelease, so we're not going to update this yet, since prereleases are generally not considered to be stable. If you'd like to see these patched in a stable version of @mdx-js/mdx I would encourage you to open an issue over there!

[theoludwig]

Right, that makes sense.
I opened an issue in @mdx-js/mdx repo : mdx-js/mdx#1553

[ChristianMurphy]

As noted in remarkjs/remark#710, and in several of the duplicate requests in mdx.
This is not a an exploit, it is a potential slow down. It along with many other performance improvements are availible in more recent releases.

These performance improvements are a part of MDX 2 beta (see mdx-js/mdx#1041) and in the stable release of XDM (https://github.com/wooorm/xdm).

[jescalan]

Shipping a beta or a different library to stable is not in the cards for us, so I'm going to close this issue. Anyone interested is more than welcome to fork and change the core library if they please. We ran a test branch with xdm which can be found here as well 😀

[PurpleBooth]

Is there any plans to resolve this? I like the library, but it damages our ability to automatically audit dependencies, and as such automating the supply chain security if we have to add exceptions.

[jescalan]

No, the response above still stands. You are welcome to try the v2 version if you are ready to upgrade that may resolve some of the issues for you, this will be released soon.

I also recommend this read -- while security is very important, you also need to think critically about whether npm warnings are actually issues for your app, or whether you are just performing security theater, trying to check of a list of things that are not actually problems. Unless you are passing user input into this library, which I don't think is even possible, none of the vulnerabilities listed are actually vulnerabilities.