Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Regular Expression Denial of Service in trim" alert generated by Dependabot about Spectacle repository #1281

Open
3 tasks done
hwaien opened this issue May 29, 2023 · 1 comment
Open
3 tasks done

"Regular Expression Denial of Service in trim" alert generated by Dependabot about Spectacle repository #1281

hwaien opened this issue May 29, 2023 · 1 comment
Labels
🤖 Dependencies Pull requests that update a dependency file

Comments

@hwaien
Copy link

hwaien commented May 29, 2023

Prerequisites

  • I have searched the open issues to make sure I'm not opening a duplicate issue
  • I have read through the docs before asking a question
  • I am using the latest version of Spectacle

Describe Your Environment

What version of Spectacle are you using? (can be found by running npm list --depth 0 spectacle)

10.1.4

What version of React are you using? (can be found by running npm list --depth 0 react)

18.2.0

What browser are you using? (e.g., Chrome 105.0.5195.102, Safari 16.0)

Safari Version 16.4 (18615.1.26.11.23)

What platform are you on? (e.g., Windows, macOS, iOS, Android)

macOS

Describe the Problem

  1. Install Spectacle by running npm add spectacle.
  2. Push code to GitHub.
  3. Enable GitHub Dependabot alerts.

Expected behavior: [What you expect to happen]

I expect Dependabot to generate zero security alerts.

Actual behavior: [What actually happens]

Dependabot generates alert regarding Regular Expression Denial of Service in trim. The advisory is detailed here: GHSA-w5p7-h5w8-2hfq

Additional Information

Seems like version 8.0.3 of remark-parse is the package that depends on the vulnerable 0.0.1 version of trim. Starting from version 9.0.0, remark-parse does not seem to depend on trim anymore.

Therefore the issue may be resolved by updating remark-parse. I can help to work on this.
@carbonrobot carbonrobot added the 🤖 Dependencies Pull requests that update a dependency file label Oct 31, 2023
doug-wade added a commit to doug-wade/spectacle that referenced this issue Feb 11, 2024
@doug-wade
fix(FormidableLabs#1281): Upgrade unified and ecosystem to resolve se…
4a33c01 
…curity vulnerability
doug-wade added a commit to doug-wade/spectacle that referenced this issue Feb 11, 2024
@doug-wade
fix(FormidableLabs#1281): Upgrade unified and ecosystem to resolve se…
85659d3 
…curity vulnerability
@doug-wade
Copy link

doug-wade commented Feb 11, 2024
edited
Loading

I started to take a look at this, and I found that we have to upgrade the entire unified ecosystem. It seems that there was may have been a change in the types that the compiler returned by unified accepts that I can't find in the release notes. In particular, after following the prescribed upgrade steps (see commits above), I'm getting

src/components/markdown/markdown.tsx(193,59): error TS2345: Argument of type 'Parent<Node<Data>, Data>' is not assignable to parameter of type 'Root'.
  Types of property 'type' are incompatible.
    Type 'string' is not assignable to type '"root"'.`

I'll keep poking around, but I thought I'd post partial progress in case anyone has an idea on how to resolve this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
🤖 Dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@carbonrobot @hwaien @doug-wade