
Update remark-parse dependency #186

Closed
bicrypt opened this issue May 11, 2021 · 2 comments

bicrypt commented May 11, 2021

The currently installed version of remark-parse uses a version of "trim" that is marked "high severity" by npm!

https://www.npmjs.com/advisories/1700

The latest version of remark-parse does not depend on this dangerous dependency.

Thanks in advance!

eslint-github-bot added this to Needs Triage in Triage May 11, 2021
@dominikg
may not be easy to do, see #171 (comment) and #175

btmills moved this from Needs Triage to Ready to Implement in Triage May 16, 2021
btmills self-assigned this May 16, 2021

btmills commented May 16, 2021

Upgrading to mdast-util-from-markdown might not be quite as difficult as originally feared. I have a prototype implementation that actually uncovered two incorrect assertions in the existing tests! I'll need to do more testing to be confident enough to submit a PR, but early signs are encouraging.

btmills added a commit that referenced this issue May 20, 2021
The previous parser, `remark-parse` v7, included a transitive dependency
on an npm package with a security vulnerability. Newer versions of
`remark-parse` are wrappers around a new underlying parser,
`mdast-util-from-markdown`, so we can use that directly.

The previous parser also failed to preserve `\r\n` line endings,
replacing them all with `\n`. The new parser correctly preserves `\r\n`
line endings, finally providing a fix for the failing test case I
cherry-picked in the previous commit. The improved behavior also
uncovered an incorrect line ending test assertion that this commit
corrects.

While this change is in theory fully compatible, containing just bug
fixes, I'm tagging it `Update:` in case there are compatibility changes
in the new parser. This is consistent with #175, which upgraded
`remark-parse` v5 to v7 in a semver-minor `Update:` change.
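The situation described in the opening comment and in the commit message above, where the project's own package.json names remark-parse but the package with the advisory is trim, pulled in underneath it, is exactly what a glance at package.json misses. The script below is an added example, not code from this issue or from the project: it walks the `packages` map of a lockfileVersion 2 `package-lock.json`, resolves each dependency the way Node does (the requester's own `node_modules` first, then each enclosing one up to the root), and reports every dependency chain that ends in a package an advisory covers, so a hoisted vulnerable copy and a nested patched copy are told apart. The lockfile embedded in it is constructed (modeled on a project depending on remark-parse v7 with trim 0.0.1 beneath it; versions are illustrative), the `< 0.0.3` range comes from npm advisory 1700 rather than from this page, and the version comparison is a deliberately simplified x.y.z compare with no prerelease handling.

```javascript
'use strict';

// Constructed sample lockfile (not a real project's file), in the
// lockfileVersion 2 "packages" shape: keys are install paths, values carry
// the resolved version and the package's own declared dependencies.
// It models a project depending on remark-parse v7, which pulled in
// trim 0.0.1, plus a second tool that already has the patched 0.0.3 nested
// under it, so that the two copies have to be distinguished.
const SAMPLE_LOCK = {
  name: 'sample-project',
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { 'remark-parse': '^7.0.2', 'other-tool': '^1.0.0' } },
    'node_modules/remark-parse': {
      version: '7.0.2',
      dependencies: { trim: '0.0.1', 'trim-trailing-lines': '^1.1.0' },
    },
    'node_modules/trim': { version: '0.0.1' },
    'node_modules/trim-trailing-lines': { version: '1.1.4' },
    'node_modules/other-tool': { version: '1.0.0', dependencies: { trim: '^0.0.3' } },
    'node_modules/other-tool/node_modules/trim': { version: '0.0.3' },
  },
};

// npm advisory 1700 covers trim below 0.0.3 (range taken from the advisory,
// not from the issue text).
const ADVISORIES = [{ id: 1700, name: 'trim', fixedIn: '0.0.3' }];

// Simplified x.y.z comparison: enough for this check, ignores prerelease tags.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i += 1) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name for a lockfile path ("node_modules/a/node_modules/@s/b" -> "@s/b").
function packageName(lock, path) {
  if (path === '') return lock.name;
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Resolve `name` as required from `fromPath`, the way Node does: the
// requester's own node_modules first, then each enclosing node_modules up to
// the root. Returns the lockfile key of the copy that would actually load.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (base === '') return null; // not in the lockfile at all
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Depth-first walk from the root package, reporting every chain that ends in
// a package an advisory covers. Chains are kept as lockfile paths so the
// hoisted and the nested copy of the same package are distinct nodes.
function findVulnerableChains(lock, advisories) {
  if (!lock.packages) throw new Error('expected a lockfileVersion 2 or 3 "packages" map');
  const { packages } = lock;
  const findings = [];
  const label = (p) => (p === '' ? lock.name : `${packageName(lock, p)}@${packages[p].version}`);

  function walk(path, chain) {
    const pkg = packages[path];
    const here = [...chain, path];
    const name = packageName(lock, path);
    for (const adv of advisories) {
      if (path !== '' && name === adv.name && compareVersions(pkg.version, adv.fixedIn) < 0) {
        findings.push({ advisory: adv.id, package: name, version: pkg.version, chain: here.map(label) });
      }
    }
    // Root entries list dev dependencies separately; optional ones may be absent.
    const deps = { ...pkg.dependencies, ...pkg.devDependencies, ...pkg.optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const target = resolve(packages, path, dep);
      if (target !== null && !here.includes(target)) walk(target, here); // `includes` guards cycles
    }
  }

  walk('', []);
  return findings;
}

// Stand-alone use: `node check-lock.js [package-lock.json]` (file name is an
// assumption); without an argument the constructed sample above is checked.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  for (const f of findVulnerableChains(lock, ADVISORIES)) {
    console.log(`advisory ${f.advisory}: ${f.package}@${f.version} via ${f.chain.join(' > ')}`);
  }
}
```

On the sample it reports one chain, `sample-project > remark-parse@7.0.2 > trim@0.0.1`, and says nothing about the patched copy under `other-tool`. Resolving per requester rather than just grepping the lockfile for the package name is what makes that distinction; a lockfileVersion 1 file (the nested `dependencies` tree) would need the walk adapted to its shape.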
btmills moved this from Ready to Implement to Pull Request Opened in Triage May 20, 2021
Triage automation moved this from Pull Request Opened to Complete May 26, 2021