
Find alternative to mdx-loader #6851

Closed
1 of 2 tasks
peterkappelt opened this issue Mar 5, 2022 · 1 comment
Labels
closed: duplicate This issue or pull request already exists in another issue or pull request proposal This issue is a proposal, usually non-trivial change

Comments

@peterkappelt

Have you read the Contributing Guidelines on issues?

Motivation

Hey guys,

docusaurus currently depends on mdx-loader (from https://github.com/frontarm/mdx-util) which seems to be abandoned (no commit for 3-odd years).

Because of that, docusaurus currently includes trim in version 0.0.1 which is prone to a High-severity CVE: GHSA-w5p7-h5w8-2hfq

$ yarn why trim
yarn why v1.22.17
[1/4] Why do we have the module "trim"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "trim@0.0.1"
info Reasons this module exists
   - "@docusaurus#core#@docusaurus#mdx-loader#@mdx-js#mdx#remark-parse" depends on it
   - Hoisted from "@docusaurus#core#@docusaurus#mdx-loader#@mdx-js#mdx#remark-parse#trim"
info Disk size without dependencies: "28KB"
info Disk size with unique dependencies: "28KB"
info Disk size with transitive dependencies: "28KB"
info Number of shared dependencies: 0

I'd suggest looking for an alternative webpack loader. I know that there is a webpack loader provided by @mdx-js directly (https://mdxjs.com/packages/loader/), which should definitely be preferred IMHO. Not sure though how much effort the change causes...

Cheers!

Self-service

  • I'd be willing to do some initial work on this proposal myself.
@peterkappelt peterkappelt added proposal This issue is a proposal, usually non-trivial change status: needs triage This issue has not been triaged by maintainers labels Mar 5, 2022
@Josh-Cena
Collaborator

Hi, I'm not sure what you mean.

docusaurus currently depends on mdx-loader (from https://github.com/frontarm/mdx-util) which seems to be abandoned (no commit for 3-odd years).

We have our own MDX loader that's constantly fixed and improved. Maybe you missed the @docusaurus prefix of the mdx-loader?

Because of that, docusaurus currently includes trim in version 0.0.1 which is prone to a High-severity CVE: GHSA-w5p7-h5w8-2hfq

These CVE audits mean nothing in front-end build pipelines, because the MDX loader is only run during build time. So unless you construct a super complex MDX document and DoS yourself, I can't possibly imagine how it could affect the downstream user. Please also see https://overreacted.io/npm-audit-broken-by-design/

Now, if you are looking for a non-MDX solution, we have #3018; if you are looking for upgrades to MDX v2 which has all the dependencies upgraded, we have #4029. In any case, I'll close this as a duplicate.

If you have any solid suggestions on how we can progress on either of those issues, feel free to post your thoughts under them!

@Josh-Cena Josh-Cena added closed: duplicate This issue or pull request already exists in another issue or pull request and removed status: needs triage This issue has not been triaged by maintainers labels Mar 6, 2022
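The two posts above disagree on what the `yarn why trim` output means for exposure: the chain it prints is the thing to triage, not the bare advisory. The script below is an added example, not code from the Docusaurus project or from either participant. It parses the dependency chains that `yarn why` prints (the sample input is constructed from the output quoted in the issue), expands yarn's `#`-joined chains back into package names, and classifies each chain as build-time or runtime according to a list of packages known to run only inside the build pipeline. That list (`BUILD_TIME_PACKAGES`) is an assumption for the example; the page only establishes that `@docusaurus/mdx-loader` is a build-time loader.

```javascript
// Added example (not from the Docusaurus project): triage a `yarn why`
// result by asking where in the dependency graph the flagged package
// actually executes. A vulnerable package reached only through a
// build-time loader never runs in the shipped site, which is the
// distinction the maintainer's reply draws.

// Constructed sample input, copied from the `yarn why trim` output
// quoted earlier in this issue.
const YARN_WHY_OUTPUT = `
yarn why v1.22.17
[1/4] Why do we have the module "trim"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "trim@0.0.1"
info Reasons this module exists
   - "@docusaurus#core#@docusaurus#mdx-loader#@mdx-js#mdx#remark-parse" depends on it
   - Hoisted from "@docusaurus#core#@docusaurus#mdx-loader#@mdx-js#mdx#remark-parse#trim"
info Disk size without dependencies: "28KB"
`;

// Assumption for this example: packages that only run during the build.
// A real project would maintain this list itself.
const BUILD_TIME_PACKAGES = new Set(["@docusaurus/mdx-loader", "webpack"]);

// yarn joins the chain with '#', and a scoped package appears as
// "@scope#name", so a token starting with '@' absorbs the next token.
function splitChain(chain) {
  const tokens = chain.split("#");
  const pkgs = [];
  for (let i = 0; i < tokens.length; i++) {
    if (tokens[i].startsWith("@") && i + 1 < tokens.length) {
      pkgs.push(`${tokens[i]}/${tokens[i + 1]}`);
      i++;
    } else {
      pkgs.push(tokens[i]);
    }
  }
  return pkgs;
}

// The package and version that yarn resolved, from the "=> Found" line.
function parseFound(output) {
  const m = /=> Found "([^"]+)"/.exec(output);
  return m ? m[1] : null;
}

// Every "- ..." reason line, including "Hoisted from" lines, as a
// list of package-name arrays (root first).
function parseReasons(output) {
  const reasons = [];
  const re = /^\s*-\s+(?:Hoisted from\s+)?"([^"]+)"/;
  for (const line of output.split("\n")) {
    const m = re.exec(line);
    if (m) reasons.push(splitChain(m[1]));
  }
  return reasons;
}

// A chain is build-time if any package on it is a known build-only
// package; everything else is treated as reachable at runtime.
function classify(chain) {
  const via = chain.find((p) => BUILD_TIME_PACKAGES.has(p));
  return via ? { exposure: "build-time", via } : { exposure: "runtime", via: null };
}

function triage(output) {
  return parseReasons(output).map((chain) => ({ chain, ...classify(chain) }));
}

// Usage: prints one line per dependency chain with its exposure class.
for (const r of triage(YARN_WHY_OUTPUT)) {
  console.log(`${parseFound(YARN_WHY_OUTPUT)}: ${r.exposure} via ${r.via} [${r.chain.join(" > ")}]`);
}
```

Both chains in the quoted output pass through `@docusaurus/mdx-loader`, so the script classifies them as build-time, which matches the reply's point that the package never runs in the deployed site. A build-time classification lowers the exposure; it does not make the upgrade unnecessary, and a chain that reaches the flagged package without passing through a build-only package would come back as runtime and deserve the usual response.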
Development

No branches or pull requests

2 participants