Breaking Change in Dependency Chain for @tryfabric/martian Due to Vulnerable Versions of packages #65
Open
Description
I am encountering a breaking change issue when attempting to update @tryfabric/martian to version 1.2.0. It involves a chain of dependencies, including vulnerable versions of katex, micromark-extension-math, and remark-math.
Below are the details of the issue: npm audit
fix available via `npm audit fix --force`
Will install @tryfabric/martian@1.2.0, which is a breaking change
node_modules/katex
micromark-extension-math <=2.0.2
Depends on vulnerable versions of katex
node_modules/micromark-extension-math
remark-math 4.0.0 - 5.0.0
Depends on vulnerable versions of micromark-extension-math
node_modules/remark-math
@tryfabric/martian >=1.2.4
Depends on vulnerable versions of remark-math
node_modules/@tryfabric/martian
The issue involves:
- micromark-extension-math (<=2.0.2) depending on vulnerable versions of katex
- remark-math (4.0.0 - 5.0.0) depending on vulnerable versions of micromark-extension-math
- The installation of @tryfabric/martian@1.2.0 results in a breaking change

A potential fix has been suggested via npm audit fix --force, but this could break compatibility. Could you please provide guidance or an updated release to address this issue?
Thank you!
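The chain reported above can be traced mechanically from the machine-readable form of the same report, `npm audit --json`. This is an added example, not part of the original issue or the project's code: the JSON is a constructed sample, the katex advisory fields are placeholders, and `@tryfabric/martian` is assumed to be a direct dependency of the reporter's project.

```javascript
// Constructed sample shaped like `npm audit --json` (npm 7+); not real output.
// Ranges and the 1.2.0 fix come from the issue; katex advisory fields are placeholders.
const fix = { name: '@tryfabric/martian', version: '1.2.0', isSemVerMajor: true };
const audit = {
  vulnerabilities: {
    katex: {
      name: 'katex', isDirect: false, range: 'PLACEHOLDER', fixAvailable: fix,
      via: [{ name: 'katex', title: 'PLACEHOLDER advisory', url: 'PLACEHOLDER' }],
      effects: ['micromark-extension-math'],
    },
    'micromark-extension-math': {
      name: 'micromark-extension-math', isDirect: false, range: '<=2.0.2',
      via: ['katex'], effects: ['remark-math'], fixAvailable: fix,
    },
    'remark-math': {
      name: 'remark-math', isDirect: false, range: '4.0.0 - 5.0.0',
      via: ['micromark-extension-math'], effects: ['@tryfabric/martian'], fixAvailable: fix,
    },
    '@tryfabric/martian': { // assumed to be listed in the project's package.json
      name: '@tryfabric/martian', isDirect: true, range: '>=1.2.4',
      via: ['remark-math'], effects: [], fixAvailable: fix,
    },
  },
};

// Follow `effects` edges from each package that carries an advisory object in
// `via` (the root cause) up to every direct dependency that pulls it in.
function chainsToDirect(report) {
  const vulns = report.vulnerabilities;
  const chains = [];
  const walk = (name, path) => {
    const v = vulns[name];
    if (!v || path.includes(name)) return; // unknown node or cycle
    const next = [...path, name];
    if (v.isDirect) chains.push(next);
    for (const dependent of v.effects || []) walk(dependent, next);
  };
  for (const v of Object.values(vulns)) {
    if (v.via.some((x) => typeof x === 'object')) walk(v.name, []);
  }
  return chains;
}

// Direct dependencies whose offered fix is semver-major, i.e. what --force would install.
function forcedMajorFixes(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.isDirect && v.fixAvailable && v.fixAvailable.isSemVerMajor)
    .map((v) => `${v.name} -> ${v.fixAvailable.name}@${v.fixAvailable.version}`);
}
console.log(chainsToDirect(audit).map((c) => c.join(' > ')), forcedMajorFixes(audit));
```

Running the two functions in CI against real `npm audit --json` output makes it possible to fail a build on new advisory chains while listing semver-major fixes for manual review instead of applying them with `--force`.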