Vulnerable Dependency

[jasonchavez520]

Remark Parse using old/vulnerable trim library. According to snyk, trim 0.0.1 is vulnerable to the following: https://snyk.io/vuln/SNYK-JS-TRIM-1017038

Can trim be updated to version 1.0.0?

Thank you.

[ChristianMurphy]

remark-parse doesn't use trim, here is the current dependency tree.

remark-parse@9.0.0
└─┬ mdast-util-from-markdown@0.8.4
  ├─┬ @types/mdast@3.0.3
  │ └── @types/unist@2.0.3
  ├── mdast-util-to-string@2.0.0
  ├─┬ micromark@2.11.2
  │ ├─┬ debug@4.3.1
  │ │ └── ms@2.1.2
  │ └── parse-entities@2.0.0 deduped
  ├─┬ parse-entities@2.0.0
  │ ├── character-entities-legacy@1.1.4
  │ ├── character-entities@1.2.4
  │ ├── character-reference-invalid@1.1.4
  │ ├─┬ is-alphanumerical@1.0.4
  │ │ ├── is-alphabetical@1.0.4
  │ │ └── is-decimal@1.0.4 deduped
  │ ├── is-decimal@1.0.4
  │ └── is-hexadecimal@1.0.4
  └─┬ unist-util-stringify-position@2.0.3
    └── @types/unist@2.0.3 deduped

You may be on an old version or remark, or have locked trim in with a yarn.lock or package-lock.json file.
Consider upgrading remark/remark parse, and running npm upgrade or yarn upgrade.