
Update dependencies to fix security issues #205

Open

royNiladri opened this issue May 17, 2021 · 14 comments

Comments

@royNiladri

I am using doctoc in my project and getting security warnings for 2 dependencies.
Both are directly or indirectly related to doctoc, and hence dependabot is unable to bump them.

@greyscaled
Contributor

greyscaled commented May 18, 2021

I have an outstanding PR for underscore - see #200 and the associated issue #199.

As for trim - this requires an upstream change in @textlint/markdown-to-ast and is being tracked here: textlint/textlint#717. They're using major version 5 of remark-parse that relied on trim 0.1. It's only removed in remark-parse version 9 and up.

In other words, underscore is actionable, but is awaiting review from @thlorenz . trim is going to need a bump from @textlint then one again here.

@royNiladri
Author

Thanks for the elaborate reply. Will wait it out. For me doctoc is a dev dependency and should not be impacting my end users. Since action items are already in the pipeline, feel free to mark it as a duplicate and close it.

@MapleCCC

MapleCCC commented Jun 7, 2021

textlint has released v12.0.0. Seems like we can do the bump now.

@neozenith

neozenith commented Jun 8, 2021

Perfect! I was following #199 and when it closed I was excited but confused there was still a high security alert for trim.

I have just chased through my package-lock.json, double checking every library in that chain and seeing packages updated, only to land here with others already on top of everything. 😆

In the process, @textlint/markdown-to-ast relying on remark-parse picks up a rather major change to their markdown parsing engine support using the micromark engine:

https://github.com/remarkjs/remark/releases/tag/13.0.0

But yeah, thank you to all involved 👏
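The chain discussed in this thread (doctoc pulling in @textlint/markdown-to-ast, which pins remark-parse 5, which depends on trim) is exactly what `npm ls trim` resolves for you. As an added example that is not part of this thread or of the doctoc project, the script below shows what that command computes: it walks the `packages` map of a lockfile v2/v3 package-lock.json, applies Node's nested `node_modules` resolution, and prints every path from the project root to a named package. The embedded lockfile is constructed for illustration (versions are made up to mirror the thread, and the nested underscore copy is there to exercise resolution); lockfile v1, which uses a nested `dependencies` tree instead, is not handled.

```javascript
// Added example (not doctoc code): trace how a package is reached from the
// project root by walking a lockfile v2/v3 style "packages" map.
// SAMPLE_LOCK is a constructed package-lock.json; versions are illustrative.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 2,
  packages: {
    "": {
      name: "my-app",
      version: "1.0.0",
      dependencies: { underscore: "^1.13.1" },
      devDependencies: { doctoc: "^2.0.0" },
    },
    "node_modules/underscore": { version: "1.13.1" },
    "node_modules/doctoc": {
      version: "2.0.0",
      dependencies: { "@textlint/markdown-to-ast": "^6.1.7", underscore: "^1.8.3" },
    },
    // doctoc gets its own nested copy because the root pin is incompatible
    "node_modules/doctoc/node_modules/underscore": { version: "1.8.3" },
    "node_modules/@textlint/markdown-to-ast": {
      version: "6.1.7",
      dependencies: { "remark-parse": "^5.0.0" },
    },
    "node_modules/remark-parse": { version: "5.0.0", dependencies: { trim: "0.0.1" } },
    "node_modules/trim": { version: "0.0.1" },
  },
};

// Package name is everything after the last "node_modules/", so scoped
// packages such as "@textlint/markdown-to-ast" come out whole.
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? lockPath : lockPath.slice(idx + "node_modules/".length);
}

// Node resolution: try <fromPath>/node_modules/<name>, then walk up one
// node_modules level at a time until the root "node_modules/<name>".
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed anywhere on the path
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Depth-first walk from the root (""); returns every chain that ends at
// a package called targetName, each as a list of "name@version" labels.
function dependencyChains(lock, targetName) {
  const packages = lock.packages;
  const chains = [];
  const visit = (lockPath, stackPaths, trail) => {
    const entry = packages[lockPath];
    const name = lockPath === "" ? entry.name || "root" : packageName(lockPath);
    const next = trail.concat(name + "@" + (entry.version || "?"));
    if (lockPath !== "" && name === targetName) {
      chains.push(next);
      return;
    }
    // devDependencies are only installed for the root project itself
    const deps = Object.assign(
      {},
      entry.dependencies,
      entry.optionalDependencies,
      lockPath === "" ? entry.devDependencies : {}
    );
    for (const depName of Object.keys(deps)) {
      const resolved = resolveDep(packages, lockPath, depName);
      if (resolved === null || stackPaths.includes(resolved)) continue; // missing or cycle
      visit(resolved, stackPaths.concat(resolved), next);
    }
  };
  visit("", [""], []);
  return chains;
}

function formatChains(chains) {
  return chains.map((chain) => chain.join(" -> "));
}

// Stand-alone use: node trace.js [path/to/package-lock.json] [package-name]
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  const target = process.argv[3] || "trim";
  const lines = formatChains(dependencyChains(lock, target));
  console.log(lines.length ? lines.join("\n") : `${target} is not in the lockfile`);
}
```

Run against a real lockfile, the output tells you which direct dependency (here the dev dependency doctoc) has to be bumped before dependabot can do anything about the transitive one, which is the situation described in the opening comment; two chains for underscore show why a single advisory can need two fixes.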

@geoffcorey

Is there a PR associated yet to bump the version or do we need to create one?

@thlorenz
Owner

The versions should've been bumped here #200 if I understand this correctly.

@AndrewSouthpaw
Collaborator

Calling this closed.

@MapleCCC

I think the closing of this issue is an oversight. This issue is about bumping the version of the dependency @textlint/markdown-to-ast to above 12.0.0 for security patching, while the PR #200 is about bumping the version of the dependency underscore to above 1.12.1. This issue is not resolved yet! Please reopen it to keep track of the issue.

@MapleCCC

MapleCCC commented Oct 21, 2021

Bumping @textlint/markdown-to-ast from 6.1.7 to 12.0.0 rushes through six major versions. I am afraid we might need some change in our source code to accommodate the changes of @textlint/markdown-to-ast's API.

This is no small work :)

@AndrewSouthpaw
Collaborator

Thanks! I did overlook that aspect. Reopening.

@fergiemcdowall

Any progress here? Still getting [email protected] requires [email protected] via a transitive dependency on [email protected]

@ComLock

ComLock commented Apr 28, 2022

Still a High Security Vulnerability.

@jhillacre

PR #225 seems to deal with this, but didn't mention this issue.

@AndrewSouthpaw
Collaborator

This should be fixed now with v2.2.0, lmk if you're seeing otherwise.

~/Projects/doctoc on master
$ npm audit
found 0 vulnerabilities

10 participants