Update node_module vulnerable transitive dependencies "nth-check" and "trim".

[VictorGFM]

Have you read the Contributing Guidelines on issues?

• I have read the Contributing Guidelines on issues.

Prerequisites

• I'm using the latest version of Docusaurus.
• I have tried the npm run clear or yarn clear command.
• I have tried rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
• I have tried creating a repro with https://new.docusaurus.io.
• I have read the console error message carefully (if applicable).

Description

The current version of docusaurus (2.0.0-beta.14) relies on some transitive dependencies that are vulnerable. The GitHub already reported the CVEs related to those dependencies but the docusaurus still using them, so would be good if they could get upgraded.

• nth-check@~1.0.1 -> related CVE
• trim@0.0.1 -> related CVE

Steps to reproduce

Verify the dependencies described in the description.

Expected behavior

Use the updated versions of the described dependencies.

Actual behavior

The versions of the described dependencies are vulnerable.

Your environment

• Public source code:
• Public site URL:
• Docusaurus version used:
• Environment name and version (e.g. Chrome 89, Node.js 16.4):
• Operating system and version (e.g. Ubuntu 20.04.2 LTS):

Reproducible demo

No response

Self-service

• I'd be willing to fix this bug myself.

[Josh-Cena]

Hi! If we could upgrade we would already, we regularly regenerate our lockfile to make our dependencies are the latest version possible (#6341). However, these dependencies are transitively depended on, so the upgrade doesn't depend on us.

Security auditing is broken in the front end, because much of the time, these CVEs don't actually impact anyone. I recommend you to read this Dan Abramov blog post: https://overreacted.io/npm-audit-broken-by-design/ And to back up this assertion, here's why we have these two dependencies:

=> Found "trim@0.0.1"
info Reasons this module exists
   - "_project_#remark-parse" depends on it

=> Found "cheerio#nth-check@1.0.2"
info Reasons this module exists
   - "_project_#@docusaurus#core#@slorber#static-site-generator-webpack-plugin#cheerio#css-select" depends on it

remark-parse is used to generate JSX from MDX. The static site generator plugin is also only a tool during build. Both of them are only used during the build phase and aren't sent down to the client. You shouldn't worry about security during the build phase, because the people who wrote the code and the people who run the build are the same group of people.

In short, upgrading involves unnecessary trouble (big architectural changes across major versions) while it doesn't actually fix any security issues. I'm going to close this as wontfix. Thanks for taking interest in this.

[VictorGFM]

I see, thanks for the explanation!