
svelte-katex uses outdated katex dependency with security vulnerabilities  #14135

@LUK4S-B

Description


Describe the bug

svelte-katex uses outdated katex dependency with security vulnerabilities:

# npm audit report

katex  0.10.0-beta - 0.16.9
Severity: moderate
KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols - https://github.com/advisories/GHSA-3wc5-fcw2-2329
KaTeX's `\includegraphics` does not escape filename - https://github.com/advisories/GHSA-f98w-7cxr-ff2h
KaTeX's maxExpand bypassed by Unicode sub/superscripts - https://github.com/advisories/GHSA-cvr6-37gx-v8wc
KaTeX's maxExpand bypassed by `\edef` - https://github.com/advisories/GHSA-64fm-8hw2-v72w
No fix available
node_modules/svelte-katex/node_modules/katex
  svelte-katex  *
  Depends on vulnerable versions of katex
  node_modules/svelte-katex

2 moderate severity vulnerabilities

In all three links, it is advised to update to KaTeX 0.16.10 instead. So there are patches already - svelte-katex just doesn't use the most up-to-date version.

Reproduction

Create a Svelte project and run npm install svelte-katex. It will show that there are moderate security vulnerabilities.

Logs

No response

System Info

not relevant, I believe

Severity

annoyance
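An added defender-side check, not code from this issue or from the svelte-katex project: a dependency-free Node.js script that scans a package-lock.json (lockfileVersion 2/3 "packages" layout) for every installed copy of katex, nested copies included, and flags those inside the range the audit above reports (0.10.0-beta through 0.16.9, i.e. anything below the patched 0.16.10). The lockfile embedded here is constructed for the example; the svelte-katex version in it is a placeholder, and only the nested path node_modules/svelte-katex/node_modules/katex is taken from the audit output.

```javascript
// Added example (not from the issue or from svelte-katex): find katex copies in a
// lockfile that fall inside the advisory range reported by npm audit.

const VULN_LOW = "0.10.0-beta"; // first affected version in the audit report
const FIXED = "0.16.10";        // first patched version named in the advisories

// Split "1.2.3-beta.1" into { core: [1, 2, 3], pre: ["beta", "1"] }.
function parseVersion(v) {
  const dash = v.indexOf("-");
  const core = (dash === -1 ? v : v.slice(0, dash)).split(".").map(Number);
  const pre = dash === -1 ? [] : v.slice(dash + 1).split(".");
  return { core, pre };
}

// Semver-style ordering: compare major.minor.patch, then treat a prerelease as
// older than its release; two prereleases compare identifier by identifier.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.core[i] || 0) - (pb.core[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;  // release sorts after prerelease
  if (pb.pre.length === 0) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    if (pa.pre[i] === undefined) return -1; // shorter prerelease sorts first
    if (pb.pre[i] === undefined) return 1;
    const na = Number(pa.pre[i]);
    const nb = Number(pb.pre[i]);
    if (!Number.isNaN(na) && !Number.isNaN(nb)) {
      if (na !== nb) return Math.sign(na - nb);
    } else if (pa.pre[i] !== pb.pre[i]) {
      return pa.pre[i] < pb.pre[i] ? -1 : 1;
    }
  }
  return 0;
}

// Inside [0.10.0-beta, 0.16.10): affected by the four advisories in the audit.
function isVulnerableKatex(version) {
  return compareVersions(version, VULN_LOW) >= 0 && compareVersions(version, FIXED) < 0;
}

// Walk every installed package, including nested copies such as
// node_modules/svelte-katex/node_modules/katex, and report affected katex copies.
function findVulnerableKatex(lockfile) {
  const hits = [];
  for (const [path, info] of Object.entries(lockfile.packages || {})) {
    if (path === "" || !info.version) continue; // "" is the root project entry
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (name === "katex" && isVulnerableKatex(info.version)) {
      hits.push({ path, version: info.version });
    }
  }
  return hits;
}

// Constructed sample lockfile mirroring the layout in the audit output: a patched
// root katex plus an older nested copy pulled in by svelte-katex. The svelte-katex
// version "0.0.0" is a placeholder, not a real release.
const SAMPLE_LOCK = {
  name: "my-svelte-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-svelte-app", version: "0.0.1" },
    "node_modules/katex": { version: "0.16.10" },
    "node_modules/svelte-katex": { version: "0.0.0", dependencies: { katex: "*" } },
    "node_modules/svelte-katex/node_modules/katex": { version: "0.15.6" },
  },
};

// Stand-alone run: in a real project, replace SAMPLE_LOCK with
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
for (const h of findVulnerableKatex(SAMPLE_LOCK)) {
  console.log(`${h.path}@${h.version} is inside the advisory range (< ${FIXED})`);
}
```

Running this against the sample prints only the nested copy; the root katex at 0.16.10 is left alone. If svelte-katex keeps shipping with the old range, an npm `overrides` entry in the consuming project's package.json can force the nested katex to the patched release, but that only substitutes the version and does not verify that svelte-katex still renders correctly with it, so re-run the project's own tests after adding it.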
