DavidWells / markdown-magic

💫  Automatically format markdown files via comment blocks using source code, external data & custom transforms.

Vulnerability in the package #41

Closed juanjoDiaz closed 3 years ago

juanjoDiaz commented 5 years ago

Reported by npm audit

```
│ Moderate      │ Regular Expression Denial of Service                    │
│ Package       │ underscore.string                                       │
│ Patched in    │ >=3.3.5                                                 │
│ Dependency of │ markdown-magic [dev]                                    │
│ Path          │ markdown-magic > markdown-toc > remarkable > argparse > │
│               │ underscore.string                                       │
│ More info     │ https://npmjs.com/advisories/745                        │
```
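What the "Regular Expression Denial of Service" category in that report means in practice, as an added example that is not part of the issue, of markdown-magic, or of the underscore.string advisory: a regex with a nested quantifier backtracks exponentially on a crafted input, so a single attacker-controlled string can pin a CPU. The pattern, the adversarial input and the `guardedTest` wrapper below are constructed for illustration; they are not the pattern the advisory describes.

```javascript
// Added example, not code from markdown-magic or underscore.string.
// VULNERABLE is a textbook catastrophic-backtracking pattern, constructed
// here for illustration; it is not the regex from the advisory.
const VULNERABLE = /^(a+)+$/;  // nested quantifier: exponential backtracking on "aaa...!"
const SAFE = /^a+$/;           // matches the same language without ambiguity

// n matching characters followed by one that makes the overall match fail,
// so the engine tries every way of splitting the a's between the groups.
function adversarialInput(n) {
  return 'a'.repeat(n) + '!';
}

// Milliseconds for one re.test() call, best of `runs` attempts.
function timeMatch(re, input, runs = 3) {
  let best = Infinity;
  for (let i = 0; i < runs; i++) {
    const start = process.hrtime.bigint();
    re.test(input);
    const ms = Number(process.hrtime.bigint() - start) / 1e6;
    if (ms < best) best = ms;
  }
  return best;
}

// Mitigation when the pattern lives in a dependency you cannot change:
// bound the input before it reaches the regex. maxLen is an assumed limit.
function guardedTest(re, input, maxLen = 64) {
  if (typeof input !== 'string' || input.length > maxLen) return false;
  return re.test(input);
}

// Timing table for growing n: the vulnerable column roughly doubles per
// extra character, the safe column stays flat.
function demo() {
  const result = {};
  for (const n of [10, 14, 18, 22]) {
    const input = adversarialInput(n);
    result[n] = {
      vulnerable_ms: timeMatch(VULNERABLE, input),
      safe_ms: timeMatch(SAFE, input),
    };
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

The point for the question raised later in this thread: the exponential cost only matters where untrusted input reaches the pattern. A build-time tool run over your own README never sees attacker input; the same code exposed as a service does.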

tripflex commented 5 years ago

I can confirm this as well; it's showing on mine that I'm using for generating an awesome list: https://github.com/tripflex/awesome-mongoose-os

DavidWells commented 5 years ago

Thanks for the report

Do you know if this is fixed upstream in these markdown-toc > remarkable > argparse?

forresst commented 5 years ago

Here is the current state:

argparse: no longer uses underscore since February 19, 2015 (version 1.0.0)

remarkable: a version change was made from 0.1.15 to 1.0.10 on July 21, 2019 but remarkable was not versioned (only the master contains the modification)

markdown-toc: uses remarkable (version 1.7.1) since version 1.0.0 of markdown-toc. Note: markdown-toc has an issue for this vulnerability
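To check whether the upstream changes listed above have actually reached an installed tree, here is an added example (not part of markdown-magic or of any of the packages named) that walks an `npm ls --json`-style dependency tree, prints every path that reaches a package, and flags versions below the patched range from the audit report. The tree is constructed to mirror the path in the report; its version numbers are illustrative assumptions, not a record of what any release shipped, and the version comparison handles plain dotted numbers only.

```javascript
// Added example, not code from markdown-magic or the audited packages.
const PATCHED_MIN = '3.3.5';   // from the report line "Patched in >=3.3.5"

// Constructed sample in the shape of `npm ls --json` output; the versions
// are assumptions for illustration, not real release data.
const sampleTree = {
  name: 'my-docs',
  dependencies: {
    'markdown-magic': {
      version: '0.1.0',
      dependencies: {
        'markdown-toc': {
          version: '1.0.0',
          dependencies: {
            remarkable: {
              version: '1.7.1',
              dependencies: {
                argparse: {
                  version: '0.1.16',
                  dependencies: { 'underscore.string': { version: '2.4.0' } },
                },
              },
            },
          },
        },
      },
    },
  },
};

// Compare dotted numeric versions (no prerelease tags); negative if a < b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk; one hit per occurrence, since a package can be
// installed at several depths with different versions.
function findPackage(tree, target, trail = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const path = trail.concat(name);
    if (name === target) hits.push({ path, version: info.version });
    hits.push(...findPackage(info, target, path));
  }
  return hits;
}

// Report each path with whether the installed version is still below the patch.
function auditPackage(tree, target, patchedMin) {
  return findPackage(tree, target).map(h => ({
    path: h.path.join(' > '),
    version: h.version,
    vulnerable: compareVersions(h.version, patchedMin) < 0,
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(auditPackage(sampleTree, 'underscore.string', PATCHED_MIN));
}
```

Pipe real data in with `npm ls --json` and pass the parsed object in place of `sampleTree`; a fixed upstream release shows up as the path disappearing, or as the last hop's version moving above the patched minimum.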

DavidWells commented 5 years ago

Thanks for the insight!

How can we fix this? (Hopefully without forking and maintaining all the upstream deps?)

Are folks using markdown-magic on a server where this DDoS vulnerability would be an issue?

DavidWells commented 3 years ago

Fixed with markdown-magic@2.3.0