Closed dependabot[bot] closed 2 years ago
Please merge! It fixes an exploit.
WS-2019-0027 https://github.com/markedjs/marked/commit/b15e42b67cec9ded8505e9d68bb8741ad7a9590d moderate severity
Vulnerable versions: < 0.3.18 Patched version: 0.3.18
In versions 0.3.17 and earlier of marked, four regexes were vulnerable to catastrophic backtracking. This leaves markdown servers open to a potential ReDoS attack.
@grant-g @jenschlot Sorry to bother you, but the security alert is 9 months old and I cannot resolve this on my end because it is the dependency of a dependency.
@Simran-B The only reason I'm delaying on this is to compare before-and-after runs on a set of docs to see the HTML generation changes this would bring with it. I will try to get to this soon.
FWIW the potential exploit should not prove to be a problem unless you receive and process source content unchecked from external sources. I believe the patterns in source that would be needed to cause these problems are somewhat specific and unusual.
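As an added example that is not part of this thread or of marked's own code, here are the two checks a maintainer can use to confirm that a pattern of the kind the advisory describes no longer backtracks catastrophically: a static nested-quantifier heuristic and a timed probe. The regexes inside are constructed placeholders, not the four patterns marked 0.3.18 fixed.

```javascript
// Added example, not marked's code: two defender-side checks for the bug
// class in the advisory above (regexes that backtrack catastrophically).
// The patterns used here are constructed; they are not the four regexes
// that marked 0.3.18 fixed, which this thread does not reproduce.

// Static heuristic: a group that is itself quantified with + or * and whose
// body contains an unbounded quantifier, e.g. (a+)+ or ((a+)b)*, can take
// exponential time on an input that almost matches. Crude, like safe-regex.
function hasNestedQuantifier(source) {
  const stack = [];  // one flag per open group: body has seen + or * so far
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === '\\') { i++; continue; }         // skip the escaped character
    if (c === '[') {                           // + and * are literals in a class
      while (i < source.length && source[i] !== ']') { if (source[i] === '\\') i++; i++; }
      continue;
    }
    if (c === '(') { stack.push(false); continue; }
    if (c === ')') {
      const innerQuantified = stack.pop();
      const next = source[i + 1];
      if (innerQuantified && (next === '+' || next === '*')) return true;
      if (innerQuantified && stack.length) stack[stack.length - 1] = true;
      continue;
    }
    if ((c === '+' || c === '*') && stack.length) stack[stack.length - 1] = true;
  }
  return false;
}

// Dynamic check: time one match against an almost-matching input and report
// whether it blew a budget. Run this in CI on a test box, not in a request path.
function probe(re, input, budgetMs) {
  const t0 = process.hrtime.bigint();
  re.test(input);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { ms, exceeded: ms > budgetMs };
}

// Demo: the same language written two ways; only the nested form explodes.
if (typeof require !== 'undefined' && require.main === module) {
  const risky = /^(a+)+$/;   // constructed: exponential on "aaa...a!"
  const fixed = /^a+$/;      // equivalent language, linear time
  const evil = 'a'.repeat(22) + '!';
  for (const re of [risky, fixed]) {
    console.log(re.source, 'nested:', hasNestedQuantifier(re.source), probe(re, evil, 50));
  }
}
```

The static check is a heuristic and will miss overlapping alternations such as `(a|a)*`; the timed probe with a growing input length is the check that actually settles whether a given pattern is safe.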
Superseded by #35.
Bumps marked from 0.3.9 to 0.3.18.
Release notes
*Sourced from [marked's releases](https://github.com/markedjs/marked/releases).*

> ## Minor fixes and updated docs
> - Supported Markdown flavors: CommonMark 0.28 and GitHub Flavored Markdown 0.28
> - Updates to our CI pipeline; we're all green! [#1098](https://github-redirect.dependabot.com/markedjs/marked/issues/1098) with the caveat that there is a test that needs to get sorted (help us out [#1092](https://github-redirect.dependabot.com/markedjs/marked/issues/1092))
> - Start ordered lists using the initial numbers from markdown lists ([#1144](https://github-redirect.dependabot.com/markedjs/marked/issues/1144))
> - Added GitHub Pages site for documentation https://marked.js.org/ ([#1138](https://github-redirect.dependabot.com/markedjs/marked/issues/1138))
>
> ## Processes and tools
> - The elephant in the room: A security vulnerability was discovered and fixed. Please note, if something breaks due to these changes, it was not our intent, and please let us know by submitting a PR or issue to course correct (the nature of the zero-major release and having security as a number one priority) [#1083](https://github-redirect.dependabot.com/markedjs/marked/issues/1083)
> - The other elephant in the room: We missed publishing a 0.3.16 release to GitHub; so, trying to make up for that a bit.
> - Updates to the project documentation and operations, you should check it out, just start with the README and you should be good.
> - New release PR template available [#1076](https://github-redirect.dependabot.com/markedjs/marked/issues/1076)
> - Updates to default PR and Issue templates [#1076](https://github-redirect.dependabot.com/markedjs/marked/issues/1076)
> - Lint checks + tests + continuous integration using Travis [#1020](https://github-redirect.dependabot.com/markedjs/marked/issues/1020)
> - Updated testing output [#1085](https://github-redirect.dependabot.com/markedjs/marked/issues/1085) & [#1087](https://github-redirect.dependabot.com/markedjs/marked/issues/1087)
>
> ## Fix capturing parens
> Fixes unintended breaking change from v0.3.14
>
> ## New year, new home
> - Marked has a new home under the MarkedJS org! Other advances soon to come.
> - Updated minifier.
> - Various parser fixes
>
> ## New Year, new Marked!
> - Addresses issue where some users might not have been able to update due to missing `use strict` [#991](https://github-redirect.dependabot.com/markedjs/marked/issues/991)
> - Parser fix [#977](https://github-redirect.dependabot.com/markedjs/marked/issues/977)
> - New way to perform tests with options and running individual tests [#1002](https://github-redirect.dependabot.com/markedjs/marked/issues/1002)
> - Improved test cases
> - Improved links

Commits
- [`c1e19a9`](https://github.com/markedjs/marked/commit/c1e19a9dec09a3c92524506128754aa4672b365b) Merge pull request [#1152](https://github-redirect.dependabot.com/markedjs/marked/issues/1152) from 8fold/release-0.3.18
- [`98c9d14`](https://github.com/markedjs/marked/commit/98c9d147ad3969eabf647f8fd1fe7b211544670a) Update home page
- [`5d5fa04`](https://github.com/markedjs/marked/commit/5d5fa049ad669ead249812d370c78da9ea7f94de) 0.3.18
- [`6661fe5`](https://github.com/markedjs/marked/commit/6661fe503e04c8846b5df14c91e73fcf76c20bd9) Merge pull request [#1148](https://github-redirect.dependabot.com/markedjs/marked/issues/1148) from 8fold/styfle-admin
- [`5d3d70a`](https://github.com/markedjs/marked/commit/5d3d70a5c859e3e067683737d067a075d7217b56) Merge pull request [#1144](https://github-redirect.dependabot.com/markedjs/marked/issues/1144) from paulroub/OL_initial_numbers
- [`002c565`](https://github.com/markedjs/marked/commit/002c565ee926b5eb6e37b7542066429713524bcd) Merge pull request [#1151](https://github-redirect.dependabot.com/markedjs/marked/issues/1151) from wraith13/master
- [`2c20df9`](https://github.com/markedjs/marked/commit/2c20df95c45d5f9bca06d7598571a37fafb02e1d) Fix usage links in USING_ADVANCED.md
- [`f69a82f`](https://github.com/markedjs/marked/commit/f69a82f7bcf856d2001f8c980d96c924910e74ac) Remove redundant cast
- [`f886f40`](https://github.com/markedjs/marked/commit/f886f40d8dd94ce5cbf443d959c7870334fc721c) Merge pull request [#1147](https://github-redirect.dependabot.com/markedjs/marked/issues/1147) from 8fold/update-badges
- [`78a0258`](https://github.com/markedjs/marked/commit/78a0258d81509f90ee5d6c9daac63f109ad9e00a) styfle to admin
- Additional commits viewable in [compare view](https://github.com/markedjs/marked/compare/0.3.9...v0.3.18)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/IBM/marked-it/network/alerts).