Ionaru / easy-markdown-editor

EasyMDE: A simple, beautiful, and embeddable JavaScript Markdown editor. Delightful editing for beginners and experts alike. Features built-in autosaving and spell checking.
https://stackblitz.com/edit/easymde
MIT License
2.39k stars, 316 forks

allow marked version 2.0.0 and higher #299

Closed. valentijnscholten closed this 3 years ago

valentijnscholten commented 3 years ago

The marked dependency is vulnerable to a DoS/ReDoS attack: https://github.com/advisories/GHSA-4r62-v4vq-hr96

Although I am not sure if this affects EasyMDE itself or its use cases, it would still be good to test/support/allow version 2.0.0 or higher of marked, which is the first version where this is fixed.

Currently marked seems "pinned" to ^1.2.6 which prevents for example dependabot from updating it in projects using EasyMDE.
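
The point about the `^1.2.6` pin can be checked mechanically. The following is an added example, not code from EasyMDE, marked, or the issue author: a minimal caret/`>=` range matcher (the real `semver` package is assumed not to be installed, so the caret rules are reimplemented here, including the `0.x` edge case) plus an `isVulnerable` check built from the one fact the issue states, that 2.0.0 is the first fixed marked version. The `MARKED_ADVISORY` object is constructed for the example and is not the advisory's real data format.

```javascript
// Added example (not EasyMDE/marked code): why a "^1.2.6" range can never
// resolve to marked 2.0.0, the first version the issue names as fixed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// npm caret semantics: ^X.Y.Z allows >=X.Y.Z <(X+1).0.0 when X > 0.
// When the major is 0 the caret is narrower: ^0.Y.Z allows <0.(Y+1).0,
// and ^0.0.Z allows only <0.0.(Z+1).
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Supports only the two range forms relevant here: "^X.Y.Z" and ">=X.Y.Z".
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  const caret = /^\^(.+)$/.exec(r);
  if (caret) {
    const base = parseVersion(caret[1]);
    return compare(v, base) >= 0 && compare(v, caretUpperBound(base)) < 0;
  }
  const gte = /^>=(.+)$/.exec(r);
  if (gte) return compare(v, parseVersion(gte[1])) >= 0;
  throw new Error(`unsupported range syntax: ${range}`);
}

// Constructed for this example from the issue text: everything below `fixed`
// is treated as affected. This is not the advisory's real data format.
const MARKED_ADVISORY = { id: 'GHSA-4r62-v4vq-hr96', fixed: '2.0.0' };

function isVulnerable(version, advisory = MARKED_ADVISORY) {
  return compare(parseVersion(version), parseVersion(advisory.fixed)) < 0;
}

// Can a dependency declared with `range` ever be resolved to the fixed version?
// If not, Dependabot in a downstream project has nothing it is allowed to bump.
function canReachFix(range, advisory = MARKED_ADVISORY) {
  return satisfies(advisory.fixed, range);
}

console.log('^1.2.6 reaches fix:', canReachFix('^1.2.6'));  // false
console.log('^2.0.0 reaches fix:', canReachFix('^2.0.0'));  // true
console.log('1.2.7 vulnerable:', isVulnerable('1.2.7'));    // true
```

`canReachFix('^1.2.6')` is false because the caret range stops at `<2.0.0`, which is exactly what blocks a downstream Dependabot update; widening the declaration in EasyMDE's own package.json to `^2.0.0` (after testing the major bump) is what makes the fixed version reachable.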

Ionaru commented 3 years ago

Dependabot did open a PR for it 😉

I wanted to give it a couple of days because I was hoping they'd backport the security issue fix to a 1.x.x version, but this now seems unlikely to happen.

What I'm going to do: I'll merge the PR by dependabot (#298) into the main branch. It'll get pushed to the next tag so we can test if everything still works as expected. After a few days I'll release 2.13.1, does this sound ok?

valentijnscholten commented 3 years ago

Yes, certainly!

I could have sworn I checked the PR list before submitting, but maybe just the issue list. But Dependabot currently doesn't open a PR for marked in projects that depend on easymde. Anyway, no rush, good to hear it will be happening.