Closed valentijnscholten closed 3 years ago
Dependabot did open a PR for it 😉
I wanted to give it a couple of days because I was hoping they'd backport the security issue fix to a 1.x.x version, but this now seems unlikely to happen.
What I'm going to do: I'll merge the PR by dependabot (#298) into the main branch. It'll get pushed to the `next` tag so we can test if everything still works as expected. After a few days I'll release 2.13.1, does this sound ok?
Absolutely!
I could have sworn I checked the PR list before submitting, but maybe just the issue list. But dependabot currently doesn't open a PR for `marked` in projects that depend on easymde. Anyway, no rush, good to hear it will be happening.
The `marked` dependency is vulnerable to a DoS/ReDoS attack: https://github.com/advisories/GHSA-4r62-v4vq-hr96

Although I am not sure if this affects EasyMDE itself or its use cases, it would still be good to test/support/allow version 2.0.0 or higher of `marked`, which is the first version where this is fixed.

Currently `marked` seems "pinned" to `^1.2.6`, which prevents for example dependabot from updating it in projects using EasyMDE.
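The reason the `^1.2.6` range blocks the fix is caret semantics: `^1.2.6` admits `>=1.2.6 <2.0.0`, so the first patched release, `2.0.0`, is outside it and no updater working within the declared range can pick it up. The following is an added example, not code from EasyMDE or `marked`, that implements that range arithmetic for the few range shapes relevant here and uses it to audit a manifest against an advisory's patched version. The `samplePackageJson` object, the `example-lib` entry and the `advisories` table are constructed for the example; only the `marked` range and the `2.0.0` patched version come from the issue.

```javascript
// Added example (not EasyMDE/marked project code): minimal semver range
// evaluation sufficient to show why "^1.2.6" can never reach "2.0.0".

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 comparing two "major.minor.patch" strings.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Caret ranges allow changes that do not modify the leftmost non-zero
// component, so the exclusive upper bound bumps that component.
function caretUpperBound(base) {
  const [major, minor, patch] = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

// Supports exact "1.2.3", caret "^1.2.3", ">=1.2.3", and "||" unions.
// Other npm range syntax (tilde, hyphen ranges, x-ranges) is out of scope.
function satisfies(version, range) {
  return range.split('||').some((alt) => {
    const r = alt.trim();
    if (r.startsWith('^')) {
      const base = r.slice(1);
      return compareVersions(version, base) >= 0 &&
             compareVersions(version, caretUpperBound(base)) < 0;
    }
    if (r.startsWith('>=')) return compareVersions(version, r.slice(2)) >= 0;
    return compareVersions(version, r) === 0;
  });
}

// Constructed sample manifest: the marked range is the one quoted in the
// issue; "example-lib" is a hypothetical dependency with no advisory.
const samplePackageJson = {
  dependencies: { marked: '^1.2.6', 'example-lib': '^2.1.0' },
};

// Constructed advisory table: only the patched version from the issue is real.
const advisories = [
  { id: 'GHSA-4r62-v4vq-hr96', name: 'marked', patched: '2.0.0' },
];

// Lists dependencies whose declared range cannot admit the patched release,
// i.e. the cases where a range-respecting updater will never apply the fix.
function unreachablePatches(pkg, advs) {
  return advs
    .filter((a) => {
      const range = pkg.dependencies[a.name];
      return range !== undefined && !satisfies(a.patched, range);
    })
    .map((a) => ({ id: a.id, name: a.name, range: pkg.dependencies[a.name], patched: a.patched }));
}

// Candidate replacement ranges that would let the fix in.
const widened = '^1.2.6 || ^2.0.0';
const floor = '>=2.0.0';

console.log(unreachablePatches(samplePackageJson, advisories));
console.log(satisfies('2.0.0', widened), satisfies('2.0.0', floor));
```

Running it lists `marked` as the one dependency whose range excludes its fix, while both the widened union `^1.2.6 || ^2.0.0` and the plain floor `>=2.0.0` admit `2.0.0`; the union keeps existing 1.x consumers on a known-good range while letting updaters move to the patched major, which matches the issue's request to "allow version 2.0.0 or higher".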