SassDoc / sassdoc

Release the docs!
http://sassdoc.com
MIT License

Regular Expression Denial of Service in 'marked' dependency before 0.7.0 #543

Closed laurelstreng closed 4 years ago

laurelstreng commented 4 years ago

Greetings! I happened to run npm audit and ran into the following:

  Low             Regular Expression Denial of Service
  Package         marked
  Patched in      >=0.7.0
  Dependency of   sassdoc [dev]
  Path            sassdoc > sassdoc-theme-default > sassdoc-extras > marked
  More info       https://npmjs.com/advisories/1076

Looks like there's a new version 0.8.0 available for marked

pascalduez commented 4 years ago

Hi @laurelstreng,

thanks for reporting. Would you like to submit a PR to update it?

laurelstreng commented 4 years ago

@pascalduez - Whoops, didn't realize it was for sassdoc-extras. Submitted a PR to sassdoc-extras https://github.com/SassDoc/sassdoc-extras/pull/43

pascalduez commented 4 years ago

sassdoc-extras@3.0.0.

We are not ready to tackle a breaking change here, so just upgrade sassdoc-extras@3.0.0 locally.
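
The report above identifies `marked` by dependency path and patched version. The following added example (not code from this issue or from SassDoc) runs the same check over a dependency tree shaped like `npm ls --json` output. The helper names, the sample tree and every version number except the 0.7.0 threshold are constructed for illustration.

```javascript
// Added example: flags installs of a package below its patched version in an
// `npm ls --json` style tree. Sample tree and helper names are constructed.

// Parse "major.minor.patch"; prerelease/build suffixes are ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a sorts strictly before version b (numeric, not string).
function isBelow(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Return every install of `name` below `patched`, with the dependency path
// that pulls it in (same "a > b > c" form npm audit prints).
function findUnpatched(tree, name, patched, trail = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, dep];
    if (dep === name && info.version && isBelow(info.version, patched)) {
      hits.push({ path: path.join(' > '), version: info.version });
    }
    hits.push(...findUnpatched(info, name, patched, path));
  }
  return hits;
}

// Constructed tree mirroring the path in the report; '0.0.0' entries are
// placeholders, not the real versions of those packages.
function sampleTree(markedVersion) {
  const extras = { version: '0.0.0', dependencies: { marked: { version: markedVersion } } };
  const theme = { version: '0.0.0', dependencies: { 'sassdoc-extras': extras } };
  const sassdoc = { version: '0.0.0', dependencies: { 'sassdoc-theme-default': theme } };
  return { name: 'example-project', dependencies: { sassdoc } };
}

console.log(findUnpatched(sampleTree('0.6.2'), 'marked', '0.7.0')); // one hit
console.log(findUnpatched(sampleTree('0.8.0'), 'marked', '0.7.0')); // no hits
```

Against a real project, the output of `npm ls --json` can be parsed with `JSON.parse` and passed in place of the sample tree.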