Should resolve several Dependabot updates. I've omitted a few, but they're very low-risk.
ssri deep inside react-scripts refuses to update, and as it's a ReDoS issue and is only used very indirectly in a Webpack plugin (read: not run against external input of any kind), I don't see much of an issue here.
postcss also has a ReDoS issue, but once again, that's pretty much meaningless as we're not running it on input outside this repo. It amounts to 99% of the warnings within npm audit.
The react-markdown update was very non-trivial with two major versions worth of breaking changes, so I decided it'd be a better use of time to just replace it and its underlying remark parser with Marked, a much more stable parser (it's had no major breaking change in years), and just use that directly rather than going through a third party component. Also, DOMPurify just happened to already exist, so adding it as a dependency doesn't actually bloat the bundle any. I've tested the changes and have manually verified it works as desired, including ensuring that Swagger API descriptions are sanitized of scripting and other similarly dangerous stuff.
Also added a couple features:
GitHub Flavored Markdown is now supported
Headers in custom content fragments now include IDs prefixed with header-, so you can reference things like # Section Header via #header-section-header.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.