Security Vulnerabilities

[bennycode]

I installed docsify-cli v4.4.4 and got several security reports in my repo:

• Inefficient Regular Expression Complexity in marked: docsify-cli@4.4.4 requires marked@^1.2.9 via a transitive dependency on docsify@4.13.1 typedoc@0.24.8 requires marked@^4.3.0
• Got allows a redirect to a UNIX socket: docsify-cli@4.4.4 requires got@^9.6.0 via a transitive dependency on package-json@6.5.0
• Regular Expression Denial of Service (REDoS) in Marked: docsify-cli@4.4.4 requires marked@^1.2.9 via a transitive dependency on docsify@4.13.1 typedoc@0.24.8 requires marked@^4.3.0

[yonjans]

Same +1

[adamlui]

Same +1, for marked it now says "The earliest fixed version is 4.0.10."

For got "Got allows a redirect to a UNIX socket" the earliest fixed version is 11.8.5

[prabhu]

update-notifier is resulting in a got vulnerability. I honestly cannot understand why this CLI even needs an update notifier, or such extra fancy features as direct dependencies.

[erika9star]

The fixed version of update-notifier is incompatible with docsify-cli (ECMAscript vs vanilla JS). Removing update-notifier is probably the easiest way to eliminate the vulnerabilities.