docsifyjs / docsify

🃏 A magical documentation site generator.
https://docsify.js.org
MIT License
27.47k stars 5.67k forks

Expecting a new release from `develop` branch to resolve `marked` dependency vulnerabilities #2372

Closed somnathpathak closed 7 months ago

somnathpathak commented 7 months ago

Bug Report

Steps to reproduce

```
npm install docsify
npm audit
```

Current behaviour

Bump the marked devDependency to 4.2.12 in new release

Expected behaviour

Currently, marked is at 1.2.9, which results in the following vulnerabilities:

Other relevant information

Please create a reproducible sandbox

Mention the docsify version in which this bug was not present (if any)

develop branch. NOT YET RELEASED.

somnathpathak commented 7 months ago

@jhildenbiddle @QingWei-Li Could you please look into this?

trusktr commented 7 months ago

Hi, thanks for getting involved!

It's nice to be up to date with libraries, but if you had an issue with this, you can easily change the offending markup in your markdown.

It would be far more valuable to know what problem you specifically face, if anything, rather than just assuming that posting npm audit results is always meaningful.

We will release when ready.

In the meantime, if you have an actual problem with a piece of markdown, please open another issue.