esdoc / esdoc-plugins

MIT License

Security vulnerability in esdoc-publish-html-plugin using marked@0.3.19 #85

Open zachawilson opened 5 years ago

zachawilson commented 5 years ago

Both esdoc and esdoc-publish-html-plugin depend on 'marked', which has a security warning in the npm audit report.

Please upgrade to >=0.6.2 of marked to resolve this audit failure.

See: https://nodesecurity.io/advisories/812 for more information

npm audit --registry https://registry.npmjs.org

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Moderate        Regular Expression Denial of Service

  Package         marked

  Patched in      >=0.6.2

  Dependency of   esdoc [dev]

  Path            esdoc > marked

  More info       https://nodesecurity.io/advisories/812

  Moderate        Regular Expression Denial of Service

  Package         marked

  Patched in      >=0.6.2

  Dependency of   esdoc-standard-plugin [dev]

  Path            esdoc-standard-plugin > esdoc-publish-html-plugin > marked

  More info       https://nodesecurity.io/advisories/812

found 2 moderate severity vulnerabilities in 859520 scanned packages
  2 vulnerabilities require manual review. See the full report for details.
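As an added check (not part of this issue or the esdoc project), the Node script below walks a package-lock dependency tree and reports every path ending in a `marked` version below the patched `>=0.6.2` range from the audit above. The lock fragment is constructed to mirror the two reported paths; all versions other than `marked@0.3.19` are invented.

```javascript
// Added example: report dependency paths that still resolve to a marked
// release below the patched range (>=0.6.2, npm advisory 812).

// Minimal comparison for plain "MAJOR.MINOR.PATCH" strings; pre-release
// tags are not handled (the audit output only shows plain versions).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Recursively collect "a > b > pkg" paths (lockfileVersion 1 "dependencies"
// shape) whose leaf is `pkg` at a version below `patched`.
function findVulnerablePaths(deps, pkg, patched, prefix = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = [...prefix, name];
    if (name === pkg && compareVersions(meta.version, patched) < 0) {
      hits.push({ path: path.join(' > '), version: meta.version });
    }
    hits.push(...findVulnerablePaths(meta.dependencies, pkg, patched, path));
  }
  return hits;
}

// Constructed lock fragment: the two audit paths plus one already-patched
// consumer that must not be reported. Versions except marked@0.3.19 are made up.
const SAMPLE_LOCK = {
  dependencies: {
    esdoc: { version: '1.1.0', dependencies: { marked: { version: '0.3.19' } } },
    'esdoc-standard-plugin': {
      version: '1.0.0',
      dependencies: {
        'esdoc-publish-html-plugin': {
          version: '1.1.2',
          dependencies: { marked: { version: '0.3.19' } },
        },
      },
    },
    'other-tool': { version: '2.0.0', dependencies: { marked: { version: '0.7.0' } } },
  },
};

for (const hit of findVulnerablePaths(SAMPLE_LOCK.dependencies, 'marked', '0.6.2')) {
  console.log(`${hit.path} (marked@${hit.version})`);
}
```

Point `SAMPLE_LOCK` at a parsed real `package-lock.json` to check a project before and after the upgrade.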