esdoc / esdoc

ESDoc - Good Documentation for JavaScript
https://esdoc.org
MIT License

Update "marked" dependency due to security vulnerability #492

Closed amirmohsen closed 6 years ago

amirmohsen commented 6 years ago

I am using ESDoc to generate documentation for my library. GitHub has given me an alert about a security issue with one of my dependencies, marked, which is in fact a dependency of esdoc. Here's the result of running npm ls marked on my library:

+-- esdoc@1.0.4
| `-- marked@0.3.6
`-- esdoc-standard-plugin@1.0.0
  `-- esdoc-publish-html-plugin@1.1.0
    `-- marked@0.3.6  deduped

As you can see, both core and at least one of the plugins depend on it. Could you please upgrade marked to its latest version to address this security issue?
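One way to automate the check this comment does by hand, as an added example that is not part of the issue or of the esdoc project: walk the object that `npm ls --json` prints, and list every dependency path that ends at a named package below a version floor. The tree, the `my-library` root name and the `0.3.7` floor are constructed placeholders (the real fixed version comes from the advisory).

```javascript
// Added example (not esdoc project code). Walks the object form of
// `npm ls --json` and lists every dependency path that ends at a given
// package whose version is older than a caller-supplied floor.
// SAMPLE_TREE is constructed to mirror the `npm ls marked` output above.
const SAMPLE_TREE = {
  name: 'my-library', version: '1.0.0',
  dependencies: {
    esdoc: { version: '1.0.4', dependencies: { marked: { version: '0.3.6' } } },
    'esdoc-standard-plugin': {
      version: '1.0.0',
      dependencies: {
        'esdoc-publish-html-plugin': {
          version: '1.1.0', dependencies: { marked: { version: '0.3.6' } },
        },
      },
    },
  },
};

// Numeric compare of "major.minor.patch" strings; returns -1, 0 or 1.
// Pre-release suffixes (e.g. "-beta.1") are stripped before comparing.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every root-to-package path (as "name@version" strings) where the
// installed version of `pkgName` is below `minSafeVersion`.
function findVulnerablePaths(tree, pkgName, minSafeVersion) {
  const hits = [];
  const walk = (name, node, path) => {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkgName && compareVersions(node.version, minSafeVersion) < 0) {
      hits.push(here);
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(dep, child, here);
    }
  };
  walk(tree.name, tree, []);
  return hits;
}
// '0.3.7' is a placeholder floor, not the advisory's real fixed version.
findVulnerablePaths(SAMPLE_TREE, 'marked', '0.3.7')
  .forEach((p) => console.log(p.join(' > ')));
```

To run it against a real project, replace SAMPLE_TREE with `JSON.parse` of the `npm ls --json` output; both paths from the comment (via esdoc and via the two plugins) are reported, which is why fixing only the core package would not be enough.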

teppeis commented 6 years ago

Why are all dependencies locked? https://github.com/esdoc/esdoc/commit/86cf2206f7b53b599091573f888b8403635d96ca

amirmohsen commented 6 years ago

That's a good point. If your dependencies follow semver, you shouldn't have to lock them like that.

pixelass commented 6 years ago

reported here too: https://github.com/esdoc/esdoc-plugins/issues/50