Hi,
We recently undertook the task of upgrading our Vue 2 codebase to Vue 3. During this process, we encountered a high severity vulnerability when performing an npm update. The specific error is related to the "marked" package, and the details are as follows:
Here is the error:

```
marked  <=4.0.9
Severity: high
Marked ReDoS due to email addresses being evaluated in quadratic time - https://github.com/advisories/GHSA-xf5p-87ch-gxw2
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
```
Upon further investigation, we discovered that this vulnerability is tied to the "vueditor" package, specifically when the version of "marked" is at 12.0.1. The dependency chain looks like this:
```
$ npm list marked
+-- marked@12.0.1
`-- vueditor@0.3.1
  `-- marked@0.3.19
```

To mitigate this issue, we found that removing the "vueditor" package resolves the vulnerability. However, we would like to continue using the "vueditor" package while ensuring compatibility with Vue 3.
We kindly request that you consider upgrading the "marked" version in the "vueditor" package to a version that is both secure and compatible with Vue 3.
Thanks,
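The dependency chain above is the reason `npm audit` still reports the advisory even though the top-level `marked` is at 12.0.1: the nested copy under `vueditor` is the one inside the affected range (`<=4.0.9`). The following is an added example, not code from the issue or from the vueditor project, that walks the JSON form of `npm ls` output and reports every path that resolves to an affected version. The `sampleNpmLs` tree is constructed to mirror the chain shown in the issue; the `ADVISORY` range is taken from the audit output quoted above.

```javascript
// Added example (not part of the original issue): find every resolution path
// in an `npm ls --json` tree that lands on an affected version of a package.
// `sampleNpmLs` is constructed to mirror the chain reported in the issue.
const sampleNpmLs = {
  name: "example-app",
  dependencies: {
    marked: { version: "12.0.1" },
    vueditor: {
      version: "0.3.1",
      dependencies: {
        marked: { version: "0.3.19" },
      },
    },
  },
};

// Affected range from the quoted audit output: marked <=4.0.9.
const ADVISORY = { name: "marked", maxAffected: "4.0.9" };

// Parse "major.minor.patch" into numbers; prerelease/build suffixes are ignored
// because the advisory range here is a plain release upper bound.
function parseVersion(v) {
  const [core] = String(v).split(/[-+]/);
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}

// Returns -1, 0 or 1 like a comparator, comparing major, then minor, then patch.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the nested `dependencies` objects that `npm ls --json`
// emits. Every hit is reported as the full path from the root, so the reader
// can see which direct dependency pulls in the affected copy.
function findVulnerable(tree, advisory = ADVISORY) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${dep.version}`];
      if (
        name === advisory.name &&
        compareVersions(dep.version, advisory.maxAffected) <= 0
      ) {
        hits.push(here.join(" > "));
      }
      walk(dep, here);
    }
  };
  walk(tree, []);
  return hits;
}

console.log(findVulnerable(sampleNpmLs));
// prints [ 'vueditor@0.3.1 > marked@0.3.19' ]
```

To run the check against a real project instead of the constructed sample, replace `sampleNpmLs` with `JSON.parse` of the output of `npm ls marked --json --all`; the walk is the same. An empty result means no copy of `marked` in the tree falls inside the advisory range, which is the condition a project owner would want to reach before closing the audit finding.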