iamacup / react-native-markdown-display

React Native 100% compatible CommonMark renderer
MIT License

deps: Update `markdown-it` to fix vulnerability warnings #204

Open mthahzan opened 6 months ago

mthahzan commented 6 months ago

As shown in #202, markdown-it v10.x.x includes certain vulnerabilities which were fixed in subsequent versions. This updates the dependency to fix these vulnerabilities.

sainjay commented 4 months ago

@iamacup @miallo @RonRadtke kindly merge so that the Snyk vulnerability can be resolved: https://security.snyk.io/vuln/SNYK-JS-MARKDOWNIT-6483324?_gl=1%2a1l4vawo%2a_ga%2aMTkzNjU3NTQyNC4xNjg3MzYxMzIx%2a_ga_X9SH3KP7B4%2aMTcxMTQ3MTc1OS42Ni4xLjE3MTE0NzE3NzUuMC4wLjA.

lernerb commented 4 months ago

@iamacup Can we please fix this security vulnerability for the community?

david-gettins commented 4 months ago

@mthahzan there is an update to the @types/markdown-it also. Currently it is at 14.0.1 which you haven't included in this PR.

mthahzan commented 4 months ago

@david-gettins thanks! PR Updated.

Also, I noticed the latest version of markdown-it is 14.1.0 now. Didn't have the time to test it out to see if it works or not. If someone can verify, I can bump the version of that as well.

lautenschlager-dev commented 3 months ago

Any plans when this will be merged?

sainjay commented 3 months ago

This vulnerability is still there. Kindly get this merged, otherwise we'll have to migrate to a different library.

david-gettins commented 3 months ago

If like myself you would like a temporary workaround for the audit issues you can use force-resolutions to force the fixed version of markdown-it. Just beware there may be compatibility issues, but I haven't come across any yet.

Of course, you can always look for an alternative library. If you find one, please let us all know. I would prefer not to use the forced resolution.

sobrinho commented 1 month ago

@iamacup ping

javigutierrezfer commented 2 weeks ago

Is there any update on this?? @iamacup

sainjay commented 2 weeks ago

@javigutierrezfer i use bun and fixed it by setting the patch version in overrides

"overrides": { "markdown-it": "14.0.0" }

Didn't notice any issues.
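The two workarounds above (force-resolutions, and `overrides` in package.json) only help if the pin is actually honoured by the installed tree. Below is an added example, not code from this PR or from react-native-markdown-display, that checks both: it looks for a pin in npm/bun `overrides` or yarn `resolutions`, compares it against a minimum version, and confirms that the copy in `node_modules` matches. The minimum 14.0.0 is taken from the override in the comment above; the package.json objects are constructed sample data, and `auditFromDisk` is a hypothetical helper for running the same check against a real project directory.

```javascript
// Added example: verify that a markdown-it override is present in package.json
// and that the installed copy meets a minimum version. Sample data below is
// constructed; this is not code from the react-native-markdown-display project.

// Minimum version assumed from the override used in the thread (14.0.0).
const MIN_MARKDOWN_IT = "14.0.0";

// Parse "major.minor.patch" into numbers, tolerating a leading ^, ~, = or v and
// ignoring any pre-release/build suffix. Throws on anything else.
function parseSemver(version) {
  const m = /^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Comparator on major.minor.patch: negative, zero or positive.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Find the pinned version for `name` in npm/bun `overrides` or yarn `resolutions`.
function pinnedVersion(pkg, name) {
  for (const section of [pkg.overrides, pkg.resolutions]) {
    if (section && typeof section[name] === "string") return section[name];
  }
  return null;
}

// Audit one dependency: is there a pin, does the pin meet the floor, and does the
// installed copy (node_modules/<name>/package.json) meet the floor and match the pin?
function auditDependency(rootPkg, installedPkg, name, minVersion) {
  const pin = pinnedVersion(rootPkg, name);
  const installed = installedPkg ? installedPkg.version : null;
  const problems = [];

  if (!pin) {
    problems.push(`no override/resolution for ${name}`);
  } else if (compareSemver(pin, minVersion) < 0) {
    problems.push(`pin ${pin} is below ${minVersion}`);
  }

  if (!installed) {
    problems.push(`${name} is not installed`);
  } else if (compareSemver(installed, minVersion) < 0) {
    problems.push(`installed ${installed} is below ${minVersion}`);
  } else if (pin && compareSemver(installed, pin) !== 0) {
    problems.push(`installed ${installed} does not match pin ${pin}; reinstall`);
  }

  return { ok: problems.length === 0, pin, installed, problems };
}

// Hypothetical helper: run the audit against a real project directory.
// Reads <rootDir>/package.json and <rootDir>/node_modules/markdown-it/package.json.
function auditFromDisk(rootDir, name = "markdown-it", minVersion = MIN_MARKDOWN_IT) {
  const fs = require("fs");
  const path = require("path");
  const readJson = (p) => (fs.existsSync(p) ? JSON.parse(fs.readFileSync(p, "utf8")) : null);
  const rootPkg = readJson(path.join(rootDir, "package.json")) || {};
  const installedPkg = readJson(path.join(rootDir, "node_modules", name, "package.json"));
  return auditDependency(rootPkg, installedPkg, name, minVersion);
}

// Constructed sample package.json contents (not real project files).
const SAMPLE_ROOT_PINNED = { name: "app", overrides: { "markdown-it": "14.0.0" } };
const SAMPLE_ROOT_UNPINNED = { name: "app" };
const SAMPLE_INSTALLED_OLD = { name: "markdown-it", version: "10.0.0" };
const SAMPLE_INSTALLED_NEW = { name: "markdown-it", version: "14.0.0" };

// Walk through the sample cases; the last one is what a correct workaround looks like.
for (const [root, installed] of [
  [SAMPLE_ROOT_UNPINNED, SAMPLE_INSTALLED_OLD],
  [SAMPLE_ROOT_PINNED, SAMPLE_INSTALLED_OLD],
  [SAMPLE_ROOT_PINNED, SAMPLE_INSTALLED_NEW],
]) {
  console.log(JSON.stringify(auditDependency(root, installed, "markdown-it", MIN_MARKDOWN_IT)));
}

module.exports = { MIN_MARKDOWN_IT, parseSemver, compareSemver, pinnedVersion, auditDependency, auditFromDisk };
```

The "installed does not match pin" case is the one worth watching: an override added to package.json without a fresh install leaves the old lockfile and `node_modules` in place, so an audit that only reads package.json would report the problem as fixed.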

sergioisidoro commented 1 day ago

I'm also getting some upstream issues with markdown-it. Updating this dep might be helpful: https://github.com/markdown-it/markdown-it/issues/958 (see the linked issue inside, referring to the release of entities and the update of that dependency)