jonschlinkert / markdown-toc

API and CLI for generating a markdown TOC (table of contents) for a README or any markdown files. Uses Remarkable to parse markdown. Used by NASA/openmct, Prisma, Joi, Mocha, Sass, Prettier, Orbit DB, FormatJS, Raneto, hapijs/code, webpack-flow, docusaurus, release-it, ts-loader, json-server, reactfire, bunyan, husky, react-easy-state, react-snap, chakra-ui, carbon, alfresco, repolinter, Assemble, Verb, and thousands of other projects.
https://github.com/jonschlinkert
MIT License

Remarkable Dependency Vulnerability #156

Open KarinBlanford opened 4 years ago

KarinBlanford commented 4 years ago

The dependency Remarkable has been updated to use autolinker v3.0.0+ as there was a DoS vulnerability in autolinker v0.28.1 (https://snyk.io/vuln/SNYK-JS-AUTOLINKER-73494).

Updating Remarkable to v2.0.0+ will resolve the issue.

Old - https://github.com/jonschlinkert/remarkable/blob/v1.7.4/package.json#L66
New - https://github.com/jonschlinkert/remarkable/blob/v2.0.0/package.json#L81

Currently unable to install markdown-toc due to older version of autolinker being quarantined on corporate npm registry.

ramonpetgrave64 commented 3 months ago

For those still affected, I've been able to get around this by adding an override to my package.json. deps.dev was a huge help in figuring out the dependency chain and that versions higher than autolinker>=0.2.1 are not vulnerable, but v4.0.0 seems to work fine for me. I even cloned the markdown-toc repo, added this fix, and ran its tests. They pass!

```json
"overrides": {
  "autolinker": ">= 4.0.0 ^4.0.0"
}
```

I have a pending fix here https://github.com/jonschlinkert/markdown-toc/pull/195. @KarinBlanford, @jonschlinkert, @doowb
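To confirm whether an override like the one above actually took effect, the resolved versions in the lockfile are what matter, not the ranges in package.json. The script below is an added example (not code from this issue or from the markdown-toc project): it walks the `packages` map of a package-lock v2/v3 file and reports every installed copy of a named dependency whose version is below the fixed version. The lockfile it scans is a constructed, trimmed sample modelled on the markdown-toc -> remarkable 1.7.4 -> autolinker 0.28.1 chain discussed in the thread.

```javascript
// Added example: find transitive installs of a package below a fixed version.
// FIXED_AUTOLINKER follows the issue's statement that autolinker v3.0.0+ fixed the DoS.
const FIXED_AUTOLINKER = "3.0.0";

// Split "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts; pre-release tags are ignored.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// Return -1, 0 or 1 for a < b, a == b, a > b (numeric, field by field).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile's "packages" map (lockfileVersion 2/3 layout) and report each
// resolved copy of `name`, hoisted or nested, whose version is below `fixed`.
function findVulnerable(lock, name, fixed) {
  const hits = [];
  for (const [key, pkg] of Object.entries(lock.packages || {})) {
    if (!key.endsWith("node_modules/" + name)) continue;
    if (compareVersions(pkg.version, fixed) < 0) {
      hits.push({ path: key, version: pkg.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project's lock): the dependency chain from the issue.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "markdown-toc": "^1.2.0" } },
    "node_modules/markdown-toc": { version: "1.2.0", dependencies: { remarkable: "^1.7.1" } },
    "node_modules/remarkable": { version: "1.7.4", dependencies: { autolinker: "~0.28.0" } },
    "node_modules/autolinker": { version: "0.28.1" },
  },
};

// With the override applied and `npm install` re-run, the same scan should return [].
console.log(findVulnerable(sampleLock, "autolinker", FIXED_AUTOLINKER));
// → [ { path: 'node_modules/autolinker', version: '0.28.1' } ]
```

Run it against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result means no copy of autolinker below 3.0.0 is installed anywhere in the tree.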