Closed kgrubb closed 5 years ago
jsdoc2md is a command-line tool for use in private context not a public-facing, always-on service exposed to potential attack. Its output is plain text. Security advisories do not apply.
@75lb, What concerns do you have by merging this? I mean, isn't it just as easy to click the merge button as it is to click the 'close ticket' button? Are you afraid this merge will break something?
Why not shift your burden of proof? It sounds like you are placing the burden on @kgrubb and others to prove how the security warnings above can be exploited. That attitude has proven problematic in the past. For example: https://justi.cz/security/2019/01/22/apt-rce.html . In that example, people were always saying "non-encrypted http is ok in this context because ..." -- but then it literally turned out to not be ok. Someone found a way for remote code execution, and because http wasn't encrypted, the exploit was possible.
While I don't disagree with your conclusions, it takes zero effort (IMO) to accept a PR that adopts a better security philosophy.
> Are you afraid this merge will break something?

It does break something. The PR upgrades marked from ^0.3.16 to ^0.6.2, an upgrade which introduces many breaking changes: https://github.com/markedjs/marked/releases
jsdoc2md is a disconnected, short-lived, text-in-text-out processing tool - it presents absolutely zero security risk.
yeah, very fair point. I forgot that semver 0.x.x is always considered unstable, so any change can be breaking.
Makes sense, sounds like the real problem is npm audit in my personal use-case. It checks dev dependencies, which don't really matter for a production build. Thanks for clarifying the stance for jsdoc2md deps. :+1:
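The point about the `^0.3.16` to `^0.6.2` bump and 0.x semver being unstable is easy to check mechanically. The following is an added example, not code from jsdoc2md, marked, or anyone in this thread: a small hand-rolled implementation of npm's caret-range rule (the leftmost non-zero component is the one a `^` range freezes), used to show that `^0.3.16` never admitted 0.6.2, while the same bump on a 1.x line would not be breaking. The function names (`satisfiesCaret`, `isBreakingBump`) are this example's own; real tooling should use the `semver` package, which implements the full range grammar.

```javascript
// Added example: caret (^) range semantics as npm applies them, written to
// illustrate why "^0.3.16" does not cover marked 0.6.2. Not project code.

// Parse "MAJOR.MINOR.PATCH" into numbers. Pre-release tags are out of scope here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Negative if a < b, zero if equal, positive if a > b.
function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Exclusive upper bound of a caret range, per npm's rules:
//   ^1.2.3 -> <2.0.0   (leftmost non-zero component is major)
//   ^0.2.3 -> <0.3.0   (major is 0, so a minor bump is the breaking change)
//   ^0.0.3 -> <0.0.4   (major and minor are 0, so only that exact patch)
function caretUpperBound(base) {
  if (base.major > 0) return { major: base.major + 1, minor: 0, patch: 0 };
  if (base.minor > 0) return { major: 0, minor: base.minor + 1, patch: 0 };
  return { major: 0, minor: 0, patch: base.patch + 1 };
}

// Does `version` satisfy the caret range `range` (e.g. "^0.3.16")?
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`expected a caret range: ${range}`);
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compare(v, base) >= 0 && compare(v, caretUpperBound(base)) < 0;
}

// A dependency bump is "breaking" in the sense used in this thread when the
// new range's base version was never installable under the old range.
function isBreakingBump(oldRange, newRange) {
  if (!newRange.startsWith('^')) throw new Error(`expected a caret range: ${newRange}`);
  return !satisfiesCaret(oldRange, newRange.slice(1));
}

// Stand-alone demonstration using the ranges quoted in the thread.
console.log('^0.3.16 allows 0.6.2?', satisfiesCaret('^0.3.16', '0.6.2'));   // false
console.log('^1.3.16 allows 1.6.2?', satisfiesCaret('^1.3.16', '1.6.2'));   // true
console.log('^0.3.16 -> ^0.6.2 breaking?', isBreakingBump('^0.3.16', '^0.6.2')); // true
```

The same rule is why `npm audit fix` will not silently apply this kind of upgrade: the advisory's fixed version lies outside the declared range, so resolving it requires editing package.json, which is exactly the change this PR proposes.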
This is just a quick update to account for the following vulnerabilities: https://npmjs.com/advisories/755 https://npmjs.com/advisories/812 https://npmjs.com/advisories/612