microsoft / frontend-bootcamp

Frontend Workshop from HTML/CSS/JS to TypeScript/React/Redux
https://microsoft.github.io/frontend-bootcamp/
Creative Commons Attribution 4.0 International

[Security] Bump marked from 0.6.1 to 1.1.1 #218

Closed dependabot-preview[bot] closed 2 years ago

dependabot-preview[bot] commented 4 years ago

Bumps marked from 0.6.1 to 1.1.1.

Release notes

Sourced from marked's releases.

1.1.1

Fixes

  • Fix image links with escaped brackets #1683
  • Fix async highlight not async #1685
  • Fix ordered lists that use ) delimiter #1704
  • Pass many more Em and Strong tests #1686 (Thanks @calculuschild)

Docs

  • Add favicon #1710
  • Decode hash #1712
  • Clarify level of support for Markdown flavors #1720
  • Fix quick ref #1729

Scripts

  • Add npm run rules #1726

1.1.0

Features

  • Add walkTokens option #1664

Fixes

  • Fix renderer.code includes space at beginning of each line of code #1645
  • Fix codespan newline #1652
  • Fix comma after underscore emphasis #1660
  • Fix loose task list with no tokens #1674
  • Add browser field in package.json pointing to es5 output #1661
  • Add newline to rendered code with language #1670
  • Fix async highlighter walking all tokens #1664

Docs

  • Add tokenizer to option docs #1662

1.0.0

Breaking changes

  • Add inline tokens to marked.lexer output #1627
  • Treat escape token same way as plain text tokens #1642
  • Add Tokenizer to allow extending token creation #1637

Features

  • Add marked.use() method to extend options #1646

Fixes

  • Fix intra-word emphasis can match the wrong asterisks #1636

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
  • `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)
dependabot-preview[bot] commented 4 years ago

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Regular Expression Denial of Service in marked Affected versions of marked are vulnerable to Regular Expression Denial of Service (ReDoS). The _label subrule may significantly degrade parsing performance of malformed input.

Recommendation

Upgrade to version 0.7.0 or later.

Affected versions: [">= 0.4.0 < 0.7.0"]
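The advisory above gives the affected range as `>= 0.4.0 < 0.7.0`, and a Dependabot PR only tells you about the copy of `marked` it happens to be bumping. The following is an added example, not code from this PR, from Dependabot or from the marked project, showing how to check every `marked` pinned in a lockfile (direct and nested) against that range. It assumes an npm `lockfileVersion: 1` tree with a `dependencies` map; `SAMPLE_LOCK`, `parseVersion`, `satisfies` and `findAffected` are names chosen for this example, and the sample lockfile is constructed, not the repository's real one.

```javascript
// Added example (not from the PR, Dependabot or marked): find every copy of a
// package in an npm v1 lockfile whose version falls inside an advisory range.

// Affected range copied verbatim from the advisory quoted above.
const ADVISORY_RANGE = ">= 0.4.0 < 0.7.0";

// Parse "1.2.3" or "v1.2.3-beta.1" into a comparable record.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Simplified semver ordering: numeric tuple first, then a prerelease sorts
// below the corresponding release (npm's prerelease-exclusion rule is not modelled).
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Parse a space-separated comparator set such as ">= 0.4.0 < 0.7.0".
// All clauses must hold for the range to match (an AND, as in the advisory).
function parseRange(range) {
  const re = /(>=|<=|>|<|=)\s*(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)/g;
  const clauses = [];
  let m;
  while ((m = re.exec(range)) !== null) {
    clauses.push({ op: m[1], bound: parseVersion(m[2]) });
  }
  if (clauses.length === 0) throw new Error(`no comparators in range: ${range}`);
  return clauses;
}

function satisfies(version, range) {
  const v = parseVersion(version);
  return parseRange(range).every(({ op, bound }) => {
    const c = compareVersions(v, bound);
    switch (op) {
      case ">=": return c >= 0;
      case "<=": return c <= 0;
      case ">":  return c > 0;
      case "<":  return c < 0;
      default:   return c === 0; // "="
    }
  });
}

// Walk a lockfileVersion 1 "dependencies" tree and return the path to every
// copy of `name` whose version is inside `range`. Nested copies matter: a
// fixed top-level `marked` does not help if a tool still bundles 0.6.x.
function findAffected(lockfile, name, range) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = [...path, `${dep}@${info.version}`];
      if (dep === name && satisfies(info.version, range)) hits.push(here.join(" > "));
      walk(info.dependencies, here);
    }
  };
  walk(lockfile.dependencies, []);
  return hits;
}

// Constructed sample lockfile (assumption: not the real frontend-bootcamp lockfile).
// One direct `marked` at the version this PR bumps from, and one nested copy
// that already sits at the advisory's recommended minimum.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    marked: { version: "0.6.1" },
    "some-docs-tool": {
      version: "2.0.0",
      dependencies: { marked: { version: "0.7.0" } },
    },
  },
};

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(findAffected(SAMPLE_LOCK, "marked", ADVISORY_RANGE));
}
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result means the bump in this PR is not enough on its own and the nested copy needs its own update (or an `npm dedupe`). Only the range in the advisory is checked, so a version that is newer than 0.7.0 is reported as clean regardless of any later advisories.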