cloudflare-workers-and-pages[bot]
commented
2 years ago Closed renovate[bot] closed 2 years ago
cloudflare-workers-and-pages[bot]
commented
2 years ago 
netlify[bot]
commented
2 years ago | Name | Link |
|---|---|
| Latest commit | 283f3924d1a8a02f67c85988264470a95ea9549a |
| Latest deploy log | https://app.netlify.com/sites/blog-katio-net/deploys/628ba4a64972f500074cbd4b |
renovate[bot]
commented
2 years ago Because you closed this PR without merging, Renovate will ignore this update (^0.8.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates:
^0.7.0->^0.8.0GitHub Vulnerability Alerts
CVE-2022-21680
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression
block.defmay cause catastrophic backtracking against some strings. PoC is the following.Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
CVE-2022-21681
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression
inline.reflinkSearchmay cause catastrophic backtracking against some strings. PoC is the following.Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
Release Notes
markedjs/marked
### [`v0.8.2`](https://togithub.com/markedjs/marked/releases/tag/v0.8.2) [Compare Source](https://togithub.com/markedjs/marked/compare/v0.8.1...v0.8.2) #### Fixes - Add html to TextRenderer for html in headings [#1622](https://togithub.com/markedjs/marked/issues/1622) - Remove html tags in heading ids [#1622](https://togithub.com/markedjs/marked/issues/1622) #### Docs - Update comment about GitHub breaks [#1620](https://togithub.com/markedjs/marked/issues/1620) ### [`v0.8.1`](https://togithub.com/markedjs/marked/releases/tag/v0.8.1) [Compare Source](https://togithub.com/markedjs/marked/compare/v0.8.0...v0.8.1) #### Fixes - Fix `marked --help` [#1588](https://togithub.com/markedjs/marked/issues/1588) - Fix GFM Example 116 code fences [#1600](https://togithub.com/markedjs/marked/issues/1600) - Send inline html to renderer [#1602](https://togithub.com/markedjs/marked/issues/1602) (fixes [#1601](https://togithub.com/markedjs/marked/issues/1601)) - Improve docs example for invoking highlight.js [#1603](https://togithub.com/markedjs/marked/issues/1603) - Fix block-level elements breaking tables [#1598](https://togithub.com/markedjs/marked/issues/1598) (fixes [#1467](https://togithub.com/markedjs/marked/issues/1467)) - break nptables on block-level structures [#1617](https://togithub.com/markedjs/marked/issues/1617) ### [`v0.8.0`](https://togithub.com/markedjs/marked/releases/tag/v0.8.0) [Compare Source](https://togithub.com/markedjs/marked/compare/v0.7.0...v0.8.0) #### Breaking changes - Remove substitutions [#1532](https://togithub.com/markedjs/marked/issues/1532) - Separate source into modules [#1563](https://togithub.com/markedjs/marked/issues/1563) [#1572](https://togithub.com/markedjs/marked/issues/1572) [#1573](https://togithub.com/markedjs/marked/issues/1573) [#1575](https://togithub.com/markedjs/marked/issues/1575) [#1576](https://togithub.com/markedjs/marked/issues/1576) [#1581](https://togithub.com/markedjs/marked/issues/1581) #### Fixes - Fix relative urls in `baseUrl` option [#1526](https://togithub.com/markedjs/marked/issues/1526) - Loose task list [#1535](https://togithub.com/markedjs/marked/issues/1535) - Fix image parentheses [#1557](https://togithub.com/markedjs/marked/issues/1557) - remove module field & update devDependencies [#1581](https://togithub.com/markedjs/marked/issues/1581) #### Docs - Update examples with es6+ [#1521](https://togithub.com/markedjs/marked/issues/1521) - Fix link to USING_PRO.md page [#1552](https://togithub.com/markedjs/marked/issues/1552) - Fix typo in USING_ADVANCED.md [#1558](https://togithub.com/markedjs/marked/issues/1558) - Node worker threads are stable [#1555](https://togithub.com/markedjs/marked/issues/1555) #### Dev Dependencies - Update deps [#1516](https://togithub.com/markedjs/marked/issues/1516) - Update eslint [#1542](https://togithub.com/markedjs/marked/issues/1542) - Update htmldiffer async matcher [#1543](https://togithub.com/markedjs/marked/issues/1543)Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.