xiaofuzi / rollup-plugin-md

a markdown rollup plugin.

dependencies out of date (throw security warning) #4

Open dhrp opened 4 years ago

dhrp commented 4 years ago

Thanks for providing this plugin.

It looks as if it's a bit out of date, but easy to fix.

                      === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ rollup-plugin-md                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ rollup-plugin-md > marked                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/812                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 2248 scanned packages
  1 vulnerability requires manual review. See the full report for details.
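The audit above reports `marked` as patched in `>=0.6.2`. As an added example (not code from rollup-plugin-md or from anyone in this thread), the script below reads an `npm audit --json` report in the npm 6 layout, compares each finding's version with the advisory's `patched_versions`, and lists what is still unresolved, so a dependency bump can be verified; the report object is a constructed sample that mirrors the table in the issue, and the `0.3.19` version in it is made up.

```javascript
// Added example: check an npm 6 `npm audit --json` report against each
// advisory's patched range. The report below is constructed by hand to mirror
// the table in the issue; the found version "0.3.19" is a sample value.
const sampleAudit = {
  advisories: {
    "812": {
      id: 812,
      module_name: "marked",
      severity: "moderate",
      title: "Regular Expression Denial of Service",
      patched_versions: ">=0.6.2",
      url: "https://npmjs.com/advisories/812",
      findings: [{ version: "0.3.19", paths: ["rollup-plugin-md>marked"] }],
    },
  },
};

// Compare two dotted versions numerically; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Handles the plain ">=x.y.z" ranges npm prints under "Patched in"; any other
// shape (for example "<0.0.0", which npm uses for "no fix available") counts
// as unpatched so it is never silently marked as resolved.
function isPatched(version, range) {
  const m = /^>=\s*(\d+(?:\.\d+){0,2})$/.exec(range.trim());
  if (!m) return false;
  return compareVersions(version, m[1]) >= 0;
}

// Return every advisory whose found version is still below the patched range.
function unresolvedAdvisories(report) {
  const out = [];
  for (const adv of Object.values(report.advisories)) {
    for (const f of adv.findings) {
      if (isPatched(f.version, adv.patched_versions)) continue;
      out.push({ id: adv.id, module: adv.module_name, severity: adv.severity,
                 found: f.version, patched: adv.patched_versions, paths: f.paths });
    }
  }
  return out;
}

console.log(unresolvedAdvisories(sampleAudit));
```

Run it against a real report with `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync("audit.json"))` in place of `sampleAudit`; an empty array means every finding is at or above its patched version.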

BobKerns commented 3 years ago

I have submitted pull request #6 which addresses this and other things.

I am planning to publish a temporary fork of it as @rwk/rollup-plugin-md, but it's not really worth switching if @xiaofuzi will update. He seems to be active on other projects on GitHub. This doesn't present any actual security issue in the context of this plugin.