@541xxx 541xxx commented Jun 5, 2019

Summary
Upgrade marked
Resolved #722
Related Marked #1466

What kind of change does this PR introduce? (check at least one)

  • Bugfix
  • Feature
  • Code style update
  • Refactor
  • Docs
  • Build-related changes
  • Other, please describe:

If changing the UI of default theme, please provide the before/after screenshot:

Does this PR introduce a breaking change? (check one)

  • Yes
  • No

If yes, please describe the impact and migration path for existing applications:

  1. Drop support for Node v0.10 and old browsers such as Internet Explorer
     You should not have any problems if using Node 4+ or a modern browser
  2. Add parameter slugger to Renderer.prototype.heading method #1401
     You should not have any problems if you do not override this method

The PR fulfills these requirements:

  • When resolving a specific issue, it's referenced in the PR's title (e.g. fix #xxx[,#xxx], where "xxx" is the issue number)

@541xxx 541xxx changed the title feat: Upgrade marked feat: upgrade marked Jun 6, 2019
andywhite37 commented Jun 12, 2019

Bumping this PR, as it also fixes a security alert that we just started getting for marked (which comes in as a dependency of docsify).

WS-2019-0024
moderate severity
Vulnerable versions: >= 0.5.0, < 0.6.1
Patched version: 0.6.1

A flaw was found in nodejs-marked versions from 0.5.0 to before 0.6.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Input to the host variable is vulnerable when input contains parenthesis in link URIs, coupled with a high number of link tokens in a single line.

},
"dependencies": {
"marked": "^0.5.1",
"marked": "^0.6.2",
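
Review bot: the new range "^0.6.2" on the "marked" line is a caret range on a 0.x version, so it only admits 0.6.x releases at or above 0.6.2. A fix that ships in a later 0.x minor will not be picked up without editing this line again, so it is worth confirming that 0.6.x is the intended ceiling before merging. The PR description also lists a breaking change (dropped Node v0.10 and old-browser support); consider calling that out in the release notes alongside this bump.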
might make more sense to go to 0.7.0 because I am seeing this:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.7.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ docsify-cli [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ docsify-cli > docsify > marked                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1076  
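
Why the bump to `^0.6.2` clears WS-2019-0024 but still trips the advisory patched in 0.7.0, as an added example (not code from docsify or marked): it applies npm's caret-range rule for 0.x versions to the version strings quoted in this thread. The function names, the `^0.7.0` range and the unknown lower bound for advisory 1076 are assumptions of the example.

```javascript
// Added example. Version strings come from this thread; names are illustrative.
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};

// npm caret ranges keep the left-most non-zero component fixed, so on a 0.x
// package "^0.6.2" means >=0.6.2 <0.7.0 (not <1.0.0).
function caretBounds(range) {
  const lower = parse(range.replace(/^\^/, ''));
  const [major, minor, patch] = lower;
  const upper = major > 0 ? [major + 1, 0, 0]
    : minor > 0 ? [0, minor + 1, 0]
    : [0, 0, patch + 1];
  return { lower, upper }; // lower inclusive, upper exclusive
}

// "clear":   no version the range admits is affected
// "partial": the range admits patched versions, but also unpatched ones
// "stuck":   the range cannot resolve to a patched version
function classify(range, advisory) {
  const { lower, upper } = caretBounds(range);
  const patched = parse(advisory.patched);
  // Whole range sits below the first affected version.
  if (advisory.introduced && cmp(upper, parse(advisory.introduced)) <= 0) return 'clear';
  if (cmp(lower, patched) >= 0) return 'clear';
  return cmp(upper, patched) <= 0 ? 'stuck' : 'partial';
}

const advisories = [
  { id: 'WS-2019-0024', introduced: '0.5.0', patched: '0.6.1' },
  // The thread only gives "Patched in >=0.7.0" here; the lower bound is not stated,
  // so every version below 0.7.0 is treated as affected (assumption).
  { id: 'npm advisory 1076', introduced: null, patched: '0.7.0' },
];

// Map each advisory id to the verdict for one package.json range.
function report(range) {
  return Object.fromEntries(advisories.map((a) => [a.id, classify(range, a)]));
}

// '^0.7.0' is a hypothetical next bump, not a range from the PR.
for (const range of ['^0.5.1', '^0.6.2', '^0.7.0']) console.log(range, report(range));
```
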

@anikethsaha
Member

Thanks for the PR. But this has been fixed already.
🙏

@anikethsaha anikethsaha closed this Dec 3, 2019
Successfully merging this pull request may close these issues.

table in sub headers not rendering
