[Security] Bump marked from 0.3.6 to 0.6.0

[dependabot-preview]

Bumps marked from 0.3.6 to 0.6.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The npm Advisory Database.

Regular Expression Denial of Service
Affected versions of marked are vulnerable to a regular expression denial of service.

The amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds.

Affected versions: <0.3.9

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects marked
marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.

Affected versions: < 0.3.7

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects marked
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

Affected versions: <0.3.9

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects marked
A Regular expression Denial of Service (ReDoS) vulnerability in the file marked.js of the marked npm package (tested on version 0.3.7) allows a remote attacker to overload and crash a server by passing a maliciously crafted string.

Affected versions: < 0.3.9

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects marked
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

Affected versions: < 0.3.9

Release notes

Sourced from marked's releases.

0.6.0

Breaking Changes

• Drop support for Node v0.10 and old browsers such as Internet Explorer
  • You should not have any problems if using Node 4+ or a modern browser
• Add parameter slugger to Renderer.prototype.heading method #1401
  • You should not have any problems if you do not override this method

New Features

• Add new export marked.Slugger #1401

Fixes

• Fix emphasis followed by a punctuation #1383
• Fix bold around autolink email address #1385
• Make autolinks case insensitive #1384
• Make code fences compliant with Commonmark spec #1387
• Make blockquote paragraph continuation compliant with Commonmark spec #1394
• Make ordered list marker length compliant with Commonmark spec #1391
• Make empty list items compliant with Commonmark spec #1395
• Make tag escaping compliant with Commonmark spec #1397
• Make strong/bold compliant with Commonmark spec #1400
• Fix handling of adjacent lists #684
• Add better error handling when token type cannot be found #1005
• Fix duplicate heading id and non-latin characters #1401

CLI

• Pretty print ENOENT errors on cli #1396
• Update repo url in man #1403

Docs

• Fix breaks option description #1381
• Update docs to include "Since" version #1382
• Add defibrillator badge for mccraveiro #1392

Tests

• Remove old test covered by gfm/cm #1389

0.5.2

Bug Fixes

• Fix emphasis closing by single _ (part of left-flanking run) #1351
• Make URL handling consistent between links and images #1359

Other

... (truncated)

Commits

• 88a8561 Merge pull request #1404 from styfle/release-0.6.0
• 3160a47 0.6.0
• 991f3f7 Merge pull request #1392 from UziTech/defibrillator-mccraveiro
• 57fd147 🗜️ minify [skip ci]
• dfbc9a1 Merge pull request #1401 from styfle/slugger2
• 6dff94d Merge pull request #1403 from Krinkle/patch-1
• 0e75ab5 man: Update bugs url in text version
• 632ac5d Fix unit tests for slugger
• 5c926e2 Fix slugger & unit tests
• ffeb807 🗜️ minify [skip ci]
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by styfle, a new releaser for marked since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[ChristophWurst]

Fixed in #13474

[dependabot-preview]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

[ChristophWurst]

Things to check (from #13474 (comment)):

• https://github.com/nextcloud/files_texteditor Ship own version of marked files_texteditor#128
• https://github.com/nextcloud/notes Ship own version of marked notes#292
• Announcements Move the 'marked' lib to the settings app and update it #13474 (comment) cc @nickvergessen Markdown support announcementcenter#130

cc @danielkesselberg

[rullzer]

Since this fixes a security issue lets bump this to 0.6.0!

@ChristophWurst can you fix the conflicts?