feat: upgrade marked #862

Closed
wants to merge 1 commit into from

Conversation

@541xxx 541xxx commented Jun 5, 2019

Summary
Upgrade marked
Resolved #722
Related Marked #1466

What kind of change does this PR introduce? (check at least one)

  • Bugfix
  • Feature
  • Code style update
  • Refactor
  • Docs
  • Build-related changes
  • Other, please describe:

If changing the UI of default theme, please provide the before/after screenshot:

Does this PR introduce a breaking change? (check one)

  • Yes
  • No

If yes, please describe the impact and migration path for existing applications:

  1. Drop support for Node v0.10 and old browsers such as Internet Explorer
     You should not have any problems if using Node 4+ or a modern browser
  2. Add parameter slugger to Renderer.prototype.heading method #1401
     You should not have any problems if you do not override this method

The PR fulfills these requirements:

  • When resolving a specific issue, it's referenced in the PR's title (e.g. fix #xxx[,#xxx], where "xxx" is the issue number)

@541xxx 541xxx changed the title feat: Upgrade marked feat: upgrade marked Jun 6, 2019
andywhite37 commented Jun 12, 2019

Bumping this PR, as it also fixes a security alert that we just started getting for marked (which comes in as a dependency of docsify).

WS-2019-0024 (moderate severity)
Vulnerable versions: >= 0.5.0, < 0.6.1
Patched version: 0.6.1

A flaw was found in nodejs-marked versions from 0.5.0 to before 0.6.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Input to the host variable is vulnerable when input contains parenthesis in link URIs, coupled with a high number of link tokens in a single line.

@@ -42,7 +42,7 @@
"postinstall": "opencollective postinstall"
},
"dependencies": {
"marked": "^0.5.1",
"marked": "^0.6.2",
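Review bot: the new range `^0.6.2` can never resolve to marked 0.7.0, because a caret on a 0.x version only admits patch releases within that minor (`^0.6.2` means `>=0.6.2 <0.7.0`), yet the audit output quoted later in this thread lists `>=0.7.0` as the patched range for advisory 1076. As written this hunk clears WS-2019-0024 (patched in 0.6.1) but leaves the second ReDoS advisory reachable; raise the range to `"marked": "^0.7.0"` so both advisories are out of reach.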

might make more sense to go to 0.7.0 because I am seeing this:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.7.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ docsify-cli [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ docsify-cli > docsify > marked                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1076                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
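Whether a bump to `^0.6.2` or `^0.7.0` is enough comes down to what a caret range allows on a 0.x version, which neither comment above spells out. The block below is an added example, written for this page and not code from docsify or marked: it implements npm's caret rule for the cases that matter here and checks a declared range against the two advisories quoted in this thread (WS-2019-0024, `>=0.5.0 <0.6.1`, patched in 0.6.1; npm advisory 1076, patched in `>=0.7.0`). The release list and the advisory objects are constructed from the numbers on this page, not fetched from the registry, and the helper names (`satisfies`, `auditRange`, and so on) are this example's own.

```javascript
// Added example (not docsify's or marked's code): can an npm caret range
// still resolve to a version that an advisory flags? Only the caret rule
// needed here is implemented:
//   ^0.6.2 => >=0.6.2 <0.7.0   (on 0.x the minor is pinned)
//   ^1.2.3 => >=1.2.3 <2.0.0
//   ^0.0.3 => >=0.0.3 <0.0.4

// Parse "x.y.z" (optional leading "v") into a [major, minor, patch] triple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1 / 0 / 1 ordering on parsed triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Expand "^x.y.z" into an inclusive lower and an exclusive upper bound.
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges are handled: ${range}`);
  const lo = parseVersion(range.slice(1));
  const [major, minor, patch] = lo;
  let hi;
  if (major > 0) hi = [major + 1, 0, 0];
  else if (minor > 0) hi = [0, minor + 1, 0];
  else hi = [0, 0, patch + 1];
  return { lo, hi };
}

// True when `version` lies inside the caret range.
function satisfies(version, range) {
  const v = parseVersion(version);
  const { lo, hi } = caretBounds(range);
  return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
}

// Advisory shape: vulnerable when version >= introduced (if given) and < patched.
function isVulnerable(version, advisory) {
  const v = parseVersion(version);
  if (advisory.introduced && compareVersions(v, parseVersion(advisory.introduced)) < 0) return false;
  return compareVersions(v, parseVersion(advisory.patched)) < 0;
}

// Versions in `published` that the range allows AND the advisory flags.
function vulnerableResolutions(range, published, advisory) {
  return published.filter(v => satisfies(v, range) && isVulnerable(v, advisory));
}

// Constructed release list standing in for the registry (not fetched).
const MARKED_RELEASES = ['0.5.0', '0.5.1', '0.5.2', '0.6.0', '0.6.1', '0.6.2', '0.6.3', '0.7.0'];

// Advisory ranges as quoted in the thread; advisory 1076 only shows a patched bound.
const ADVISORIES = {
  'WS-2019-0024': { introduced: '0.5.0', patched: '0.6.1' },
  'npm-1076': { patched: '0.7.0' },
};

// For a declared range, list which published versions each advisory still flags.
function auditRange(range, published = MARKED_RELEASES, advisories = ADVISORIES) {
  const result = {};
  for (const [id, adv] of Object.entries(advisories)) {
    result[id] = vulnerableResolutions(range, published, adv);
  }
  return result;
}

// The three ranges under discussion: docsify's old pin, the PR's bump, and the suggested one.
for (const range of ['^0.5.1', '^0.6.2', '^0.7.0']) {
  console.log(range, JSON.stringify(auditRange(range)));
}
```

Run with `node`: `^0.5.1` is flagged by both advisories, `^0.6.2` clears WS-2019-0024 but still admits 0.6.2 and 0.6.3, which advisory 1076 flags, and `^0.7.0` clears both. The same check can be pointed at a lockfile's resolved version by passing that single version as `published`.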

@anikethsaha (Member)

Thanks for the PR. But this has been fixed already.
🙏

@anikethsaha anikethsaha closed this Dec 3, 2019
Successfully merging this pull request may close these issues.

table in sub headers not rendering
4 participants