Skip to content
This repository was archived by the owner on Jan 19, 2023. It is now read-only.

fix(deps): update dependency marked to v4 [security] #169

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update dependency marked to v4 [security] #169

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 7, 2022
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
marked (source) ^3.0.0 -> ^4.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-21680

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings.
PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

CVE-2022-21681

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Release Notes

markedjs/marked

v4.0.10

Compare Source

Bug Fixes
  • security: fix redos vulnerabilities (8f80657)

v4.0.9

Compare Source

Bug Fixes

v4.0.8

Compare Source

Bug Fixes

v4.0.7

Compare Source

Bug Fixes

v4.0.6

Compare Source

Bug Fixes

v4.0.5

Compare Source

Bug Fixes

v4.0.4

Compare Source

Bug Fixes

v4.0.3

Compare Source

Bug Fixes

v4.0.2

Compare Source

Bug Fixes

v4.0.1

Compare Source

Bug Fixes

v4.0.0

Compare Source

Bug Fixes
BREAKING CHANGES
  • Default export removed. Use import { marked } from 'marked' or const { marked } = require('marked') instead.
  • /lib/marked.js removed. Use /marked.min.js in script tag instead.
  • When using marked in a script tag use marked.parse(...) instead of marked(...)

v3.0.8

Compare Source

Bug Fixes

v3.0.7

Compare Source

Bug Fixes
  • use named exports only for ESM build (#​2226)

v3.0.6

Compare Source

Bug Fixes

v3.0.5

Compare Source

Bug Fixes

v3.0.4

Compare Source

Bug Fixes

v3.0.3

Compare Source

Bug Fixes

Configuration

📅 Schedule: Branch creation - "" in timezone America/Chicago, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested review from AndresRodH and bpallares as code owners March 7, 2022 13:05
@renovate renovate bot added the security label Mar 7, 2022
@codecov
Copy link

codecov bot commented Mar 7, 2022
edited
Loading

Codecov Report

Merging #169 (4760d80) into main (81a7911) will decrease coverage by 17.30%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##             main     #169       +/-   ##
===========================================
- Coverage   84.61%   67.30%   -17.31%     
===========================================
  Files           1        1               
  Lines          52       52               
  Branches       17       17               
===========================================
- Hits           44       35        -9     
- Misses          4       15       +11     
+ Partials        4        2        -2
Impacted Files Coverage Δ
src/index.ts 67.30% <0.00%> (-17.31%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 81a7911...4760d80. Read the comment docs.

@renovate renovate bot force-pushed the renovate-custom/npm-marked-vulnerability branch from 611f9ba to 6f13808 Compare March 26, 2022 14:36
@renovate renovate bot force-pushed the renovate-custom/npm-marked-vulnerability branch from 6f13808 to 4760d80 Compare April 24, 2022 17:28
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@AndresRodH AndresRodH Awaiting requested review from AndresRodH AndresRodH is a code owner

@bpallares bpallares Awaiting requested review from bpallares

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@cfsdevops