DavidWells / markdown-magic

💫  Automatically format markdown files via comment blocks using source code, external data & custom transforms.


Vulnerability in the package

juanjoDiaz opened this issue · comments

Reported by npm audit

┌───────────────┬────────────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                               │
├───────────────┼────────────────────────────────────────────────────────────────────┤
│ Package       │ underscore.string                                                  │
├───────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.3.5                                                            │
├───────────────┼────────────────────────────────────────────────────────────────────┤
│ Dependency of │ markdown-magic [dev]                                               │
├───────────────┼────────────────────────────────────────────────────────────────────┤
│ Path          │ markdown-magic > markdown-toc > remarkable > argparse >            │
│               │ underscore.string                                                  │
├───────────────┼────────────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/745                                   │
└───────────────┴────────────────────────────────────────────────────────────────────┘

commented

I can confirm this as well, showing on mine that I'm using for generating awesome list https://github.com/tripflex/awesome-mongoose-os

Thanks for the report

Do you know if this is fixed upstream in these markdown-toc > remarkable > argparse?

Here is the current state:

argparse: no longer uses underscore since February 19, 2015 (version 1.0.0)

remarkable: a version change was made from 0.1.15 to 1.0.10 on July 21, 2019 but remarkable was not versioned (only the master contains the modification)

markdown-toc: uses remarkable (version 1.7.1) since version 1.0.0 of markdown-toc. Note: markdown-toc has an issue for this vulnerability

Thanks for the insight!

How can we fix this? (Hopefully without forking and maintaining all the upstream deps?)

Are folks using markdown-magic on a server where this DDoS vulnerability would be an issue?

Fixed with markdown-magic@2.3.0
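Added example, not code from the markdown-magic project or from any participant in this thread: a small Node script that walks a package-lock v1-style "dependencies" tree and lists every path that reaches a named package, marking versions below the patched release (3.3.5 from the audit report above). It reproduces the kind of "Path" line npm audit prints, which is useful for confirming that a transitive dependency is actually gone after a bump such as the one in markdown-magic@2.3.0. The lock tree, the placeholder versions for the intermediate packages, and the helper names (compareVersions, findPaths, report) are constructed for this example.

```javascript
// Added example (not part of markdown-magic): find every path to a package in a
// lockfile-style dependency tree and flag versions below the patched release.

const TARGET = 'underscore.string';
const PATCHED = '3.3.5'; // "Patched in >=3.3.5" from the npm audit report

// Compare two dotted numeric version strings; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk of a lockfile "dependencies" object. Each occurrence of
// `target` yields { path, version, vulnerable }, where `path` is the chain of
// package names from the root project down to the target.
function findPaths(tree, target, patched, root = 'markdown-magic') {
  const hits = [];
  function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === target) {
        hits.push({
          path,
          version: meta.version,
          vulnerable: compareVersions(meta.version, patched) < 0,
        });
      }
      walk(meta.dependencies, path); // nested (non-hoisted) dependencies
    }
  }
  walk(tree, [root]);
  return hits;
}

// Render hits as npm-audit-style "Path" lines.
function report(tree, target = TARGET, patched = PATCHED) {
  return findPaths(tree, target, patched).map(
    (h) => `${h.path.join(' > ')}@${h.version} ${h.vulnerable ? 'VULNERABLE' : 'ok'}`
  );
}

// Constructed lock tree mirroring the audit path above. Intermediate versions
// are 0.0.0 placeholders, not the project's real lockfile contents.
const LOCK = {
  'markdown-toc': { version: '0.0.0', dependencies: {
    remarkable: { version: '0.0.0', dependencies: {
      argparse: { version: '0.0.0', dependencies: {
        'underscore.string': { version: '3.3.4' }, // constructed: below patched range
      } },
    } },
  } },
  'other-dev-dep': { version: '0.0.0', dependencies: {
    'underscore.string': { version: '3.3.5' }, // constructed: already patched
  } },
};

// Usage: read a real lockfile with require('./package-lock.json').dependencies
// in place of LOCK.
for (const line of report(LOCK)) console.log(line);
```

Hoisted dependencies in a real lockfile appear at the top level, so a single walk over `dependencies` catches both nested and hoisted copies; the path shown for a hoisted copy is then just `root > package`, which is why npm audit's "Path" line is only as deep as the lockfile nesting.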