Vulnerability in the package
juanjoDiaz opened this issue · comments
Reported by npm audit
| Moderate | Regular Expression Denial of Service |
| --- | --- |
| Package | underscore.string |
| Patched in | >=3.3.5 |
| Dependency of | markdown-magic [dev] |
| Path | markdown-magic > markdown-toc > remarkable > argparse > underscore.string |
| More info | https://npmjs.com/advisories/745 |
I can confirm this as well; it's showing on the one I'm using for generating an awesome list: https://github.com/tripflex/awesome-mongoose-os
Thanks for the report
Do you know if this is fixed upstream in these: markdown-toc > remarkable > argparse?
Here is the current state:
argparse: no longer uses underscore since February 19, 2015 (version 1.0.0)
remarkable: a version change was made from 0.1.15 to 1.0.10 on July 21, 2019 but remarkable was not versioned (only the master contains the modification)
markdown-toc: uses remarkable (version 1.7.1) since version 1.0.0 of markdown-toc. Note: markdown-toc has an issue for this vulnerability
Thanks for the insight!
How can we fix this? (Hopefully without forking and maintaining all the upstream deps?)
Are folks using markdown-magic on a server where this DDoS vulnerability would be an issue?
Fixed with markdown-magic@2.3.0