Expecting a new release from `develop` branch to resolve `marked` dependency vulnerabilities

Question

Expecting a new release from `develop` branch to resolve `marked` dependency vulnerabilities

somnathpathak opened this issue 5 months ago · comments

Somnath Pathak commented 5 months ago

Bug Report

Steps to reproduce

npm install docsify
npm audit

Current behaviour

Bump the marked devDependency to 4.2.12 in new release

Expected behaviour

Currently, marked is at 1.2.9 which results in following vulnerabilities:

Regular Expression Denial of Service (REDoS) in Marked - GHSA-4r62-v4vq-hr96
Inefficient Regular Expression Complexity in marked - GHSA-rrrm-qjm4-v8hf
Inefficient Regular Expression Complexity in marked - GHSA-5v2h-r2cx-5xgj

Other relevant information

Docsify version: 4.13.1

Bug still occurs when all/other plugins are disabled?
Docsify plugins (if the bug happens when plugins enabled, please try to isolate the issue):

Please create a reproducible sandbox

Mention the docsify version in which this bug was not present (if any)

develop branch. NOT YET RELEASED.

Somnath Pathak · Answer 1 · Thu Feb 15 2024 18:10:01 GMT+0800 (China Standard Time)

@jhildenbiddle @QingWei-Li Could you please look into this.

Joe Pea · Answer 2 · Fri Feb 16 2024 04:15:56 GMT+0800 (China Standard Time)

Hi, thanks for getting involved!

Its nice to be up to date with libraries, but if you had an issue with this, you can easily change the offending markup in your markdown.

It would be far more valuable to know what problem you specifically face, if anything, rather than just assuming that posting npm audit results is always meaningful.

We will release when ready.

In the meantime, if you have an actual problem with a piece of markdown, please open another issue.