Expecting a new release from `develop` branch to resolve `marked` dependency vulnerabilities
somnathpathak opened this issue · comments
Bug Report
Steps to reproduce
npm install docsify
npm audit
Current behaviour
Bump the marked devDependency to 4.2.12 in new release
Expected behaviour
Currently, marked is at 1.2.9, which results in the following vulnerabilities:
- Regular Expression Denial of Service (REDoS) in Marked - GHSA-4r62-v4vq-hr96
- Inefficient Regular Expression Complexity in marked - GHSA-rrrm-qjm4-v8hf
- Inefficient Regular Expression Complexity in marked - GHSA-5v2h-r2cx-5xgj
Other relevant information
- Docsify version: 4.13.1
- Bug still occurs when all/other plugins are disabled?
- Docsify plugins (if the bug happens when plugins enabled, please try to isolate the issue):
Please create a reproducible sandbox
Mention the docsify version in which this bug was not present (if any): develop branch. NOT YET RELEASED.
@jhildenbiddle @QingWei-Li Could you please look into this.
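The reproduction above is "install, then read the audit output". As an added example that is not part of the issue or of the docsify project, the script below shows how a maintainer or downstream user can triage that output mechanically instead of eyeballing it: it parses an `npm audit --json` report (npm 7+ shape), picks out the three GHSA advisories named in this issue, reports which package they flow through and what fix npm offers, and checks whether the installed `marked` version is below the 4.2.12 the reporter asks for. The embedded report is constructed by hand; the advisory IDs, titles and the 4.2.12 fix version come from the issue, while the severities, `range` values and `npm ls` version string are illustrative placeholders.

```python
"""Triage an `npm audit --json` report for specific advisories (added example)."""
import json
import re
from typing import Dict, Iterable, Tuple

# Matches a GitHub Security Advisory identifier inside an advisory URL.
GHSA_RE = re.compile(r"GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}")

# Advisory IDs quoted in the issue.
ADVISORIES_OF_INTEREST = {
    "GHSA-4r62-v4vq-hr96",
    "GHSA-rrrm-qjm4-v8hf",
    "GHSA-5v2h-r2cx-5xgj",
}

# Constructed sample in the npm 7+ (auditReportVersion 2) shape. Severities and
# `range` values are placeholders, not copied from the real advisories.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "marked": {
            "name": "marked",
            "severity": "high",
            "isDirect": False,
            "via": [
                {"source": 1, "name": "marked", "dependency": "marked",
                 "title": "Regular Expression Denial of Service (REDoS) in Marked",
                 "url": "https://github.com/advisories/GHSA-4r62-v4vq-hr96",
                 "severity": "high", "range": "<placeholder>"},
                {"source": 2, "name": "marked", "dependency": "marked",
                 "title": "Inefficient Regular Expression Complexity in marked",
                 "url": "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf",
                 "severity": "moderate", "range": "<placeholder>"},
                {"source": 3, "name": "marked", "dependency": "marked",
                 "title": "Inefficient Regular Expression Complexity in marked",
                 "url": "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj",
                 "severity": "moderate", "range": "<placeholder>"},
            ],
            "effects": ["docsify"],
            "range": "<placeholder>",
            "nodes": ["node_modules/marked"],
            "fixAvailable": {"name": "marked", "version": "4.2.12", "isSemVerMajor": True},
        },
        # A package reached only transitively: `via` holds package names, not objects.
        "docsify": {
            "name": "docsify", "severity": "high", "isDirect": True,
            "via": ["marked"], "effects": [], "range": "<placeholder>",
            "nodes": ["node_modules/docsify"], "fixAvailable": False,
        },
    },
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse 'major.minor.patch' into a comparable tuple; a pre-release suffix is dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_below(installed: str, required: str) -> bool:
    """True when the installed version is strictly older than the one requested."""
    return parse_version(installed) < parse_version(required)


def find_advisories(report_json: str, wanted: Iterable[str]) -> Dict[str, dict]:
    """Return {GHSA id: details} for every wanted advisory present in the report."""
    wanted_ids = set(wanted)
    report = json.loads(report_json)
    hits: Dict[str, dict] = {}
    for pkg_name, entry in report.get("vulnerabilities", {}).items():
        fix = entry.get("fixAvailable")
        fix_version = fix.get("version") if isinstance(fix, dict) else None
        for via in entry.get("via", []):
            if not isinstance(via, dict):
                continue  # a bare string only points at the package that carries the advisory
            match = GHSA_RE.search(via.get("url", ""))
            if match and match.group(0) in wanted_ids:
                hits[match.group(0)] = {
                    "package": pkg_name,
                    "title": via.get("title"),
                    "severity": via.get("severity"),
                    "fix_version": fix_version,
                    "effects": list(entry.get("effects", [])),
                }
    return hits


if __name__ == "__main__":
    installed_marked = "1.2.9"  # the version the issue reports; normally read from `npm ls --json`
    for ghsa, info in sorted(find_advisories(SAMPLE_AUDIT_JSON, ADVISORIES_OF_INTEREST).items()):
        print(f"{ghsa}: {info['title']} via {info['package']} "
              f"(severity={info['severity']}, fix={info['fix_version']}, affects={info['effects']})")
    print("marked needs bump:", version_below(installed_marked, "4.2.12"))
```

The `via` handling matters in practice: npm lists a transitive consumer such as docsify with only package-name strings in `via`, so a naive `via["url"]` lookup raises on real reports.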
Hi, thanks for getting involved!
It's nice to be up to date with libraries, but if you had an issue with this, you can easily change the offending markup in your markdown.
It would be far more valuable to know what problem you specifically face, if anything, rather than just assuming that posting npm audit results is always meaningful.
We will release when ready.
In the meantime, if you have an actual problem with a piece of markdown, please open another issue.