twingly / twingly-search-api-node

:turtle::rocket: Twingly Blog Search API in JavaScript

Home Page: https://developer.twingly.com


Security vulnerability found in marked dependency

roback opened this issue · comments

The version we have installed is 0.3.19, https://nodesecurity.io/advisories/812 has been fixed in >=0.6.2.

$ npm audit

                       === npm audit security report ===

# Run  npm install --save-dev marked@0.6.2  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ marked [dev]                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/812                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jsdoc [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jsdoc > marked                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/812                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 moderate severity vulnerabilities in 80 scanned packages
  run `npm audit fix` to fix 1 of them.
  1 vulnerability requires manual review. See the full report for details.

There is an upstream issue for this at jsdoc/jsdoc#1634, which should be fixed by jsdoc/jsdoc#1633. No idea when it will be released though.

When a new version of jsdoc is released we should also remove the fix that was made in 209104f as that isn't needed anymore. It's the cause behind the first vulnerability above. Edit: Fixed in #35


I think we can remove it now instead as it seems to work without it.

jsdoc seems to be somewhat semi-dead, maybe https://github.com/documentationjs/documentation could be an alternative - not sure how migration would look though

Another option could be to just drop the feature to be able to generate documentation. I would assume it to be pretty much unused :)