Skip to content

Upgrade to latest marked@4.1.0#336

Open
stvansolano wants to merge 4 commits into
storybookjs:masterfrom
stvansolano:master
Open

Upgrade to latest marked@4.1.0#336
stvansolano wants to merge 4 commits into
storybookjs:masterfrom
stvansolano:master

Conversation

@stvansolano

@stvansolano stvansolano commented Sep 8, 2022

Copy link
Copy Markdown

Fixes Inefficient Regular Expression Complexity already fixed in marked library
GHSA-5v2h-r2cx-5xgj

marked  <=4.0.9
Severity: high
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
Marked ReDoS due to email addresses being evaluated in quadratic time - https://github.com/advisories/GHSA-xf5p-87ch-gxw2
No fix available
node_modules/marksy/node_modules/marked
  marksy  *
  Depends on vulnerable versions of marked
  node_modules/marksy

CC @jimmyandrade @christianalfoni @ndelangen @Hypnosphi

@OleksiiFomazov

Copy link
Copy Markdown

Please review this PR, can't upgrade to the latest version as they are not compatible

WindowsTerminal_OBB6r3ueSL
WindowsTerminal_GQU4Zvtza7 (1)

@Hypnosphi Hypnosphi self-requested a review April 25, 2023 12:25
@socket-security

Copy link
Copy Markdown

New dependency changes detected. Learn more about Socket for GitHub ↗︎


👍 No new dependency issues detected in pull request

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

Pull request alert summary
Issue Status
Install scripts ✅ 0 issues
Native code ✅ 0 issues
Bin script confusion ✅ 0 issues
Bin script shell injection ✅ 0 issues
Shell access ✅ 0 issues
Uses eval ✅ 0 issues
Unresolved require ✅ 0 issues
Invalid package.json ✅ 0 issues
HTTP dependency ✅ 0 issues
Git dependency ✅ 0 issues
GitHub dependency ✅ 0 issues
New author ✅ 0 issues
Potential typo squat ✅ 0 issues
Known Malware ✅ 0 issues
Telemetry ✅ 0 issues
Protestware/Troll package ✅ 0 issues

📊 Modified Dependency Overview:

⬆️ Updated Package Version Diff Added Capability Access +/- Transitive Count Publisher
marked@4.3.0 1.2.3...4.3.0 None +0/-0 tonybrix

@Hypnosphi

Copy link
Copy Markdown
Member

@stvansolano please make yarn test pass

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants