
Update dependency marked to v0.3.18 [SECURITY] #42

Open. renovate wants to merge 1 commit into base: master from

Conversation

renovate[bot]

@renovate renovate bot commented Jun 3, 2019

This PR contains the following updates:

Package          Type          Update   Change
marked (source)  dependencies  patch    0.3.5 -> 0.3.18

GitHub Vulnerability Alerts

CVE-2017-17461

A Regular expression Denial of Service (ReDoS) vulnerability in the file marked.js of the marked npm package (tested on version 0.3.7) allows a remote attacker to overload and crash a server by passing a maliciously crafted string.

CVE-2017-1000427

marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.

CVE-2017-16114

The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

CVE-2016-10531

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because &#xNNanything; gets parsed to what it could and leaves the rest behind, resulting in just anything; being left.

GHSA-xf5p-87ch-gxw2 / WS-2019-0027

Versions 0.3.17 and earlier of marked have four regexes that were vulnerable to catastrophic backtracking. This leaves markdown servers open to a potential ReDoS attack.

GHSA-8wp3-cp9v-44fm / WS-2019-0026

Versions 0.3.7 and earlier of marked unescape only lowercase x, while browsers support both lowercase and uppercase x in the hexadecimal form of HTML character entities.

GHSA-wjmf-58vc-xqjr / WS-2019-0025

In versions 0.3.7 and earlier of marked, when mangling is disabled via the mangle option, the target href is not escaped. This allows an attacker to inject arbitrary HTML events into the resulting a tag.


Release Notes

markedjs/marked

v0.3.18

Compare Source

  • Supported Markdown flavors: CommonMark 0.28 and GitHub Flavored Markdown 0.28
  • Updates to our CI pipeline; we're all green! #1098 with the caveat that there is a test that needs to get sorted (help us out #1092)
  • Start ordered lists using the initial numbers from markdown lists (#1144)
  • Added GitHub Pages site for documentation https://marked.js.org/ (#1138)

v0.3.17

Compare Source

  • The elephant in the room: A security vulnerability was discovered and fixed. Please note, if something breaks due to these changes, it was not our intent, and please let us know by submitting a PR or issue to course correct (the nature of the zero-major release and having security as a number one priority) #1083
  • The other elephant in the room: We missed publishing a 0.3.16 release to GitHub; so, trying to make up for that a bit.
  • Updates to the project documentation and operations, you should check it out, just start with the README and you should be good.
  • New release PR template available #1076
  • Updates to default PR and Issue templates #1076
  • Lint checks + tests + continuous integration using Travis #1020
  • Updated testing output #1085 & #1087

v0.3.16

Compare Source

v0.3.15

Compare Source

Fixes unintended breaking change from v0.3.14

v0.3.14

Compare Source

  • Marked has a new home under the MarkedJS org! Other advances soon to come.
  • Updated minifier.
  • Various parser fixes

v0.3.13

Compare Source

v0.3.12

Compare Source

  • Addresses issue where some users might not have been able to update due to missing use strict #991
  • Parser fix #977
  • New way to perform tests with options and running individual tests #1002
  • Improved test cases
  • Improved links

v0.3.9

Compare Source

We think with this version we have addressed most, if not all, known security vulnerabilities. If you find more, please let us know.

v0.3.7

Compare Source

Should fix XSS issue discovered.

v0.3.6

Compare Source


Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by WhiteSource Renovate. View repository job log here.
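A defender-side illustration of the entity-handling issues listed in the advisories above (the partially consumed &#xNNanything; reference from CVE-2016-10531 and the lowercase-only x from GHSA-8wp3-cp9v-44fm), added here as example code that is not marked's own implementation: a strict character-reference decoder that accepts both x and X hex forms and leaves malformed references untouched, followed by a scheme check on the fully decoded href. The function names decodeEntities, isSafeHref and report, and the sample hrefs, are assumptions constructed for this example.

```javascript
// Added example, not marked's own code: strict entity decoding, then a
// scheme check on the decoded href (the order the advisories above imply).
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', colon: ':' };

// Decode only well-formed references: &#106; &#x6A; &#X6a; &colon;
// The ';' must follow the digits directly, so "&#x6aanything;" (the
// CVE-2016-10531 shape) is left intact instead of being partially consumed.
function decodeEntities(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X'; // both cases (GHSA-8wp3)
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp > 0x10ffff ? m : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : m;
  });
}

// True when the href, after full decoding, does not carry a scripting or
// data: scheme. Decoding repeats a few times so "&amp;#x6A;" is resolved too.
function isSafeHref(href) {
  let decoded = href;
  for (let i = 0; i < 3; i++) {
    const next = decodeEntities(decoded);
    if (next === decoded) break;
    decoded = next;
  }
  // Drop whitespace/control characters before reading the scheme, since
  // browsers ignore them inside a scheme name.
  const scheme = decoded.replace(/[\u0000-\u0020]+/g, '').toLowerCase();
  return !/^(javascript|vbscript|data):/.test(scheme);
}

// Constructed sample hrefs exercising the cases the advisories describe.
const SAMPLES = [
  'https://example.com/docs',      // plain, allowed
  'JavaScript:void(0)',            // mixed-case scheme, blocked
  '&#x6A;avascript:void(0)',       // lowercase x entity, blocked
  '&#X6A;avascript:void(0)',       // uppercase X entity, blocked
  '&amp;#x6A;avascript:void(0)',   // double-encoded, blocked
  'java\tscript:void(0)',          // control char inside scheme, blocked
];

// Returns [href, allowed] pairs for the samples above.
function report() {
  return SAMPLES.map((h) => [h, isSafeHref(h)]);
}
```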

@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from 3fbc1ba to 0f11b5e Compare June 5, 2019 14:11
@renovate renovate bot changed the title Update dependency marked to v0.3.9 [SECURITY] Update dependency marked to v0.3.18 [SECURITY] Jun 5, 2019