Update dependency marked to v4 [SECURITY] - abandoned
This PR contains the following updates:
| Package | Change |
|---|---|
| marked (source) | 2.0.1 -> 4.0.10 |
GitHub Vulnerability Alerts
CVE-2022-21681
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may backtrack catastrophically on some inputs.
Proof of concept:
```js
// PoC from the advisory: a reference definition followed by a long run of
// `\[\](` sequences makes inline.reflinkSearch backtrack catastrophically.
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
```
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
CVE-2022-21680
Impact
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may backtrack catastrophically on some inputs.
Proof of concept:
```js
// PoC from the advisory: a reference definition whose destination is padded
// with ~1500 spaces on each side makes block.def backtrack catastrophically.
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
```
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
Release Notes
markedjs/marked
v4.0.10
Bug Fixes
- security: fix redos vulnerabilities (8f80657)
v4.0.9
Bug Fixes
v4.0.8
Bug Fixes
v4.0.7
Bug Fixes
v4.0.6
Bug Fixes
v4.0.5
Bug Fixes
v4.0.4
Bug Fixes
v4.0.3
Bug Fixes
v4.0.2
Bug Fixes
v4.0.1
Bug Fixes
v4.0.0
Bug Fixes
BREAKING CHANGES
- Default export removed. Use `import { marked } from 'marked'` or `const { marked } = require('marked')` instead.
- `/lib/marked.js` removed. Use `/marked.min.js` in script tag instead.
- When using marked in a script tag use `marked.parse(...)` instead of `marked(...)`.
v3.0.8
Bug Fixes
v3.0.7
Bug Fixes
- use named exports only for ESM build (#2226)
v3.0.6
Bug Fixes
v3.0.5
Bug Fixes
v3.0.4
Bug Fixes
v3.0.3
Bug Fixes
v3.0.2
Bug Fixes
v3.0.1
Bug Fixes
v3.0.0
Bug Fixes
- Tokenizers lex their own child tokens (#2124) (288f1cb)
- Add module field to package.json (#2143) (edc2e6d)
- Drop node 10 support (#2157) (433b16f)
- Full Commonmark compliance for Lists (#2112) (eb33d3b)
- Refactor table tokens (#2166) (bc400ac)
BREAKING CHANGES
- Drop support for node 10.
- Add module field to package.json
- Tokenizers will create their own tokens with `this.lexer.inline(text, tokens)`. The `inline` function will queue the token creation until after all block tokens are created.
- Extensions tokenizer `this` object will include the `lexer` as a property. `this.inlineTokens` becomes `this.lexer.inline`.
- Extensions renderer `this` object will include the `parser` as a property. `this.parseInline` becomes `this.parser.parseInline`.
- `tag` and `inlineText` tokenizer function signatures have changed.
- `nptable` tokenizer is removed and merged with `table` tokenizer.
- `table` tokens `header` property changed to contain an array of objects for each header cell with `text` and `tokens` properties.
- `table` tokens `cells` property changed to `rows` and is an array of rows where each row contains an array of objects for each cell with `text` and `tokens` properties.
v2 table token:
```json
{
  "type": "table",
  "align": [null, null],
  "raw": "| a | b |\n|---|---|\n| 1 | 2 |\n",
  "header": ["a", "b"],
  "cells": [["1", "2"]],
  "tokens": {
    "header": [
      [{ "type": "text", "raw": "a", "text": "a" }],
      [{ "type": "text", "raw": "b", "text": "b" }]
    ],
    "cells": [[
      [{ "type": "text", "raw": "1", "text": "1" }],
      [{ "type": "text", "raw": "2", "text": "2" }]
    ]]
  }
}
```
v3 table token (note that `rows` is an array of rows, each of which is an array of cell objects):
```json
{
  "type": "table",
  "align": [null, null],
  "raw": "| a | b |\n|---|---|\n| 1 | 2 |\n",
  "header": [
    {
      "text": "a",
      "tokens": [{ "type": "text", "raw": "a", "text": "a" }]
    },
    {
      "text": "b",
      "tokens": [{ "type": "text", "raw": "b", "text": "b" }]
    }
  ],
  "rows": [
    [
      {
        "text": "1",
        "tokens": [{ "type": "text", "raw": "1", "text": "1" }]
      },
      {
        "text": "2",
        "tokens": [{ "type": "text", "raw": "2", "text": "2" }]
      }
    ]
  ]
}
```
v2.1.3
Bug Fixes
v2.1.2
Bug Fixes
v2.1.1
Bug Fixes
v2.1.0
Features
v2.0.7
Bug Fixes
v2.0.6
Bug Fixes
v2.0.5
Bug Fixes
v2.0.4
Bug Fixes
v2.0.3
Bug Fixes
v2.0.2
Bug Fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
Edited/Blocked Notification
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
⚠ Warning: custom changes will be lost.
Autoclosing Skipped
This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.