New release - marked vulnerability alert

[noraj]

It would be nice to have a new release of dosify including the current work.

Indeed, last release is v4.13.1 from Jun 24, 2023. What's annoying is that docsify v4.13.1 was using marked v1.2.9

https://github.com/docsifyjs/docsify/blob/862b10053879386a48ab34c21d7ca648483be738/package.json#L68

So any project using docsify on github right now, have 3 vulnerability alerts opened:

• GHSA-5v2h-r2cx-5xgj - Inefficient Regular Expression Complexity in marked - CVE-2022-21681
  • ex: https://github.com/noraj/unisec/security/dependabot/5
• GHSA-4r62-v4vq-hr96 - Regular Expression Denial of Service (REDoS) in Marked - CVE-2021-21306
  • ex: https://github.com/noraj/unisec/security/dependabot/3
• GHSA-rrrm-qjm4-v8hf - Inefficient Regular Expression Complexity in marked - CVE-2022-21680
  • ex: https://github.com/noraj/unisec/security/dependabot/4

Even if not really vulnerable, that makes tons of projects receiving 3 false positive vulnerability alerts. And since no newer release is available, one can't "path" other than dismissing the alert.

It's already fixed since now docsify uses marked v14.1.0, we just are lacking a newer release.

https://github.com/docsifyjs/docsify/blob/ceb466ca9c29bec775f4ebda449f8ea40a5453df/package.json#L73C6-L73C13

[Koooooo-7]

Hi @noraj , thx for you mention on this. The new release may take a time to confirm with the members. I will sync with you when the release decision set done asap.

[asinghal]

hi, any news on this? it will be good to have the updated dependency for marked published asap.

[sy-records]

Planned release in the near future.

[adamlui]

You should just release it now because it makes other popupar repos that add docsify as dependency appear vulnerable when ppl clone them and see the red and yellow warnings, also encourages ppl to remove as dependency to make scaring own users go away, whatever is blocking release for half a year now should just be saved for another one