marked-element icon indicating copy to clipboard operation
marked-element copied to clipboard
verified publisher icon PolymerElements

Npm audit security report shows marked library security vulnerability

Open jarrodek opened this issue 6 years ago • 3 comments

The result of running npm audit command on any of hundreds of my components:

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @polymer/iron-component-page [dev]                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @polymer/iron-component-page > @polymer/iron-doc-viewer >    │
│               │ @polymer/marked-element > marked                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/812                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

I also use this element directly, not only through iron-component-page.

I tried to fork the repo and upgrade the version but tests fails. I am not sure what was intention so I will leave it up to you to fix this. I hope it can be fixed as my security team will definitely notice alerts very soon :)

jarrodek avatar Apr 19 '19 14:04 jarrodek

I will take a look at upgrading and discuss with the Polymer team about what the plan is for this. It appears there are breaking changes between 0.3 and 0.6.

stramel avatar Apr 19 '19 14:04 stramel

Any update on this?

jarrodek avatar May 17 '19 18:05 jarrodek

Vulnerability for nested package "marked" has been resolved in the upgrade version.

For more information - https://snyk.io/test/npm/@polymer/marked-element https://snyk.io/test/npm/marked/4.0.12

Team, can you please check if this can be upgraded. It should resolve almost all vulnerabilities.

navalamol avatar Feb 16 '22 09:02 navalamol