codimd
@hackmd/meta-marked is vulnerable
Use more recent marked. 0.6.2 is vulnerable.
This can DOS-attack CodiMD.
Comparing @hackmd with the original, I don't think you need to stick to the old version.
You should do "npm audit" more often.
I tested marked-0.8.2 by specifying "0.x" in meta-marked's package.json and it looks to be working well.
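As an added illustration of the dependency-pinning point in this issue (this is example code written for this page, not CodiMD's, meta-marked's or the reporter's own code), the script below reads the `marked` spec from a parsed package.json object and reports whether that spec still admits the 0.6.2 release named above, and whether it can resolve to the 0.8.2 release the reporter tested. It only understands the spec forms discussed here (exact, caret, tilde and x-ranges such as "0.x") and throws on anything else rather than guessing; the function names (`specToBounds`, `satisfies`, `auditMarkedSpec`) and the two sample package.json objects are assumptions constructed for the example. It complements `npm audit`, which remains the authoritative check because it looks at the lockfile's resolved versions.

```javascript
// Added example, not code from the CodiMD project or this issue's reporter.
// Decides what marked versions a package.json dependency spec admits, for the
// spec forms this issue talks about: exact ("0.6.2"), caret ("^0.6.2"),
// tilde ("~0.6.2") and x-ranges ("0.x", "0.8.x", "x"). Any other syntax throws
// so an unsupported spec is never silently reported as safe.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain major.minor.patch version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare on [major, minor, patch]; returns -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Translates a spec into an inclusive lower bound and an exclusive upper bound
// (upper === null means unbounded), following npm's semver rules for these forms.
function specToBounds(spec) {
  let m;
  if ((m = /^(\d+)\.(\d+)\.(\d+)$/.exec(spec))) {
    const [maj, min, pat] = m.slice(1).map(Number);
    return { lower: [maj, min, pat], upper: [maj, min, pat + 1] };
  }
  if ((m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(spec))) {
    const [maj, min, pat] = m.slice(1).map(Number);
    // ^1.2.3 -> <2.0.0; ^0.6.2 -> <0.7.0; ^0.0.3 -> <0.0.4
    const upper = maj > 0 ? [maj + 1, 0, 0] : min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];
    return { lower: [maj, min, pat], upper };
  }
  if ((m = /^~(\d+)\.(\d+)\.(\d+)$/.exec(spec))) {
    const [maj, min, pat] = m.slice(1).map(Number);
    return { lower: [maj, min, pat], upper: [maj, min + 1, 0] }; // ~0.6.2 -> <0.7.0
  }
  if (spec === 'x' || spec === '*') return { lower: [0, 0, 0], upper: null };
  if ((m = /^(\d+)\.[xX*]$/.exec(spec))) {
    const maj = Number(m[1]);
    return { lower: [maj, 0, 0], upper: [maj + 1, 0, 0] }; // 0.x -> >=0.0.0 <1.0.0
  }
  if ((m = /^(\d+)\.(\d+)\.[xX*]$/.exec(spec))) {
    const [maj, min] = m.slice(1).map(Number);
    return { lower: [maj, min, 0], upper: [maj, min + 1, 0] }; // 0.8.x -> >=0.8.0 <0.9.0
  }
  throw new Error(`unsupported dependency spec: ${spec}`);
}

// True when `version` lies inside the bounds that `spec` admits.
function satisfies(version, spec) {
  const v = parseVersion(version);
  const { lower, upper } = specToBounds(spec);
  return cmp(v, lower) >= 0 && (upper === null || cmp(v, upper) < 0);
}

// Versions named in this issue: 0.6.2 reported vulnerable, 0.8.2 tested by the reporter.
const VULNERABLE_MARKED = '0.6.2';
const TESTED_FIX_MARKED = '0.8.2';

// Reports whether the declared marked spec still admits the vulnerable release.
// A spec that admits both releases (e.g. "0.x") resolves to the newest version
// available at install time, so the lockfile, not package.json alone, decides
// what actually runs; that case is flagged for a lockfile check.
function auditMarkedSpec(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const spec = deps.marked;
  if (spec === undefined) return { spec: null, admitsVulnerable: false, admitsFix: false, verdict: 'marked not declared' };
  const admitsVulnerable = satisfies(VULNERABLE_MARKED, spec);
  const admitsFix = satisfies(TESTED_FIX_MARKED, spec);
  let verdict;
  if (!admitsVulnerable && admitsFix) verdict = 'ok: spec excludes 0.6.2';
  else if (admitsVulnerable && admitsFix) verdict = 'check lockfile: spec admits both 0.6.2 and 0.8.2';
  else if (admitsVulnerable) verdict = 'vulnerable: spec cannot resolve to 0.8.2';
  else verdict = 'spec excludes 0.6.2 but also 0.8.2; verify the resolved version';
  return { spec, admitsVulnerable, admitsFix, verdict };
}

// Constructed sample package.json objects (hypothetical, not the real meta-marked file):
// one pinned to the 0.6 line, one loosened to "0.x" as the reporter did.
const samplePinned = { name: 'meta-marked-sample', dependencies: { marked: '^0.6.2' } };
const sampleLoosened = { name: 'meta-marked-sample', dependencies: { marked: '0.x' } };

console.log(auditMarkedSpec(samplePinned).verdict);   // vulnerable: spec cannot resolve to 0.8.2
console.log(auditMarkedSpec(sampleLoosened).verdict); // check lockfile: spec admits both 0.6.2 and 0.8.2
```

Run it with `node` after pasting a project's parsed package.json into `auditMarkedSpec`; a "check lockfile" verdict means the range is fine only if package-lock.json actually resolves `marked` to a fixed release, which is exactly what `npm audit` verifies.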