
deps: Update `markdown-it` to fix vulnerability warnings

Open mthahzan opened this issue 1 year ago • 11 comments

As shown in #202, markdown-it v10.x.x includes certain vulnerabilities which were fixed in subsequent versions. This updates the dependency to fix these vulnerabilities.

mthahzan avatar Jan 31 '24 02:01 mthahzan

@iamacup @miallo @RonRadtke kindly merge so that the Snyk vulnerability can be resolved: https://security.snyk.io/vuln/SNYK-JS-MARKDOWNIT-6483324?_gl=1%2a1l4vawo%2a_ga%2aMTkzNjU3NTQyNC4xNjg3MzYxMzIx%2a_ga_X9SH3KP7B4%2aMTcxMTQ3MTc1OS42Ni4xLjE3MTE0NzE3NzUuMC4wLjA.

sainjay avatar Mar 26 '24 16:03 sainjay

@iamacup Can we please fix this security vulnerability for the community?

lernerb avatar Apr 05 '24 18:04 lernerb

@mthahzan there is an update to the @types/markdown-it also. Currently it is at 14.0.1 which you haven't included in this PR.

david-gettins avatar Apr 17 '24 10:04 david-gettins

@david-gettins thanks! PR Updated.

Also, I noticed the latest version of markdown-it is 14.1.0 now. Didn't have the time to test it out to see if it works or not. If someone can verify, I can bump the version of that as well.

mthahzan avatar Apr 17 '24 11:04 mthahzan

Any plans when this will be merged?

lautenschlager-dev avatar Apr 25 '24 08:04 lautenschlager-dev

This vulnerability is still there. Kindly get this merged, otherwise we'll have to migrate to a different library.


sainjay avatar Apr 26 '24 17:04 sainjay

If like myself you would like a temporary workaround for the audit issues you can use force-resolutions to force the fixed version of markdown-it. Just beware there may be compatibility issues, but I haven't come across any yet.

Of course, you can always look for an alternative library. If you find one, please let us all know. I would prefer not to use the forced resolution.

david-gettins avatar Apr 29 '24 10:04 david-gettins

@iamacup ping

sobrinho avatar Jul 10 '24 11:07 sobrinho

Is there any update on this?? @iamacup

javigutierrezfer avatar Aug 06 '24 10:08 javigutierrezfer

@javigutierrezfer I use bun and fixed it by setting the patched version in overrides

"overrides": { "markdown-it": "14.0.0" }

Didn't notice any issues.

sainjay avatar Aug 06 '24 13:08 sainjay
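As an added example, not code from the thread or from the project, here is a small Node check for the force-resolutions/overrides workaround described above: it walks an npm lockfile (lockfileVersion 2/3 `packages` map) and reports every copy of `markdown-it` still below the floor version, since an override that only replaced the top-level copy leaves a nested one under react-native-markdown-display unpatched. The lockfile contents are a constructed sample, and the 14.0.0 floor is the version the comment above reports as working.

```javascript
// Added example: verify that a markdown-it override/resolution reached every
// copy in the lockfile, not just the top-level one. Parses the "packages" map
// of an npm lockfileVersion 2/3 file (constructed sample below).

const MIN_SAFE = '14.0.0'; // version the thread reports as working via overrides

// Compare two x.y.z version strings numerically; returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every lockfile entry for package `name` (top-level or nested),
// with its node_modules path and resolved version.
function findPackageVersions(lock, name) {
  const suffix = 'node_modules/' + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith('/' + suffix))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// List copies of `name` still below `minVersion`; an empty array means the
// override/resolution took effect everywhere.
function findVulnerableCopies(lock, name, minVersion) {
  return findPackageVersions(lock, name)
    .filter(({ version }) => compareSemver(version, minVersion) < 0);
}

// Constructed sample lockfile: the top-level override applied, but a nested
// copy under react-native-markdown-display is still on the old 10.x line.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/react-native-markdown-display': { version: '7.0.0' },
    'node_modules/markdown-it': { version: '14.0.0' },
    'node_modules/react-native-markdown-display/node_modules/markdown-it': { version: '10.0.0' },
  },
};

// Human-readable report for the sample; pass a parsed real package-lock.json instead.
function report(lock) {
  return findVulnerableCopies(lock, 'markdown-it', MIN_SAFE)
    .map(({ path, version }) => `${path}: ${version} < ${MIN_SAFE}`);
}
```

To check a real project, `JSON.parse` its package-lock.json and pass the result to `report`; an empty array means no stale copy remains.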

I'm also getting some upstream issues with markdown-it. Updating this dep might be helpful: https://github.com/markdown-it/markdown-it/issues/958 (see the linked issue inside, referring to the release of entities and the update of that dependency)

sergioisidoro avatar Aug 20 '24 12:08 sergioisidoro