
Perceived vulnerability (uncontrolled resource consumption) related to `showdown`

Open · tyner opened this issue 9 months ago · 1 comment

When Sonatype scans shiny (version 1.10.0 and also previous ones), sonatype-2018-0667 comes up:

The showdown package is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. The hashHTMLBlocks parser defined in the hashHTMLBlocks.js file uses an unsafe regular expression to parse standalone HTML comments in user-supplied markdown. A remote attacker can exploit this vulnerability with markdown containing crafted HTML comments. This will result in catastrophic backtracking, causing affected applications to hang as they attempt to process the markdown.

For more information, refer to: https://github.com/meteor/meteor/issues/9731 https://github.com/showdownjs/showdown/issues/276

tyner, Mar 19 '25 12:03
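The hang described in the advisory comes from a regular expression that backtracks catastrophically on crafted comment text. As an added example (not showdown's or shiny's code), here is a linear-time scanner that isolates standalone HTML comment blocks with plain string searching instead of a regex; the function names hashHtmlComments and scanUnterminated and the placeholder format are assumptions for this demo.

```javascript
// Added example, not showdown's or shiny's code. Scans markdown for standalone
// HTML comments (opener at line start, closer followed only by whitespace to
// end of line) and swaps each for a placeholder, the job a hashHTMLBlocks
// pass does, but with indexOf instead of a regex so there is no backtracking.
// hashHtmlComments and the placeholder format are assumed names for this demo.
function hashHtmlComments(markdown) {
  const comments = [];
  const n = markdown.length;
  let out = "";
  let i = 0;
  let nextClose = -2; // -2: not searched yet, -1: no "-->" remains
  while (i < n) {
    const atLineStart = i === 0 || markdown[i - 1] === "\n";
    if (atLineStart) {
      let j = i;
      while (j < n && j - i < 3 && markdown[j] === " ") j++; // up to 3 spaces
      if (markdown.startsWith("<!--", j)) {
        // Re-use the last closer position when it still lies ahead; each
        // indexOf scans a disjoint span, so the whole pass stays linear.
        if (nextClose !== -1 && nextClose < j + 4) {
          nextClose = markdown.indexOf("-->", j + 4);
        }
        if (nextClose !== -1) {
          let k = nextClose + 3;
          while (k < n && (markdown[k] === " " || markdown[k] === "\t")) k++;
          if (k === n || markdown[k] === "\n") {
            comments.push(markdown.slice(i, k));
            out += `\u00a7HTML${comments.length - 1}\u00a7`;
            i = k;
            continue;
          }
        }
        // Unterminated or not standalone: leave the text alone and move on.
      }
    }
    out += markdown[i];
    i += 1;
  }
  return { text: out, comments };
}

// Constructed adversarial input: an opener followed by a long run that never
// closes. A backtracking regex can hang here; this scanner walks it once.
function scanUnterminated(repeats) {
  const md = "<!--" + " -".repeat(repeats) + "\n";
  const start = Date.now();
  const res = hashHtmlComments(md);
  return { comments: res.comments.length, unchanged: res.text === md, ms: Date.now() - start };
}
```

Calling scanUnterminated(100000) returns no comments and the text unchanged in a few milliseconds, which is the behaviour to check for in any replacement parser before trusting it with author-supplied markdown.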

Thanks for letting us know. The impact here is minimal: we only use showdown in a special app mode and only to render README.md files written by the app author. We do not use showdown to render arbitrary input from app users. Still, we should be able to remove the dependency on showdown entirely; see #4202.

gadenbuie, Mar 19 '25 12:03