Current version of `marked` creates npm audit issue

Open joehuanguf opened this issue 5 years ago • 10 comments

npm is giving me a security issue with the current version of the marked dependency. It recommends that we upgrade to 0.7.0.

joehuanguf avatar Jul 25 '19 20:07 joehuanguf

Related: https://github.com/storybookjs/marksy/commit/2e7f73f59d3ef9ede8a4b1888c1c05fea0d20566

fabb avatar Jul 30 '19 09:07 fabb

@fabb I see that marked has been downgraded, but the issue has been fixed in the 0.7.0 patch.

lukemarsh avatar Aug 02 '19 13:08 lukemarsh

Yes. When marked is upgraded, the linked issue with sanitized inline elements will need fixing.

fabb avatar Aug 02 '19 13:08 fabb

@fabb I found that marked has been downgraded at version 8.0.0. But @storybook/addon-info still uses ^7.0.0. It also doesn't work. 😭

XGHeaven avatar Aug 19 '19 09:08 XGHeaven

marked is at 0.8.0 now. Is it possible to upgrade the marked version in package.json?

ranand avatar Feb 14 '20 19:02 ranand

> marked is at 0.8.0 now. Is it possible to upgrade the marked version in package.json?

Any word on this?

TheresaBeckerLR avatar Apr 10 '20 15:04 TheresaBeckerLR

Hi there!

Version 0.8.0 breaks a lot of tests and needs to be reviewed. I have a bit too much on my plate these days, but will look at it if I get a chance! 😄

christianalfoni avatar Apr 11 '20 14:04 christianalfoni

Any update on this?

ilias-t avatar Jun 04 '20 23:06 ilias-t

https://github.com/storybookjs/marksy/pull/98 should patch this up. The test failures were b/c of the CI configuration.

patsplat avatar Sep 02 '20 13:09 patsplat

Could you please update the following package due to vulnerabilities: marked to 4.0.10 or greater

This will resolve the vulnerability in marked (See CVE).

nikkypyra avatar Oct 04 '22 14:10 nikkypyra