This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
marked (source)	`0.3.18` -> `4.0.10`

GitHub Vulnerability Alerts

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Convert to ESM (#2227) (4afb228)

BREAKING CHANGES

Default export removed. Use import { marked } from 'marked' or const { marked } = require('marked') instead.
/lib/marked.js removed. Use /marked.min.js in script tag instead.
When using marked in a script tag use marked.parse(...) instead of marked(...)

`v3.0.8`

Compare Source

Bug Fixes

walkTokens uses marked as this (#2251) (2da5885)

`v3.0.7`

Compare Source

Bug Fixes

use named exports only for ESM build (#2226)

`v3.0.6`

Compare Source

Bug Fixes

Remove esm interop (#2225) (4bc9121)

`v3.0.5`

Compare Source

Bug Fixes

Expose named exports for ESM build (#2223) (3959651)

`v3.0.4`

Compare Source

Bug Fixes

fix detection of orphaned emStrong delimiters (#2203) (7792adc)

`v3.0.3`

Compare Source

Bug Fixes

fix space at end of table line (#2201) (910f0f0)

`v3.0.2`

Compare Source

Bug Fixes

stop table at lines with only whitespace (#2188) (21268ab)

`v3.0.1`

Compare Source

Bug Fixes

fix gfm urls after link (#2186) (e03b5c1)

`v3.0.0`

Compare Source

Bug Fixes

Tokenizers lex their own child tokens (#2124) (288f1cb)
Add module field to package.json (#2143) (edc2e6d)
Drop node 10 support (#2157) (433b16f)
Full Commonmark compliance for Lists (#2112) (eb33d3b)
Refactor table tokens (#2166) (bc400ac)

BREAKING CHANGES

Drop support for node 10.
Add module field to package.json

Tokenizers will create their own tokens with this.lexer.inline(text, tokens). The inline function will queue the token creation until after all block tokens are created.
Extensions tokenizer this object will include the lexer as a property. this.inlineTokens becomes this.lexer.inline.
Extensions renderer this object will include the parser as a property. this.parseInline becomes this.parser.parseInline.
tag and inlineText tokenizer function signatures have changed.

nptable tokenizer is removed and merged with table tokenizer.
table tokens header property changed to contain an array of objects for each header cell with text and tokens properties.
table tokens cells property changed to rows and is an array of rows where each row contains an array of objects for each cell with text and tokens properties.

v2 table token:

{
  "type": "table",
  "align": [null, null],
  "raw": "| a | b |\n|---|---|\n| 1 | 2 |\n",
  "header": ["a", "b"],
  "cells": [["1", "2"]],
  "tokens": {
    "header": [
      [{ "type": "text", "raw": "a", "text": "a" }],
      [{ "type": "text", "raw": "b", "text": "b" }]
    ],
    "cells": [[
      [{ "type": "text", "raw": "1", "text": "1" }],
      [{ "type": "text", "raw": "2", "text": "2" }]
    ]]
  }
}

v3 table token:

{
  "type": "table",
  "align": [null, null],
  "raw": "| a | b |\n|---|---|\n| 1 | 2 |\n",
  "header": [
    {
      "text": "a",
      "tokens": [{ "type": "text", "raw": "a", "text": "a" }]
    },
    {
      "text": "b",
      "tokens": [{ "type": "text", "raw": "b", "text": "b" }]
    }
  ],
  "rows": [
    {
      "text": "1",
      "tokens": [{ "type": "text", "raw": "1", "text": "1" }]
    },
    {
      "text": "2",
      "tokens": [{ "type": "text", "raw": "2", "text": "2" }]
    }
  ]
}

`v2.1.3`

Compare Source

Bug Fixes

update commonmark spec to v0.30 (#2113) (62d6a0e)

`v2.1.2`

Compare Source

Bug Fixes

add Node.js 10 to CI and loosen engines field (#2119) (8659353)

`v2.1.1`

Compare Source

Bug Fixes

fix node v12 (#2109) (af14068)

`v2.1.0`

Compare Source

Features

Custom Tokenizer/Renderer extensions (#2043) (5be9d6d)

`v2.0.7`

Compare Source

Bug Fixes

em strong (#2075) (825a9f8)

`v2.0.6`

Compare Source

Bug Fixes

fix autolink email after single space (#2073) (6c9a899)

`v2.0.5`

Compare Source

Bug Fixes

call walkTokens when calling marked with a callback(#2060) (1d97308)

`v2.0.4`

Compare Source

Bug Fixes

Fix indented markdown in html (#2052) (6435ac9)

`v2.0.3`

Compare Source

Bug Fixes

actually add a type property to the def token (#2002) (47e65cf)

`v2.0.2`

Compare Source

Bug Fixes

add type property on def token (#2001) (009427f)

`v2.0.1`

Compare Source

Bug Fixes

fix items between lists (#1936) (46cdfc1)

`v2.0.0`

Compare Source

Bug Fixes

Join adjacent inlineText tokens (#1926) (f848e77)
Total rework of Emphasis/Strong (#1864) (7293251)

BREAKING CHANGES

em and strong tokenizers have been merged into one emStrong tokenizer.
code and text tokenizers do not get passed all tokens as a second parameter.
No longer supporting IE 11. IE 11 may still work but we are not committed to making sure it works with every update. We still provide an es5 version in lib/marked.js but some pollyfills may be needed for IE 11 in the future.

`v1.2.9`

Compare Source

Bug Fixes

allow sublist to be single space in pedantic (#1924) (1e36afd)

`v1.2.8`

Compare Source

Bug Fixes

leave whitespace only lines alone (#1889) (53c79ee)

`v1.2.7`

Compare Source

Bug Fixes

Replace use of startsWith and endsWith with regex for IE11 (#1877) (4fdde20), closes #1876

`v1.2.6`

Compare Source

Bug Fixes

fix atx heading and make regex safe (#1853) (70ee29c) possible breaking change: When using the block.heading rule the text provided in capture group 2 will not be trimmed of whitespace.
fix link with angle brackets around href (#1851) (656c3e4)

`v1.2.5`

Compare Source

Bug Fixes

fix em and strong starting with special char (#1832) (f9bc93b)
task lists not rendered when GFM is disabled (#1825) (3942e89), closes #1823

`v1.2.4`

Compare Source

Bug Fixes

no strikethrough on different number of tildes (#1821) (d79f210)

Possible Breaking Change: When using the inline.del rule the text is provided in capture group 2 instead of 1.

`v1.2.3`

Compare Source

Bug Fixes

list alignment (#1810) (5f9cafd)

`v1.2.2`

Compare Source

Bug Fixes

remove string.repeat for ie11 (#1772) (2707070)

`v1.2.1`

Compare Source

re-release of v 1.1.2 since semantic release picked up the wrong version

`v1.2.0`

Compare Source

Features

Add dry run capabilities to default slugger #1728
Parse inline #1761

Fixes

Fix html comments #1739
Fix line break #1746
Fix indented tables to follow gfm spec #1748
Fix underscore adjacent to asterisk #1755

Dependencies

Regenerate lock file #1736

Documentation

Add api dingus for babelmark #1742
Update docs to use static build step and clean URLs via Vercel #1749

`v1.1.2`

Compare Source

Bug Fixes

fix indented code in list item (#1762) (6355ac2)

`v1.1.1`

Compare Source

Fixes

Fix image links with escaped brackets #1683
Fix async highlight not async #1685
Fix ordered lists that use ) delimiter #1704
Pass many more Em and Strong tests #1686 (Thanks @calculuschild)

Docs

Add favicon #1710
Decode hash #1712
Clarify level of support for Markdown flavors #1720
Fix quick ref #1729

Scripts

Add npm run rules #1726

`v1.1.0`

Compare Source

Features

Add walkTokens option #1664

Fixes

Fix renderer.code includes space at beginning of each line of code #1645
Fix codespan newline #1652
Fix comma after underscore emphasis #1660
Fix loose task list with no tokens #1674
Add browser field in package.json pointing to es5 output #1661
Add newline to rendered code with language #1670
Fix async highlighter walking all tokens #1664

Docs

Add tokenizer to option docs #1662

`v1.0.0`

Compare Source

Breaking changes

Add inline tokens to marked.lexer output #1627
Treat escape token same way as plain text tokens #1642
Add Tokenizer to allow extending token creation #1637

Features

Add marked.use() method to extend options #1646

Fixes

Fix intra-word emphasis can match the wrong asterisks #1636
Fix italics modifier (_) breaks links containing underscores #1641
Fix closing delimited * incorrect for consecutive ocurrences #1644

Docs

Fix lexer data token in demo #1638

CI

Move to GitHub Actions #1635
Update devDependencies #1648

`v0.8.2`

Compare Source

Fixes

Add html to TextRenderer for html in headings #1622
Remove html tags in heading ids #1622

Docs

Update comment about GitHub breaks #1620

`v0.8.1`

Compare Source

Fixes

Fix marked --help #1588
Fix GFM Example 116 code fences #1600
Send inline html to renderer #1602 (fixes #1601)
Improve docs example for invoking highlight.js #1603
Fix block-level elements breaking tables #1598 (fixes #1467)
break nptables on block-level structures #1617

`v0.8.0`

Compare Source

Breaking changes

Remove substitutions #1532
Separate source into modules #1563 #1572 #1573 #1575 #1576 #1581

Fixes

Fix relative urls in baseUrl option #1526
Loose task list #1535
Fix image parentheses #1557
remove module field & update devDependencies #1581

Docs

Update examples with es6+ #1521
Fix link to USING_PRO.md page #1552
Fix typo in USING_ADVANCED.md #1558
Node worker threads are stable #1555

Dev Dependencies

Update deps #1516
Update eslint #1542
Update htmldiffer async matcher #1543

`v0.7.0`

Compare Source

Security

Sanitize paragraph and text tokens #1504
Fix ReDOS for links with backticks (issue #1493) #1515

Breaking Changes

Deprecate sanitize and sanitizer options #1504
Move fences to CommonMark #1511
Move tables to GFM #1511
Remove tables option #1511
Single backtick in link text needs to be escaped #1515

Fixes

Fix parentheses around a link #1509
Fix headings (issue #1510) #1511

Tests

Run tests with correct options #1511

`v0.6.3`

Compare Source

Fixes

Fix nested blockquotes #1464
Fix <em> issue with mixed content #1451
revert #1464 #1497
Fix breaks: true #1507

Docs

add docs for workers #1432
Add security policy #1492
Update supported spec versions #1491
Update test folder descriptions #1506

DevOps

Use latest commit for demo master #1457
Update tests to commonmark 0.29 #1465
Update tests to GFM 0.29 #1470
Fix commonmark spec 57 and 40 (headings) #1475

`v0.6.2`

Compare Source

Security

Link redos #1426
Text redos #1460

Fixes

Links parens #1435
New line after table with escaped pipe #1439
List item tables #1446

Enhancements

Pass token boolean to the listitem function #1440
Allow html without \n after #1438

CLI

Update man page to include --test and fix argv parameters #1442
Add a --version flag to print marked version #1448

Testing

Normalize marked tests #1444
Update tests to node 4 syntax #1449

`v0.6.1`

Compare Source

Fixes

Fix parenthesis url redos #1414

Docs

Update demo site to use a worker #1418
Update devDependencies to last stable #1409
Update documentation about extending Renderer #1417
Remove --save option as it isn't required anymore #1422
Add snyk badge #1420

`v0.6.0`

Compare Source

Breaking Changes

Drop support for Node v0.10 and old browsers such as Internet Explorer
- You should not have any problems if using Node 4+ or a modern browser
Add parameter slugger to Renderer.prototype.heading method #1401
- You should not have any problems if you do not override this method

New Features

Add new export marked.Slugger #1401

Fixes

Fix emphasis followed by a punctuation #1383
Fix bold around autolink email address #1385
Make autolinks case insensitive #1384
Make code fences compliant with Commonmark spec #1387
Make blockquote paragraph continuation compliant with Commonmark spec #1394
Make ordered list marker length compliant with Commonmark spec #1391
Make empty list items compliant with Commonmark spec #1395
Make tag escaping compliant with Commonmark spec #1397
Make strong/bold compliant with Commonmark spec #1400
Fix handling of adjacent lists #684
Add better error handling when token type cannot be found #1005
Fix duplicate heading id and non-latin characters #1401

CLI

Pretty print ENOENT errors on cli #1396
Update repo url in man #1403

Docs

Fix breaks option description #1381
Update docs to include "Since" version #1382
Add defibrillator badge for @mccraveiro #1392

Tests

Remove old test covered by gfm/cm #1389

`v0.5.2`

Compare Source

Bug Fixes

Fix emphasis closing by single _ (part of left-flanking run) #1351
Make URL handling consistent between links and images #1359

Other

Add missing semicolons, add lint rule #1340
Make Steven (@styfle) a npm publisher #1346
Fix typo in docs: responsibility #1364
Add the ability to specify options on the demo page as JSON #1357
- Show red border when JSON options are invalid #1360
Move license file back to root dir #1356
Fix builds: remove node v0.10 from travis matrix #1366
- This does not a break compatibility in this release but it will a future release
Add files key to package.json to prevent publishing unused files #1367

`v0.5.1`

Compare Source

Security

Fix inline code regex and prevent REDOS #1337
Use @markedjs/html-differ to prevent REDOS #1331

Bug Fixes

Fix typographic substitution in (pre|code|kbd|script) blocks when smartypants=true #1335
Fix auto-linking email address #1338

Other

Refactor the escape() function to improve performance 10-20% #975
Update copyright in source code #1326
Update benchmark tests #1019
Add dependency badges to readme #1333

`v0.5.0`

Compare Source

Security

Use rtrim, not unsafe /X+$/ #1260

Breaking Changes

Fix GFM empty table cells #1262
Fix GFM extended auto-linking requiring multiple backpedals #1293
Fix GFM strikethrough compatibility #1258
Fix issues link references and prototypes #1299
Fix hard line break when backslash at EOL #1303
Fix hyperlinks with parenthesis #1305
Fix loose lists #1304
Fix strong and em #1315

Docs

Fix typo in USING_ADVANCED.md #1276
Add pictures to AUTHORS.md #1272
Change badge to latest version of marked #1300
Change badges from shields.io to badgen.net #1317
Use iframe to sandbox generated html #1295
Add additional links into readme #1310
Add missing parameters for renderer methods #1311
Add undocumented option descriptions #1312
Add navigation sidebar to the docs #1316

CI

Change travis clone depth to 3 #1270

`v0.4.0`

Compare Source

Security Fixes

Fix unsafe heading regex (#1224)
Fix unsafe link regex (#1223, #1227)

New Features

Add option to disable heading ids (#1190)
Add support for GFM Task Lists to comply with the GFM spec (#1250)

Breaking Changes

Fix escaping pipes in tables (#1239)
Fix html output for tables to match GFM spec (#1245)
Fix many bugs to reach parity with CommonMark spec (#1135)
Fix new Renderer() so it uses default options (#1203)
Fix text and paragraph return types (#1248) (#1249)
Fix <em> less than 3 chars (#1181)
Fix <pre> code blocks so there is no more trailing \n (#1266)
Fix default langPrefix to follow CommonMark standard language- (#1265)

CLI Changes

Add string argument to CLI (#1182)
Change CLI stdio to remove warning (#994)

Other changes

Lint all the things (#1185)
Improved testing and DevOps (#1160, #1210, #1220, #1228, #1219, #1256)
Update documentation and demos (#1196, #1197, #1204, #1207, #1221, #1233, #1217, #1240, #1244, #1253)

`v0.3.19`

Compare Source

0.3.18 did not have changes to min.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

Jan 14 '22 21:01 renovate[bot]

Codecov Report

Merging #5164 (a185b53) into next (26f1b98) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##             next    #5164   +/-   ##
=======================================
  Coverage   31.03%   31.03%           
=======================================
  Files           6        6           
  Lines         232      232           
  Branches       50       50           
=======================================
  Hits           72       72           
  Misses        154      154           
  Partials        6        6

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

Jan 14 '22 21:01 codecov[bot]

Renovate Ignore Notification

As this PR has been closed unmerged, Renovate will ignore this upgrade and you will not receive PRs for any future 4.x releases. However, if you upgrade to 4.x manually then Renovate will reenable minor and patch updates automatically.

If this PR was closed by mistake or you changed your mind, you can simply rename this PR and you will soon get a fresh replacement PR opened.

Sep 01 '22 03:09 renovate[bot]

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

Sep 02 '23 00:09 github-actions[bot]

ant-design-vue ant-design-vue copied to clipboard

chore(deps): update dependency marked to v4 [security]

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

References

For more information

Impact

Patches

Workarounds

References

For more information

Recommendation

Release Notes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

BREAKING CHANGES

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

BREAKING CHANGES

Bug Fixes

Bug Fixes

Bug Fixes

Features

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

BREAKING CHANGES

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

Features

Fixes

Dependencies

Documentation

Bug Fixes

Fixes

Docs

Scripts

Features

Fixes

Docs

Breaking changes

Features

Fixes

Docs

CI

Fixes

Docs

Fixes

Breaking changes

Fixes

Docs

ant-design-vue
ant-design-vue copied to clipboard