
deps: Update markdown-it to fix vulnerability warnings #204

Open · wants to merge 2 commits into base: master

Conversation

mthahzan (Author)

As shown on #202 markdown-it v10.x.x includes certain vulnerabilities which were fixed on subsequent versions. This updates the dependency to fix these vulnerabilities.

lernerb commented Apr 5, 2024

@iamacup Can we please fix this security vulnerability for the community?

david-gettins commented Apr 17, 2024

@mthahzan there is an update to the @types/markdown-it also. Currently it is at 14.0.1 which you haven't included in this PR.

Updated `@types/markdown-it` to new version
mthahzan (Author)

@david-gettins thanks! PR Updated.

Also, I noticed the latest version of markdown-it is 14.1.0 now. Didn't have the time to test it out to see if it works or not. If someone can verify, I can bump the version of that as well.

lautenschlager-dev

Any plans when this will be merged?

sainjay commented Apr 26, 2024

This vulnerability is still there. Kindly get this merged, otherwise we'll have to migrate to a different library.

david-gettins

If, like myself, you would like a temporary workaround for the audit issues, you can use force-resolutions to force the fixed version of markdown-it. Just beware there may be compatibility issues, but I haven't come across any yet.

Of course, you can always look for an alternative library. If you find one, please let us all know. I would prefer not to use the forced resolution.

sobrinho

@iamacup ping

javigutierrezfer

Is there any update on this?? @iamacup

sainjay commented Aug 6, 2024

@javigutierrezfer I use bun and fixed it by setting the patch version in overrides (in `package.json`):

```json
"overrides": {
  "markdown-it": "14.0.0"
}
```

Didn't notice any issues.
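An `overrides`/`resolutions` pin like the one above only helps if every copy of `markdown-it` in the lockfile, including transitive ones nested under other packages, actually resolves to the patched line. The following check is an added example, not code from this PR or from the project; the lockfile content is constructed, and the 14.0.0 threshold is assumed from the version this thread pins to.

```javascript
// Added example (not from the PR): scan a package-lock.json v2/v3 "packages"
// map for markdown-it installs older than the version the thread pins to,
// so you can confirm an overrides/resolutions pin really took effect.

const MIN_SAFE = "14.0.0"; // assumption: the version this PR bumps to

// Compare two "x.y.z" version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every resolved markdown-it entry below minSafe. Lockfile keys look
// like "node_modules/markdown-it" for the hoisted copy and
// "node_modules/<pkg>/node_modules/markdown-it" for nested copies; the
// suffix test deliberately skips "@types/markdown-it".
function findVulnerableMarkdownIt(lock, minSafe = MIN_SAFE) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/markdown-it") || !meta.version) continue;
    if (compareVersions(meta.version, minSafe) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile: the direct dependency was pinned, but a transitive
// copy under a plugin still resolves to the old 10.x line the PR replaces.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/markdown-it": { version: "14.0.0" },
    "node_modules/some-plugin": { version: "1.0.0" },
    "node_modules/some-plugin/node_modules/markdown-it": { version: "10.0.0" },
    "node_modules/@types/markdown-it": { version: "14.0.1" },
  },
};

console.log(findVulnerableMarkdownIt(sampleLock));
```

Run it against your real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result means no pre-14 copy of markdown-it remains.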

sergioisidoro commented Aug 20, 2024

I'm also getting some upstream issues with markdown-it. Updating this dep might be helpful:
markdown-it/markdown-it#958 (see the linked issue inside, referring to the release of entities and the update of that dependency)

AlimovSV commented Oct 9, 2024

@iamacup ping
