update marked dependency
#675
Conversation
|
Thanks for the PR @craigmichaelmartin. The test files need to be updated from another change so that's why they showed up. I need to go through and update various other dependencies so I may do this change in a separate commit but I appreciate knowing that there are vulnerability warnings coming through. |
|
Please merge and release. Trying to remove as a security vulnerability from our project. Thanks! |
|
Is there something preventing this from being merged? Security issues are not a small thing. Please kindly merge this :) Thank you. |
|
Thanks for merging this. Please ship a release post-haste! |
|
@chriskrycho this should be included in the 0.10.0 release. Another release is needed to fix an issue with the exclude not exported flag |
|
Hmm. I just updated to 0.10.0, and that's when GitHub flagged up the issue. 🤔 |
|
Interesting. Looks like all versions of marked have a Regex DOS vulnerability. See markedjs/marked#1039 for more details. We can update when a fix is issued. For reference, marked should currently be at version |
Thanks for this great tool!
Purpose: This PR updates the
markeddependency by bumping its patch version.Background:
marked@0.3.6 has two security vulnerabilities (https://nvd.nist.gov/vuln/detail/CVE-2017-1000427, https://nvd.nist.gov/vuln/detail/CVE-2017-17461). While these are not exposed given how typedoc usesmarked- the vulnerability warning is passed through to all repos that depend ontypedoc. This creates a burden of keeping track of what vulnerabilities are actual - and desensitizes the github tool.It is unclear why files beyond
package.jsonchanged. I noticed the same changes simply by cloning the repo and installing - so they don't seem related to this PR. If you'd like me to remove them from this PR, I'd be happy. Just let me know!