Update dependency containing moderate security flaw #126

Merged
merged 1 commit into from
Oct 4, 2019

Conversation

@dialex (Contributor) commented Sep 19, 2019

@robatwilliams (Collaborator)

Follows discussion started on this issue starting at #122 (comment)

@robatwilliams robatwilliams changed the title fix moderate security flaw Update dependency containing moderate security flaw Sep 19, 2019

@robatwilliams (Collaborator)

Continuing from the discussion on the unrelated issue...

Sorry 🤦‍♂ ... I didn't remember that the caret works differently below version 1.

I'll try and get round to checking this against some real content and doing a release.

@robatwilliams (Collaborator)

Works fine on our content. AppVeyor problem is something with latest Node 12; ignoring.

@robatwilliams robatwilliams merged commit e4d588d into lukeapage:master Oct 4, 2019
@robatwilliams (Collaborator)

Wait until markedjs/marked#1456 fix is released (it was merged yesterday) before doing a release.

There have been many breaking changes (although they are fixes) to marked since the 0.3.5 version that was originally installed in this project. They look safe enough, but it's over 4 years' worth of changes, and I don't have time to deal with any issues they may cause for consumers of this library. I would rather keep the latest version stable, so I'm not doing a release.

Anyone who uses this library to process content that's outside their own control and is concerned about the vulnerability, should be able to use npm audit fix as described here to force-upgrade the transitive dependency (ignore the likely semver warning).

@dialex (Contributor, Author) commented Apr 25, 2020

@robatwilliams I see this has been merged to master, yet no release was made in the last 6 months. The latest release (1.3.1) on NPM is 2 years old!

Can you please push the latest master to npm, so we can update our packages and solve the vulnerability once and for all?

@robatwilliams (Collaborator)

I'm afraid I don't use this anymore. See my previous comment regarding 4 years' worth of marked changes.

@dialex (Contributor, Author) commented Apr 25, 2020

I see. Did the tests fail for this branch? If not, there's not much risk in releasing. Still, you could simply release a major version 2.0.0 and highlight it as a version with breaking changes:

  • Whoever wants to stay behind, fine, they can use 1.3.1.
  • Whoever needs to fix security vulnerabilities, we'll take the risk and use 2.0.0.

At least that way we have a choice. What do you think?

@robatwilliams (Collaborator)

I can publish 2.0.0-beta.0 if @lukeapage can give me publishing rights please.
