Skip to content

chore(deps): update dependency marked to 4.0.10 [security] - autoclosed #901

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
renovate wants to merge 1 commit into from
Closed

chore(deps): update dependency marked to 4.0.10 [security] - autoclosed #901

renovate wants to merge 1 commit into from
+1,428 −2,122

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 9, 2022
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change
marked 2.1.3 -> 4.0.10

GitHub Vulnerability Alerts

CVE-2022-21681

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

CVE-2022-21680

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings.
PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the security label Feb 9, 2022
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from 190debf to 3899198 Compare February 11, 2022 16:26
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 3 times, most recently from 4ffba89 to ef3e3bf Compare February 24, 2022 21:37
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 6 times, most recently from 489ea72 to 3b4e0c5 Compare March 3, 2022 22:03
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 3 times, most recently from d4dc258 to c7bc730 Compare March 14, 2022 17:02
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 3 times, most recently from 6d7229f to 0175aa2 Compare March 21, 2022 21:54
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from 1578e63 to fcc5504 Compare April 1, 2022 00:18
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 5 times, most recently from fc87bd4 to 3a8c1da Compare April 14, 2022 18:55
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from 26e188a to 7e57bca Compare April 16, 2022 18:53
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 3 times, most recently from b9b4e2f to 2bc1e0f Compare May 2, 2022 12:12
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 3 times, most recently from e2e72d7 to 15cf7d8 Compare June 7, 2022 06:27
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from bbf446e to b775ad6 Compare June 15, 2022 21:46
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from a581df9 to 2788be6 Compare June 24, 2022 02:20
@renovate renovate bot changed the title chore(deps): update dependency marked to 4.0.10 [security] chore(deps): update dependency marked to 4.0.10 [SECURITY] Jun 27, 2022
@renovate renovate bot changed the title chore(deps): update dependency marked to 4.0.10 [SECURITY] chore(deps): update dependency marked to 4.0.10 [security] Jun 28, 2022
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from 2788be6 to 2074960 Compare June 30, 2022 00:07
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 3 times, most recently from 46f67f9 to 0af0c6c Compare July 17, 2022 14:12
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from 0af0c6c to 5399e59 Compare July 20, 2022 22:37
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from d5e288f to f6c03d0 Compare August 3, 2022 18:51
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from f6c03d0 to ec76b81 Compare August 10, 2022 20:28
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from 2f6576e to 35a3371 Compare August 21, 2022 17:19
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 4 times, most recently from aeed283 to 0b334ed Compare September 6, 2022 07:00
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from 2c79247 to 472fd04 Compare September 15, 2022 20:46
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from 472fd04 to a626712 Compare November 20, 2022 13:58
@renovate renovate bot changed the title chore(deps): update dependency marked to 4.0.10 [security] chore(deps): update dependency marked to 4.0.10 [security] - autoclosed Dec 6, 2022
@renovate renovate bot closed this Dec 6, 2022
@renovate renovate bot deleted the renovate/npm-marked-vulnerability branch December 6, 2022 11:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant