From e70d7b42c9801da922e668bbd011a21ae1e52096 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]"
Date: Wed, 14 Nov 2018 14:44:13 -0500
Subject: [PATCH] [Security] Bump marked from 0.3.6 to 0.3.19 (#140)

Bumps [marked](https://github.com/markedjs/marked) from 0.3.6 to 0.3.19.
**This update includes security fixes.**
Vulnerabilities fixed

*Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/9ad1891d-443b-4ea0-b2f4-8fea2745533c).*

> **[CVE-2017-1000427] marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI...**
> marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.
>
> Affected versions: <=0.3.6

*Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/934cfc24-3eba-4ebb-8bac-b53b7ed08c59).*

> **CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')**
> The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
>
> Affected versions: <=0.3.6

*Sourced from The GitHub Security Advisory Database.*

> **High severity vulnerability that affects marked**
> The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.
>
> Affected versions: <0.3.9

*Sourced from The GitHub Security Advisory Database.*

> **Moderate severity vulnerability that affects marked**
> A Regular expression Denial of Service (ReDoS) vulnerability in the file marked.js of the marked npm package (tested on version 0.3.7) allows a remote attacker to overload and crash a server by passing a maliciously crafted string.
>
> Affected versions: < 0.3.9
Release notes

*Sourced from [marked's releases](https://github.com/markedjs/marked/releases).*

> ## 0.3.18 minified required new release
> 0.3.18 did not have changes to min.
>
> ## Minor fixes and updated docs
> - Supported Markdown flavors: CommonMark 0.28 and GitHub Flavored Markdown 0.28
> - Updates to our CI pipeline; we're all green! [#1098](https://github-redirect.dependabot.com/markedjs/marked/issues/1098) with the caveat that there is a test that needs to get sorted (help us out [#1092](https://github-redirect.dependabot.com/markedjs/marked/issues/1092))
> - Start ordered lists using the initial numbers from markdown lists ([#1144](https://github-redirect.dependabot.com/markedjs/marked/issues/1144))
> - Added GitHub Pages site for documentation https://marked.js.org/ ([#1138](https://github-redirect.dependabot.com/markedjs/marked/issues/1138))
>
> ## Processes and tools
> - The elephant in the room: A security vulnerability was discovered and fixed. Please note, if something breaks due to these changes, it was not our intent, and please let us know by submitting a PR or issue to course correct (the nature of the zero-major release and having security as a number one priority) [#1083](https://github-redirect.dependabot.com/markedjs/marked/issues/1083)
> - The other elephant in the room: We missed publishing a 0.3.16 release to GitHub; so, trying to make up for that a bit.
> - Updates to the project documentation and operations, you should check it out, just start with the README and you should be good.
> - New release PR template available [#1076](https://github-redirect.dependabot.com/markedjs/marked/issues/1076)
> - Updates to default PR and Issue templates [#1076](https://github-redirect.dependabot.com/markedjs/marked/issues/1076)
> - Lint checks + tests + continuous integration using Travis [#1020](https://github-redirect.dependabot.com/markedjs/marked/issues/1020)
> - Updated testing output [#1085](https://github-redirect.dependabot.com/markedjs/marked/issues/1085) & [#1087](https://github-redirect.dependabot.com/markedjs/marked/issues/1087)
>
> ## Fix capturing parens
> Fixes unintended breaking change from v0.3.14
>
> ## New year, new home
> - Marked has a new home under the MarkedJS org! Other advances soon to come.
> - Updated minifier.
> - Various parser fixes
>
> ## New Year, new Marked!
> - Addresses issue where some users might not have been able to update due to missing `use strict` [#991](https://github-redirect.dependabot.com/markedjs/marked/issues/991)
> - Parser fix [#977](https://github-redirect.dependabot.com/markedjs/marked/issues/977)
> - New way to perform tests with options and running individual tests [#1002](https://github-redirect.dependabot.com/markedjs/marked/issues/1002)
> - Improved test cases
> - Improved links
>
> ## Merry XSSmas
> We think with this version we have addressed most, if not all, known security vulnerabilities. If you find more, please let us know.
>
> ## XSS
> Should fix XSS issue discovered.
Commits

- [`5d1baa4`](https://github.com/markedjs/marked/commit/5d1baa4d7ca55b27cb08029ac785e98b6378fcf0) Merge pull request [#1157](https://github-redirect.dependabot.com/markedjs/marked/issues/1157) from markedjs/release-0.3.19
- [`a089991`](https://github.com/markedjs/marked/commit/a089991fe35e250e5bc3fbbb99fb4ccd515b61dd) Merge pull request [#64](https://github-redirect.dependabot.com/markedjs/marked/issues/64) from fidian/master
- [`ad6c7f9`](https://github.com/markedjs/marked/commit/ad6c7f91254c3d8ceb3354fcd7a18294e1cb2e4b) Merge pull request [#1156](https://github-redirect.dependabot.com/markedjs/marked/issues/1156) from UziTech/docs-navigation
- [`03e015c`](https://github.com/markedjs/marked/commit/03e015ca912ae4039862c73bd3cee8e04b589085) 0.3.19
- [`cf2def0`](https://github.com/markedjs/marked/commit/cf2def076f9b8c0ff9c09ae5be816f0605a976ef) minify
- [`29f4190`](https://github.com/markedjs/marked/commit/29f4190117eb59ff9f644bc17046d141343647cf) Ignore DS_Store on macos
- [`f29bceb`](https://github.com/markedjs/marked/commit/f29bceb025a31d95a6205d2fcfd6b2385905d8b9) Update publishing template ([#1154](https://github-redirect.dependabot.com/markedjs/marked/issues/1154))
- [`210eed7`](https://github.com/markedjs/marked/commit/210eed715b5c26f4db2b982236638ddde50159c7) Update badge template ([#1155](https://github-redirect.dependabot.com/markedjs/marked/issues/1155))
- [`9c01b83`](https://github.com/markedjs/marked/commit/9c01b83370792d9b0e6c2cb1903ca67191a76269) link to README.md
- [`fd9f444`](https://github.com/markedjs/marked/commit/fd9f44413301b5ba186f61db06b8ddfa1336a983) add github ribbon
- Additional commits viewable in [compare view](https://github.com/markedjs/marked/compare/v0.3.6...v0.3.19)

[![Dependabot compatibility score](https://api.dependabot.com/badges/compatibility_score?dependency-name=marked&package-manager=npm_and_yarn&previous-version=0.3.6&new-version=0.3.19)](https://dependabot.com/compatibility-score.html?dependency-name=marked&package-manager=npm_and_yarn&previous-version=0.3.6&new-version=0.3.19)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
--- package-lock.json | 5 ----- yarn.lock | 4 ++-- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/package-lock.json b/package-lock.json index 21f0a40..5f993e9 100644 --- a/package-lock.json +++ b/package-lock.json @@ -10935,11 +10935,6 @@ "integrity": "sha512-NcWuJFHDA8V3wkDgR/j4+gZx+YQwstPgfQDV8ndUeWWzta3dnDTBxpVzqS9lkmJAuV5YX35lmyojl6HO5JXAgw==", "dev": true }, - "marked": { - "version": "0.3.12", - "resolved": "https://registry.npmjs.org/marked/-/marked-0.3.12.tgz", - "integrity": "sha512-k4NaW+vS7ytQn6MgJn3fYpQt20/mOgYM5Ft9BYMfQJDz2QT6yEeS9XJ8k2Nw8JTeWK/znPPW2n3UJGzyYEiMoA==" - }, "masonry-layout": { "version": "4.2.1", "resolved": "https://registry.npmjs.org/masonry-layout/-/masonry-layout-4.2.1.tgz", diff --git a/yarn.lock b/yarn.lock index ac0c206..edeedbf 100644 --- a/yarn.lock +++ b/yarn.lock @@ -5923,8 +5923,8 @@ markdown-table@^1.1.0: resolved "https://registry.yarnpkg.com/markdown-table/-/markdown-table-1.1.1.tgz#4b3dd3a133d1518b8ef0dbc709bf2a1b4824bc8c" marked@^0.3.6: - version "0.3.6" - resolved "https://registry.yarnpkg.com/marked/-/marked-0.3.6.tgz#b2c6c618fccece4ef86c4fc6cb8a7cbf5aeda8d7" + version "0.3.19" + resolved "https://registry.yarnpkg.com/marked/-/marked-0.3.19.tgz#5d47f709c4c9fc3c216b6d46127280f40b39d790" masonry-layout@^4.1.0: version "4.2.0"
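Review bot: the package-lock.json hunk deletes the `marked` entry (previously pinned at 0.3.12, which already disagreed with the 0.3.6 recorded in yarn.lock) instead of updating it to 0.3.19, so after this patch package-lock.json carries no resolved version or `integrity` hash for marked at all and an `npm install` from that lockfile is no longer pinned to the fixed release. If npm is still used to install, regenerate package-lock.json so it records `"version": "0.3.19"` with a matching `integrity` line; if yarn.lock is the authoritative lockfile, remove the stale package-lock.json rather than leaving two lockfiles that disagree about which marked is installed.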
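Review bot: the yarn.lock hunk pins 0.3.19 only through the sha1 fragment on the `resolved` URL (`#5d47f709c4c9fc3c216b6d46127280f40b39d790`) and has no `integrity` line, whereas the package-lock.json side of the same patch records sha512 `integrity` values for its entries; regenerating yarn.lock with a Yarn release that writes `integrity` fields would give the new tarball the stronger checksum before this is merged.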