Update marked to resolve security vulnerability

2 years ago · 6159ed1383
parent a56badd0dc
commit 6159ed1383
5 changed files with 23 additions and 21 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Fixed
 - Incorrect initial line and column count in status bar.
+- Security issue in `marked` dependency.

 ## [2.16.0] - 2022-01-11
 ### Added
--- a/package-lock.json
+++ b/package-lock.json
@ -10,10 +10,10 @@
            "license": "MIT",
            "dependencies": {
                "@types/codemirror": "^5.60.4",
-                "@types/marked": "^3.0.1",
+                "@types/marked": "^4.0.1",
                "codemirror": "^5.63.1",
                "codemirror-spell-checker": "1.1.2",
-                "marked": "^3.0.4"
+                "marked": "^4.0.10"
            },
            "devDependencies": {
                "browserify": "^17.0.0",
@ -192,9 +192,9 @@
            "integrity": "sha512-C6N5s2ZFtuZRj54k2/zyRhNDjJwwcViAM3Nbm8zjBpbqAdZ00mr0CFxvSKeO8Y/e03WVFLpQMdHYVfUd6SB+Hw=="
        },
        "node_modules/@types/marked": {
-            "version": "3.0.3",
-            "resolved": "https://registry.npmjs.org/@types/marked/-/marked-3.0.3.tgz",
-            "integrity": "sha512-ZgAr847Wl68W+B0sWH7F4fDPxTzerLnRuUXjUpp1n4NjGSs8hgPAjAp7NQIXblG34MXTrf5wWkAK8PVJ2LIlVg=="
+            "version": "4.0.1",
+            "resolved": "https://registry.npmjs.org/@types/marked/-/marked-4.0.1.tgz",
+            "integrity": "sha512-ZigEmCWdNUU7IjZEuQ/iaimYdDHWHfTe3kg8ORfKjyGYd9RWumPoOJRQXB0bO+XLkNwzCthW3wUIQtANaEZ1ag=="
        },
        "node_modules/@types/node": {
            "version": "14.18.5",
@ -5328,11 +5328,11 @@
            }
        },
        "node_modules/marked": {
-            "version": "3.0.8",
-            "resolved": "https://registry.npmjs.org/marked/-/marked-3.0.8.tgz",
-            "integrity": "sha512-0gVrAjo5m0VZSJb4rpL59K1unJAMb/hm8HRXqasD8VeC8m91ytDPMritgFSlKonfdt+rRYYpP/JfLxgIX8yoSw==",
+            "version": "4.0.10",
+            "resolved": "https://registry.npmjs.org/marked/-/marked-4.0.10.tgz",
+            "integrity": "sha512-+QvuFj0nGgO970fySghXGmuw+Fd0gD2x3+MqCWLIPf5oxdv1Ka6b2q+z9RP01P/IaKPMEramy+7cNy/Lw8c3hw==",
            "bin": {
-                "marked": "bin/marked"
+                "marked": "bin/marked.js"
            },
            "engines": {
                "node": ">= 12"
@ -9060,9 +9060,9 @@
            "integrity": "sha512-C6N5s2ZFtuZRj54k2/zyRhNDjJwwcViAM3Nbm8zjBpbqAdZ00mr0CFxvSKeO8Y/e03WVFLpQMdHYVfUd6SB+Hw=="
        },
        "@types/marked": {
-            "version": "3.0.3",
-            "resolved": "https://registry.npmjs.org/@types/marked/-/marked-3.0.3.tgz",
-            "integrity": "sha512-ZgAr847Wl68W+B0sWH7F4fDPxTzerLnRuUXjUpp1n4NjGSs8hgPAjAp7NQIXblG34MXTrf5wWkAK8PVJ2LIlVg=="
+            "version": "4.0.1",
+            "resolved": "https://registry.npmjs.org/@types/marked/-/marked-4.0.1.tgz",
+            "integrity": "sha512-ZigEmCWdNUU7IjZEuQ/iaimYdDHWHfTe3kg8ORfKjyGYd9RWumPoOJRQXB0bO+XLkNwzCthW3wUIQtANaEZ1ag=="
        },
        "@types/node": {
            "version": "14.18.5",
@ -13192,9 +13192,9 @@
            }
        },
        "marked": {
-            "version": "3.0.8",
-            "resolved": "https://registry.npmjs.org/marked/-/marked-3.0.8.tgz",
-            "integrity": "sha512-0gVrAjo5m0VZSJb4rpL59K1unJAMb/hm8HRXqasD8VeC8m91ytDPMritgFSlKonfdt+rRYYpP/JfLxgIX8yoSw=="
+            "version": "4.0.10",
+            "resolved": "https://registry.npmjs.org/marked/-/marked-4.0.10.tgz",
+            "integrity": "sha512-+QvuFj0nGgO970fySghXGmuw+Fd0gD2x3+MqCWLIPf5oxdv1Ka6b2q+z9RP01P/IaKPMEramy+7cNy/Lw8c3hw=="
        },
        "matchdep": {
            "version": "2.0.0",
--- a/package.json
+++ b/package.json
@ -20,10 +20,10 @@
    "author": "Jeroen Akkerman",
    "dependencies": {
        "@types/codemirror": "^5.60.4",
-        "@types/marked": "^3.0.1",
+        "@types/marked": "^4.0.1",
        "codemirror": "^5.63.1",
        "codemirror-spell-checker": "1.1.2",
-        "marked": "^3.0.4"
+        "marked": "^4.0.10"
    },
    "devDependencies": {
        "browserify": "^17.0.0",
--- a/src/js/easymde.js
+++ b/src/js/easymde.js
@ -12,7 +12,7 @@ require('codemirror/addon/search/searchcursor.js');
 require('codemirror/mode/gfm/gfm.js');
 require('codemirror/mode/xml/xml.js');
 var CodeMirrorSpellChecker = require('codemirror-spell-checker');
-var marked = require('marked/lib/marked');
+var marked = require('marked').marked;


 // Some variables
@ -1986,7 +1986,7 @@ EasyMDE.prototype.markdown = function (text) {
        marked.setOptions(markedOptions);

        // Convert the markdown to HTML
-        var htmlText = marked(text);
+        var htmlText = marked.parse(text);

        // Sanitize HTML
        if (this.options.renderingConfig && typeof this.options.renderingConfig.sanitizerFunction === 'function') {
--- a/types/easymde.d.ts
+++ b/types/easymde.d.ts
@ -20,7 +20,8 @@
 // SOFTWARE.

 /// <reference types="codemirror"/>
-/// <reference types="marked"/>
+
+import { marked } from 'marked';

 interface ArrayOneOrMore<T> extends Array<T> {
    0: T;
@ -178,7 +179,7 @@ declare namespace EasyMDE {
        autoDownloadFontAwesome?: boolean;
        autofocus?: boolean;
        autosave?: AutoSaveOptions;
-        autoRefresh?: boolean | { delay: number };
+        autoRefresh?: boolean | { delay: number; };
        blockStyles?: BlockStyleOptions;
        element?: HTMLElement;
        forceSync?: boolean;