From 6159ed1383b82639c184e722138f236d4d1609cb Mon Sep 17 00:00:00 2001 From: Jeroen Akkerman Date: Fri, 14 Jan 2022 23:23:54 +0100 Subject: [PATCH] Update marked to resolve security vulnerability --- CHANGELOG.md | 1 + package-lock.json | 30 +++++++++++++++--------------- package.json | 4 ++-- src/js/easymde.js | 4 ++-- types/easymde.d.ts | 5 +++-- 5 files changed, 23 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c2929f0..907ae9a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] ### Fixed - Incorrect initial line and column count in status bar. +- Security issue in `marked` dependency. ## [2.16.0] - 2022-01-11 ### Added diff --git a/package-lock.json b/package-lock.json index d407c13..b26624d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -10,10 +10,10 @@ "license": "MIT", "dependencies": { "@types/codemirror": "^5.60.4", - "@types/marked": "^3.0.1", + "@types/marked": "^4.0.1", "codemirror": "^5.63.1", "codemirror-spell-checker": "1.1.2", - "marked": "^3.0.4" + "marked": "^4.0.10" }, "devDependencies": { "browserify": "^17.0.0", @@ -192,9 +192,9 @@ "integrity": "sha512-C6N5s2ZFtuZRj54k2/zyRhNDjJwwcViAM3Nbm8zjBpbqAdZ00mr0CFxvSKeO8Y/e03WVFLpQMdHYVfUd6SB+Hw==" }, "node_modules/@types/marked": { - "version": "3.0.3", - "resolved": "https://registry.npmjs.org/@types/marked/-/marked-3.0.3.tgz", - "integrity": "sha512-ZgAr847Wl68W+B0sWH7F4fDPxTzerLnRuUXjUpp1n4NjGSs8hgPAjAp7NQIXblG34MXTrf5wWkAK8PVJ2LIlVg==" + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/@types/marked/-/marked-4.0.1.tgz", + "integrity": "sha512-ZigEmCWdNUU7IjZEuQ/iaimYdDHWHfTe3kg8ORfKjyGYd9RWumPoOJRQXB0bO+XLkNwzCthW3wUIQtANaEZ1ag==" }, "node_modules/@types/node": { "version": "14.18.5", 
@@ -5328,11 +5328,11 @@ } }, "node_modules/marked": { - "version": "3.0.8", - "resolved": "https://registry.npmjs.org/marked/-/marked-3.0.8.tgz", - "integrity": "sha512-0gVrAjo5m0VZSJb4rpL59K1unJAMb/hm8HRXqasD8VeC8m91ytDPMritgFSlKonfdt+rRYYpP/JfLxgIX8yoSw==", + "version": "4.0.10", + "resolved": "https://registry.npmjs.org/marked/-/marked-4.0.10.tgz", + "integrity": "sha512-+QvuFj0nGgO970fySghXGmuw+Fd0gD2x3+MqCWLIPf5oxdv1Ka6b2q+z9RP01P/IaKPMEramy+7cNy/Lw8c3hw==", "bin": { - "marked": "bin/marked" + "marked": "bin/marked.js" }, "engines": { "node": ">= 12" @@ -9060,9 +9060,9 @@ "integrity": "sha512-C6N5s2ZFtuZRj54k2/zyRhNDjJwwcViAM3Nbm8zjBpbqAdZ00mr0CFxvSKeO8Y/e03WVFLpQMdHYVfUd6SB+Hw==" }, "@types/marked": { - "version": "3.0.3", - "resolved": "https://registry.npmjs.org/@types/marked/-/marked-3.0.3.tgz", - "integrity": "sha512-ZgAr847Wl68W+B0sWH7F4fDPxTzerLnRuUXjUpp1n4NjGSs8hgPAjAp7NQIXblG34MXTrf5wWkAK8PVJ2LIlVg==" + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/@types/marked/-/marked-4.0.1.tgz", + "integrity": "sha512-ZigEmCWdNUU7IjZEuQ/iaimYdDHWHfTe3kg8ORfKjyGYd9RWumPoOJRQXB0bO+XLkNwzCthW3wUIQtANaEZ1ag==" }, "@types/node": { "version": "14.18.5", @@ -13192,9 +13192,9 @@ } }, "marked": { - "version": "3.0.8", - "resolved": "https://registry.npmjs.org/marked/-/marked-3.0.8.tgz", - "integrity": "sha512-0gVrAjo5m0VZSJb4rpL59K1unJAMb/hm8HRXqasD8VeC8m91ytDPMritgFSlKonfdt+rRYYpP/JfLxgIX8yoSw==" + "version": "4.0.10", + "resolved": "https://registry.npmjs.org/marked/-/marked-4.0.10.tgz", + "integrity": "sha512-+QvuFj0nGgO970fySghXGmuw+Fd0gD2x3+MqCWLIPf5oxdv1Ka6b2q+z9RP01P/IaKPMEramy+7cNy/Lw8c3hw==" }, "matchdep": { "version": "2.0.0", diff --git a/package.json b/package.json index d64bc47..50c8249 100644 --- a/package.json +++ b/package.json 
@@ -20,10 +20,10 @@
 "author": "Jeroen Akkerman",
 "dependencies": {
 "@types/codemirror": "^5.60.4",
- "@types/marked": "^3.0.1",
+ "@types/marked": "^4.0.1",
 "codemirror": "^5.63.1",
 "codemirror-spell-checker": "1.1.2",
- "marked": "^3.0.4"
+ "marked": "^4.0.10"
 },
 "devDependencies": {
 "browserify": "^17.0.0",
diff --git a/src/js/easymde.js b/src/js/easymde.js
index ea4a839..cece3b0 100644
--- a/src/js/easymde.js
+++ b/src/js/easymde.js
@@ -12,7 +12,7 @@ require('codemirror/addon/search/searchcursor.js');
 require('codemirror/mode/gfm/gfm.js');
 require('codemirror/mode/xml/xml.js');
 var CodeMirrorSpellChecker = require('codemirror-spell-checker');
-var marked = require('marked/lib/marked');
+var marked = require('marked').marked;
 // Some variables
@@ -1986,7 +1986,7 @@ EasyMDE.prototype.markdown = function (text) {
 marked.setOptions(markedOptions);
 // Convert the markdown to HTML
- var htmlText = marked(text);
+ var htmlText = marked.parse(text);
 // Sanitize HTML
 if (this.options.renderingConfig && typeof this.options.renderingConfig.sanitizerFunction === 'function') {
diff --git a/types/easymde.d.ts b/types/easymde.d.ts
index e08a9ab..2aa161b 100644
--- a/types/easymde.d.ts
+++ b/types/easymde.d.ts
@@ -20,7 +20,8 @@
 // SOFTWARE.
 ///
-///
+
+import { marked } from 'marked';
 interface ArrayOneOrMore extends Array {
 0: T;
@@ -178,7 +179,7 @@ declare namespace EasyMDE {
 autoDownloadFontAwesome?: boolean;
 autofocus?: boolean;
 autosave?: AutoSaveOptions;
- autoRefresh?: boolean | { delay: number };
+ autoRefresh?: boolean | { delay: number; };
 blockStyles?: BlockStyleOptions;
 element?: HTMLElement;
 forceSync?: boolean;
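Review bot: `marked.parse(text)` still hands back un-sanitized HTML, and the branch just below it only runs a sanitizer when `renderingConfig.sanitizerFunction` is configured, so the dependency bump closes the library-side issue but leaves the default rendering path otherwise unchanged; a comment on the new line would make that explicit: `// marked.parse() returns raw HTML; it is only sanitized below when renderingConfig.sanitizerFunction is set`. Separately, `marked.setOptions(markedOptions)` two lines above configures the shared module singleton obtained by `require('marked').marked` in the first easymde.js hunk, so one editor's options leak into every other caller of marked on the page; marked 4 accepts options per call, so `var htmlText = marked.parse(text, markedOptions);` would avoid the global mutation (the `setOptions` call could then presumably be dropped, assuming nothing else relies on the changed defaults). `EasyMDE.prototype.markdown` starts before and continues past this hunk.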
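Review bot: Replacing the triple-slash reference with a top-level `import { marked } from 'marked';` turns `types/easymde.d.ts` into an external module, so the `declare namespace EasyMDE` seen in the next hunk's header stops being a script-scope global unless the file also carries `export as namespace EasyMDE;` (or an `export =`) somewhere outside this hunk; that part of the file is not in the patch, so it is worth confirming. The surviving `///` context line appears to be a `/// <reference types="..." />` directive whose tag was lost in this rendering rather than an empty comment, so the file now mixes the directive style and the import style; a one-line comment above the import saying why marked is imported rather than referenced would help the next reader.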