This repository has been archived by the owner on Feb 28, 2023. It is now read-only.

chore(deps): update dependency marked to 4.0.10 [security] #237

Open
wants to merge 1 commit into base: master

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jun 27, 2022

Mend Renovate

This PR contains the following updates:

Package Change
marked 2.1.3 -> 4.0.10

GitHub Vulnerability Alerts

CVE-2022-21680

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings.
PoC is the following.

import * as marked from "marked";

// Crafted reference definition: the long runs of spaces around the destination
// drive the block.def regular expression into catastrophic backtracking.
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

CVE-2022-21681

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.

import * as marked from 'marked';

// A reference definition followed by a run of escaped brackets and unclosed
// parentheses drives the inline.reflinkSearch regular expression into
// catastrophic backtracking (each `\\[\\](` in the template literal is `\[\](` in the input).
console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:


Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot changed the title chore(deps): update dependency marked to 4.0.10 [SECURITY] chore(deps): update dependency marked to 4.0.10 [security] Jun 28, 2022
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 8 times, most recently from 1bc8058 to 9e59b76 on July 4, 2022 21:41
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 5 times, most recently from 22aa824 to 8585754 on July 11, 2022 15:46
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 9 times, most recently from c5010f9 to 3d1ecd1 on July 19, 2022 13:10
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 3 times, most recently from d0411f5 to 4d81436 on July 24, 2022 23:05
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from c919aee to 1208673 on July 27, 2022 23:13
@renovate renovate bot deleted the renovate/npm-marked-vulnerability branch December 9, 2022 16:38
@renovate renovate bot changed the title chore(deps): update dependency marked to 4.0.10 [security] - autoclosed chore(deps): update dependency marked to 4.0.10 [security] Dec 13, 2022
@renovate renovate bot reopened this Dec 13, 2022
@renovate renovate bot restored the renovate/npm-marked-vulnerability branch December 13, 2022 16:25
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from 990c6c1 to 5b06664 on December 13, 2022 16:36
@renovate renovate bot changed the title chore(deps): update dependency marked to 4.0.10 [security] Update dependency marked to 4.0.10 [SECURITY] Dec 17, 2022
@renovate renovate bot changed the title Update dependency marked to 4.0.10 [SECURITY] chore(deps): update dependency marked to 4.0.10 [security] Dec 17, 2022
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 4 times, most recently from 40495ba to 9188e78 on December 28, 2022 20:18
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 5 times, most recently from 8f45113 to 754de90 on January 4, 2023 16:21
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from 371b11d to f914643 on January 21, 2023 06:01
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from 909de5e to 2d7f1eb on February 2, 2023 17:30
@renovate renovate bot changed the title chore(deps): update dependency marked to 4.0.10 [security] chore(deps): update dependency marked to 4.0.10 [security] - autoclosed Feb 8, 2023
@renovate renovate bot closed this Feb 8, 2023
@renovate renovate bot deleted the renovate/npm-marked-vulnerability branch February 8, 2023 02:14
@renovate renovate bot changed the title chore(deps): update dependency marked to 4.0.10 [security] - autoclosed chore(deps): update dependency marked to 4.0.10 [security] Feb 8, 2023
@renovate renovate bot reopened this Feb 8, 2023
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from 6db5f15 to e2cc29f on February 17, 2023 17:29
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from e2cc29f to 5b504ed on February 24, 2023 12:28
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from 5b504ed to 3454a32 on February 25, 2023 03:11