Vulnerability in the package

[juanjoDiaz]

Reported by npm audit

│ Moderate │ Regular Expression Denial of Service │
│ Package │ underscore.string │
│ Patched in │ >=3.3.5 │
│ Dependency of │ markdown-magic [dev] │
│ Path │ markdown-magic > markdown-toc > remarkable > argparse > │
│ │ underscore.string │
│ More info │ https://npmjs.com/advisories/745 │

[tripflex]

I can confirm this as well, showing on mine that i'm using for generating awesome list https://github.com/tripflex/awesome-mongoose-os

[DavidWells]

Thanks for the report

Do you know if this is fixed upstream in these markdown-toc > remarkable > argparse?

[forresst]

Here is the current state:

argparse: no longer uses underscore since February 19, 2015 (version 1.0.0)

remarkable: a version change was made from 0.1.15 to 1.0.10 on July 21, 2019 but remarkable was not versioned (only the master contains the modification)

markdown-toc: uses remarkable (version 1.7.1) since version 1.0.0 of markdown-toc. Note: markdown-toc has an issue for this vulnerability

[DavidWells]

Thanks for the insight!

How can we fix this? (Hopefully without forking and maintaining all the upstream deps?)

Are folks using markdown-magic on a server where this ddos vulnerability would be an issue?

[DavidWells]

Fixed with markdown-magic@2.3.0