
npm vulnerability reported #1009

Closed
mboughaba opened this issue Apr 10, 2019 · 11 comments
Labels
bug Functionality does not match expectation duplicate This duplicates another issue

Comments

@mboughaba

Dear,

The latest stable release and the new (beta?) release are both vulnerable.

```
> npm audit --registry https://registry.npmjs.org/

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  High            Cross-Site Scripting (XSS)
  Package         jquery
  Patched in      >=3.0.0
  Dependency of   typedoc [dev]
  Path            typedoc > typedoc-default-themes > jquery
  More info       https://npmjs.com/advisories/328

found 1 high severity vulnerability in 58619 scanned packages
  1 vulnerability requires manual review. See the full report for details.
```

```
> npm audit --registry https://registry.npmjs.org/

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Moderate        Regular Expression Denial of Service
  Package         marked
  Patched in      >=0.6.2
  Dependency of   typedoc [dev]
  Path            typedoc > marked
  More info       https://npmjs.com/advisories/812

found 1 moderate severity vulnerability in 58625 scanned packages
  1 vulnerability requires manual review. See the full report for details.
```
@mboughaba mboughaba added the bug Functionality does not match expectation label Apr 10, 2019
@aciccarello
Collaborator

Thanks for the report. This has actually already been reported in #978 and #994 and a fix has already been made. Once the TypeDoc theme has been released these will all be fixed.

@jeremymeng

@aciccarello The marked vulnerability is new and the fix requires version 0.6.2 or later. It looks like the current master branch has 0.6.0. Unless the mentioned fix is in another branch, I think another fix is needed.

@aciccarello aciccarello reopened this Apr 15, 2019
@aciccarello
Collaborator

Thanks for checking into this. TypeDoc should still pick up the latest patch so there shouldn't be an issue (GitHub doesn't report a vulnerability for marked on master) but we should update the package.json to ensure that a patched version is used.

@jeremymeng

@aciccarello Is there any ETA for the marked vulnerability fix in a pre-release version? I might need to disable typedoc dependency temporarily in our project if a fix is too far in the future.

jeremymeng added a commit to jeremymeng/azure-sdk-for-js that referenced this issue Apr 23, 2019
Canain pushed a commit to actions-on-google/actions-on-google-nodejs that referenced this issue Apr 23, 2019
1. Updated dependencies reported from running
yarn audit.

All high vulnerabilities have been fixed. The only remaining
one is coming from typedoc and typedoc-neo-theme. According
to TypeStrong/typedoc#1009 this
issue has already been reported.

Bug: 131167989
Change-Id: I974afeb03cfc398af4e8524fb3135200aa9d1c68
@Gerrit0
Collaborator

Gerrit0 commented May 11, 2019

Closing in favor of #994

@Gerrit0 Gerrit0 closed this as completed May 11, 2019
@Gerrit0 Gerrit0 added the duplicate This duplicates another issue label May 11, 2019
@AndrewCraswell

AndrewCraswell commented May 26, 2019

@Gerrit0 why was this closed in favor of #994? I don't see any mention of the marked vulnerability in that issue. It does seem there are multiple vulnerabilities being reported at the moment, but since all the issues related to marked have been closed, and #994 makes no explicit mention of marked, I'm afraid this work has been lost.

Unfortunately, I'm in the same predicament as @jeremymeng... our company has policies against using packages with vulnerabilities, and I need to go ahead and remove it from my repos :/

@Gerrit0
Collaborator

Gerrit0 commented May 27, 2019

Sorry about that, reopening. While the fix for marked is present in this repository, it hasn't been published yet. I'm unable to publish, and I know @aciccarello has been busy. He was working on a release last weekend but wasn't able to finish it in time.

To try to mitigate this issue at least partially I'm setting up a mirror package (@gerrit0/typedoc) which will have a new version published whenever new commits are merged into master here. I'd kind of like to do the same here, but that would require a major shift in how releases are done.

@danielnixon

Using yarn and its selective dependency resolutions you can work around this by adding the following to your package.json:

```json
  "resolutions": {
    "marked": "^0.6.2"
  },
```

@shihlinlu

Any idea when the next release will be published? I just downloaded TypeDoc today and noticed the vulnerability. I don't think NPM supports "resolutions".
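The audit reports above identify each finding by a dependency path plus a "Patched in" floor, and the workaround discussion turns on which copy of marked actually ends up installed under typedoc. As an added example (not code from the TypeDoc project or from anyone in this thread), the following Node script walks a package-lock.json lockfileVersion 1 dependency tree, reports every location at which a named package is installed in the same "a > b > c" notation npm audit uses, and flags copies below the patched floor. SAMPLE_LOCK, ADVISORIES and the function names are constructed for the example; the version numbers in the sample are chosen to mirror the two advisories quoted in this issue, not taken from any real lockfile.

```javascript
// Added example: find every install location of a package in a package-lock.json
// (lockfileVersion 1) tree and flag versions below an advisory's "Patched in"
// floor. Not from the TypeDoc project; names and sample data are constructed.

// Constructed lock data in npm's lockfileVersion 1 shape. A nested "dependencies"
// object mirrors node_modules, so "typedoc" carrying its own "marked" entry means
// node_modules/typedoc/node_modules/marked is a separate, older copy than the
// top-level node_modules/marked.
const SAMPLE_LOCK = {
  name: "sample-project",
  lockfileVersion: 1,
  dependencies: {
    typedoc: {
      version: "0.14.2",
      dev: true,
      requires: { marked: "^0.6.0", "typedoc-default-themes": "^0.5.0" },
      dependencies: {
        marked: { version: "0.6.0", dev: true },
      },
    },
    "typedoc-default-themes": {
      version: "0.5.0",
      dev: true,
      requires: { jquery: "^2.2.4" },
      dependencies: {
        jquery: { version: "2.2.4", dev: true },
      },
    },
    // the project's own direct dependency, already on a patched release
    marked: { version: "0.6.2" },
  },
};

// Advisory floors copied from the two audit reports in this thread.
const ADVISORIES = [
  { name: "jquery", patchedIn: "3.0.0" },
  { name: "marked", patchedIn: "0.6.2" },
];

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release/build suffixes ignored).
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// True when installed >= floor, the ">=X.Y.Z" form npm audit prints under "Patched in".
function isPatched(installed, floor) {
  const a = parseVersion(installed);
  const b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Depth-first walk of the lock tree. Returns one record per install location of
// `name`, using the same "a > b > c" path notation npm audit prints.
function findPackage(lock, name, floor) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [depName, entry] of Object.entries(deps || {})) {
      const path = [...trail, depName];
      if (depName === name) {
        hits.push({
          path: path.join(" > "),
          version: entry.version,
          patched: isPatched(entry.version, floor),
        });
      }
      walk(entry.dependencies, path); // nested copies live under entry.dependencies
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Every install location that is still below its advisory floor.
function unpatched(lock, advisories) {
  return advisories.flatMap((adv) =>
    findPackage(lock, adv.name, adv.patchedIn)
      .filter((hit) => !hit.patched)
      .map((hit) => ({ advisory: adv.name, floor: adv.patchedIn, ...hit })),
  );
}

for (const hit of unpatched(SAMPLE_LOCK, ADVISORIES)) {
  console.log(`VULN ${hit.path} @ ${hit.version} (patched in >=${hit.floor})`);
}
```

To check a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The walk only understands lockfileVersion 1, the format npm 5 and 6 wrote at the time of this thread; lockfileVersion 2 and 3 files carry a flat "packages" map keyed by node_modules path instead of a nested tree. The nested, unpatched copy under typedoc is exactly the case that yarn's "resolutions" collapses onto a single patched version; npm gained an equivalent "overrides" field in package.json much later (npm 8.3), which is why, at the time, the fix for npm users had to come from TypeDoc bumping its own marked range and publishing.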

@AndrewCraswell

Based on the latest release, I think this can be closed?

@Gerrit0
Collaborator

Gerrit0 commented Jul 27, 2019

Yep, this has been fixed with 0.15.0

@Gerrit0 Gerrit0 closed this as completed Jul 27, 2019
7 participants