Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upcoming release plan for v4.0.0/3.6.7? Security vulnerabilities exist in the current v3.6.6 through marked and underscore #1908

Closed
seintun opened this issue Apr 23, 2021 · 1 comment
Closed

Upcoming release plan for v4.0.0/3.6.7? Security vulnerabilities exist in the current v3.6.6 through marked and underscore #1908

seintun opened this issue Apr 23, 2021 · 1 comment

Comments

@seintun
Copy link

seintun commented Apr 23, 2021
edited
Loading

Hello jsdoc maintainers/community!

Is there any upcoming planned release for v4.0.0? I saw a couple efforts and activities for v4.0.0 dev.

Raising the security vulnerability concerns for the community in the latest published v3.6.6 with underscore@1.10.2 and marked@0.8.2.

I noticed these libraries were removed in the master branch already, but not yet available in published form.

  1. Arbitrary Code Injection introduced through: jsdoc@3.6.6 › underscore@1.10.2
  2. Regular Expression Denial of Service (ReDoS) introduced through: jsdoc@3.6.6 › marked@0.8.2

Just noticed this helpful PR after posting: #1906

Thank you in advance!

References:
https://snyk.io/test/npm/jsdoc/3.6.6
https://snyk.io/vuln/SNYK-JS-MARKED-584281
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-23358
@seintun seintun changed the title Upcoming release plan for v4.0.0? Security vulnerabilities exist in the current v3.6.6 through marked and underscore Upcoming release plan for v4.0.0/3.6.7? Security vulnerabilities exist in the current v3.6.6 through marked and underscore Apr 23, 2021
dae added a commit to ankitects/anki that referenced this issue May 7, 2021
@dae
update JS deps
397e226 
Unfortunately we're still stuck with a security alert about underscore,
because the latest jsdoc uses an old underscore, and protobufjs depends
on it.

jsdoc/jsdoc#1908
@brettimus brettimus mentioned this issue May 7, 2021
Closed
@seintun
Copy link
Author

seintun commented May 17, 2021

Vulnerabilities are remediated in #1906
Closing this ticket as jsdoc@3.6.7 is published

JSDoc v3.6.7 is now available with updated dependencies.

@seintun seintun closed this as completed May 17, 2021
dae added a commit to ankitects/anki that referenced this issue May 17, 2021
@dae
update jsdoc
ec4ed98 
jsdoc/jsdoc#1908
@thinkingserious thinkingserious mentioned this issue May 18, 2021
Merged
1 task
@syonfox syonfox mentioned this issue Jun 1, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@seintun