## [1.0.15](v1.0.14...v1.0.15) (2026-04-07)

### Bug Fixes

* allow marked v18 ([#532](#532)) ([38cfd91](38cfd91))
🎉 This PR is included in version 1.0.15 🎉 The release is available on: Your semantic-release bot 📦🚀
Code Review
This pull request updates the marked dependency to version 18 and expands the peerDependencies range. Feedback identifies a critical security concern regarding potentially tampered lodash entries in the lockfile that refer to a non-existent version. Additionally, the reviewer noted that the PR includes many unrelated transitive dependency updates that should be isolated and recommended implementing a test matrix to ensure compatibility across the entire supported range of marked versions.
| "version": "4.17.23", | ||
| "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", | ||
| "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==", | ||
| "version": "4.18.1", |
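Review bot: the `version` field moves to 4.18.1, but the removed `resolved` and `integrity` lines in this hunk belong to the 4.17.23 tarball and the fragment shows no replacement `resolved`/`integrity` pair for 4.18.1. Please confirm the new entry's resolved URL and integrity really correspond to 4.18.1 (compare with `npm view lodash@4.18.1 dist.integrity`) and that `npm ci` succeeds from a clean checkout; a `version` that disagrees with its tarball name or hash is what a hand-edited or tampered lockfile looks like. If the registry has no such version, regenerating the lockfile with `npm install` from a clean tree should bring the entry back in line.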
The lodash and lodash-es packages have been updated to version 4.18.1, which is not a recognized release on the public npm registry (the current stable version is 4.17.21). Furthermore, the integrity hashes provided for these entries match those of version 4.17.21. This discrepancy suggests a corrupted or tampered package-lock.json file, which could pose a security risk. Please verify your dependencies and regenerate the lockfile using a clean npm install.
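The version/tarball mismatch described in the comment above can be caught mechanically before anything is installed. The following is an added example, not code from this PR or the project: a Node.js check over lockfileVersion 2/3 `packages` entries that flags any entry whose `version` disagrees with the version embedded in its `resolved` tarball name, or whose `integrity` is not a well-formed sha512 SRI value. The sample lockfile is constructed; the lodash entry copies the values from the hunk, and the marked integrity is a dummy placeholder, not the real hash.

```javascript
// Constructed sample (not the PR's real lockfile). The lodash entry mirrors the hunk:
// "version" says 4.18.1 while "resolved"/"integrity" still belong to the 4.17.23 tarball.
// The marked entry is self-consistent; its integrity is a dummy of the right shape, not marked's hash.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "0.0.0" },
    "node_modules/lodash": {
      version: "4.18.1",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
      integrity: "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
    },
    "node_modules/marked": {
      version: "18.0.0",
      resolved: "https://registry.npmjs.org/marked/-/marked-18.0.0.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==",   // placeholder: 64 zero bytes in base64
    },
  },
};

// Version encoded in a registry tarball name: ".../lodash-4.17.23.tgz" -> "4.17.23" (null if malformed).
function tarballVersion(resolved, pkgName) {
  const base = resolved.split("/").pop();
  const prefix = pkgName.split("/").pop() + "-";   // "@scope/name" -> "name-"
  if (!base.startsWith(prefix) || !base.endsWith(".tgz")) return null;
  return base.slice(prefix.length, -4);
}

// True only for a well-formed sha512 SRI value (64 raw bytes once base64-decoded).
function validSha512(integrity) {
  const m = /^sha512-([A-Za-z0-9+/]+=*)$/.exec(integrity || "");
  return !!m && Buffer.from(m[1], "base64").length === 64;
}

// One finding per inconsistent entry; [] means every registry-resolved entry is self-consistent.
function findLockfileMismatches(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link || !/^https?:\/\/.+\.tgz$/.test(entry.resolved || "")) continue;
    const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + 13);
    const tv = tarballVersion(entry.resolved, name);
    if (tv === null) findings.push({ path, reason: `resolved is not a ${name} tarball` });
    else if (tv !== entry.version) findings.push({ path, reason: `version ${entry.version} but tarball is ${tv}` });
    if (!validSha512(entry.integrity)) findings.push({ path, reason: "integrity missing or malformed" });
  }
  return findings;
}
```

To run it against a real file, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findLockfileMismatches`; it only proves the lockfile is internally consistent, so a clean `npm ci` (which verifies each integrity against the downloaded tarball) is still the authoritative check.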
| "version": "11.8.0", | ||
| "resolved": "https://registry.npmjs.org/npm/-/npm-11.8.0.tgz", | ||
| "integrity": "sha512-n19sJeW+RGKdkHo8SCc5xhSwkKhQUFfZaFzSc+EsYXLjSqIV0tl72aDYQVuzVvfrbysGwdaQsNLNy58J10EBSQ==", | ||
| "version": "11.12.1", |
This pull request includes a significant amount of unrelated changes to package-lock.json, such as updating the npm devDependency and its entire transitive tree, as well as removing the bundled flag from many internal dependencies. These changes are orthogonal to the goal of allowing marked v18 and should ideally be handled in a separate PR to keep this one focused and easier to review.
| "globals": "^17.4.0", | ||
| "jest-cli": "^30.3.0", | ||
| "marked": "^17.0.6", | ||
| "marked": "^18.0.0", |
Bumping devDependencies.marked to ^18.0.0 while maintaining a peerDependencies range of >=4 <19 means the project will primarily be tested against the latest version in development and CI. This creates a risk of regressions for users on older supported versions (v4-v17). Consider using a test matrix to ensure continued compatibility across the entire supported range.
No description provided.