refactor: Bump marked from 17.0.3 to 17.0.5 #3306

Merged
mtrezza merged 1 commit into parse-community:alpha from mtrezza:refactor/marked-17.0.5
Apr 1, 2026

Conversation

@mtrezza mtrezza commented Apr 1, 2026

Bump marked from 17.0.3 to 17.0.5 (patch).

Changes (bug fixes only):

  • v17.0.4: Fix ReDoS in inline link regex title group
  • v17.0.5: Fix catastrophic backtracking (ReDoS) in link/reflink label regex, prevent quadratic complexity in emStrongLDelim regex, prevent single-tilde strikethrough false positives, re-assign tokenizer.lexer and renderer.parser at start of each parse call, trim trailing whitespace from lheading text

Closes #3300

Summary by CodeRabbit

  • Chores
    • Updated the marked package to v17.0.5 to pick up minor fixes and improvements.
    • This is a low-risk dev dependency update with no changes to public APIs or app behavior.
    • No other dependencies or configuration were modified.

@parse-github-assistant

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

coderabbitai bot commented Apr 1, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between e521928 and efbf566.

📒 Files selected for processing (2)
  • package-lock.json
  • package.json
✅ Files skipped from review due to trivial changes (2)
  • package-lock.json
  • package.json

📝 Walkthrough

Bumped the marked devDependency from 17.0.3 to 17.0.5 in package.json and updated the corresponding marked entry (version, resolved URL, integrity) in package-lock.json. No other dependency-tree changes are present in the diff.

Changes

  • Dev dependency (package.json): Updated devDependencies.marked from 17.0.3 to 17.0.5.
  • Lockfile (package-lock.json): Updated node_modules/marked metadata: version, resolved tarball URL, and integrity hash to v17.0.5. No other changes to the dependency tree shown.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5 | ❌ 2

❌ Failed checks (2 inconclusive)

  • Description check: ❓ Inconclusive. Explanation: The description provides version details and lists specific bug fixes from upstream releases, but lacks required template sections like Issue, Approach, and Tasks. Resolution: Add missing template sections: explicitly link issue #3300 under 'Issue', detail the approach under 'Approach', and address checkbox tasks for tests and documentation.
  • Engage In Review Feedback: ❓ Inconclusive. Explanation: GitHub PR review comments and discussions are not accessible through the git repository alone; cannot verify user engagement with review feedback. Resolution: Access GitHub PR #3306 directly to review comments in the Conversation or Files Changed sections and verify user engagement with any feedback provided by reviewers.

✅ Passed checks (5 passed)

  • Title check: ✅ Passed. The PR title begins with the 'refactor:' prefix and clearly describes the main change (bumping the marked dependency from 17.0.3 to 17.0.5).
  • Linked Issues check: ✅ Passed. The PR successfully updates the marked dependency from 17.0.3 to 17.0.5, incorporating all specified upstream bug fixes including ReDoS mitigations, regex complexity improvements, and parser reassignment.
  • Out of Scope Changes check: ✅ Passed. All changes are limited to package.json and package-lock.json for the marked dependency update; no unrelated modifications are present.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Security Check: ✅ Passed. marked dependency updated from 17.0.3 to 17.0.5 with security fixes for ReDoS vulnerabilities and state management improvements.

coderabbitai bot previously requested changes Apr 1, 2026
Actionable comments posted: 1

📥 Commits

Reviewing files that changed from the base of the PR and between 841fedb and e521928.

📒 Files selected for processing (2)
  • package-lock.json
  • package.json

"jest-environment-jsdom": "30.0.5",
"madge": "8.0.0",
"marked": "17.0.3",
"marked": "17.0.5",
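Review bot: the package.json pin alone does not show whether the lockfile moved with it; the matching package-lock.json entry for node_modules/marked (version, resolved tarball URL and integrity hash, per the walkthrough above) is outside this hunk, and the critical comment below reports that the first lockfile push dropped unrelated packages (@codemirror/*, @lezer/*, pg-query-stream, pg-cursor, style-mod, w3c-keyname). Before merging, confirm that the package-lock.json diff is limited to that one entry and was produced by a fresh `npm install` rather than edited by hand.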
@coderabbitai coderabbitai bot Apr 1, 2026


⚠️ Potential issue | 🔴 Critical

Critical: Pipeline failure indicates corrupted lockfile.

While the marked version update to 17.0.5 is correct and addresses the security objectives, the pipeline is failing because this lockfile is missing required packages:

  • @codemirror/* packages (language, state, view)
  • @lezer/* packages (common, highlight, lr)
  • PostgreSQL packages (pg-query-stream, pg-cursor)
  • style-mod, w3c-keyname

These unrelated packages should not have been removed during a marked version bump. The lockfile needs to be regenerated properly.

🔧 Fix the lockfile

To fix this issue, regenerate the lockfile cleanly:

# Remove existing lockfile and node_modules
rm -rf node_modules package-lock.json

# Reinstall to generate a clean lockfile
npm install

This will ensure all required dependencies (including the marked update) are properly reflected in the lockfile.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package-lock.json` at line 90, The lockfile was corrupted during the marked
bump (entry "marked": "17.0.5") and is missing required packages like
`@codemirror/`*, `@lezer/`*, pg-query-stream, pg-cursor, style-mod, and w3c-keyname;
regenerate a clean lockfile by deleting package-lock.json and node_modules and
running a fresh install (e.g., rm -rf node_modules package-lock.json && npm
install) so the package-lock reflects all transitive deps including the marked
update.
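One way to catch the failure mode described in this comment before pushing, as an added example that is not part of the PR or of the parse-dashboard project: a small Node script that diffs the "packages" maps of the old and new package-lock.json and accepts the change only if exactly one entry (assumed here to be node_modules/marked) changed and nothing was dropped. The sample lockfiles, their versions and their integrity strings are constructed placeholders.

```javascript
// Added example (not code from the PR or parse-dashboard): diff the "packages" maps
// of two package-lock.json files (lockfileVersion 3 shape) and accept the change only
// if it is a clean single-package bump with no entries dropped or added.
// Returns { removed, added, changed }; changed lists per-field differences.
function diffLockfiles(oldLock, newLock) {
  const oldPkgs = oldLock.packages || {};
  const newPkgs = newLock.packages || {};
  const removed = Object.keys(oldPkgs).filter((p) => !(p in newPkgs)).sort();
  const added = Object.keys(newPkgs).filter((p) => !(p in oldPkgs)).sort();
  const changed = [];
  for (const p of Object.keys(oldPkgs).filter((p) => p in newPkgs)) {
    for (const field of ["version", "resolved", "integrity"]) {
      if (oldPkgs[p][field] !== newPkgs[p][field]) {
        changed.push({ path: p, field, from: oldPkgs[p][field], to: newPkgs[p][field] });
      }
    }
  }
  return { removed, added, changed };
}

// A clean bump: nothing removed or added, and every changed field belongs to expectedPath.
function isCleanBump(diff, expectedPath) {
  return diff.removed.length === 0 && diff.added.length === 0 &&
    diff.changed.length > 0 && diff.changed.every((c) => c.path === expectedPath);
}

// Constructed sample data: versions are made up and integrity strings are placeholders;
// the resolved URLs only follow the npm registry tarball naming pattern.
const pkg = (name, version, integrity) => ({
  version,
  resolved: `https://registry.npmjs.org/${name}/-/${name.split("/").pop()}-${version}.tgz`,
  integrity,
});
const OLD_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/marked": { ...pkg("marked", "17.0.3", "sha512-PLACEHOLDER_OLD"), dev: true },
  "node_modules/@codemirror/state": pkg("@codemirror/state", "6.0.0", "sha512-PLACEHOLDER_A"),
  "node_modules/pg-cursor": pkg("pg-cursor", "2.0.0", "sha512-PLACEHOLDER_B"),
} };
// The intended result of the bump: only the marked entry moves to 17.0.5.
const GOOD_LOCK = { lockfileVersion: 3, packages: { ...OLD_LOCK.packages,
  "node_modules/marked": { ...pkg("marked", "17.0.5", "sha512-PLACEHOLDER_NEW"), dev: true } } };
// The failure mode flagged in review: the bump is present but unrelated entries vanished.
const CORRUPT_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/marked": GOOD_LOCK.packages["node_modules/marked"] } };
// Gate to run before pushing: ok is true only for a clean, marked-only change.
function checkMarkedBump(newLock) {
  const diff = diffLockfiles(OLD_LOCK, newLock);
  return { ok: isCleanBump(diff, "node_modules/marked"), diff };
}
```

On a real repository, load the two lockfiles with `JSON.parse(fs.readFileSync(...))` in place of the constructed objects; `diff.removed` names exactly the packages a corrupted regeneration lost.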

mtrezza (Member Author) commented

The lock file was regenerated from a clean baseline. All CI checks including NPM Lock File Version are now passing, confirming the lock file is correct.

coderabbitai bot commented

@mtrezza, thanks for confirming! Glad to hear the lockfile was regenerated cleanly and all CI checks — including the NPM Lock File Version check — are now passing. The concern is resolved. ✅


@mtrezza mtrezza force-pushed the refactor/marked-17.0.5 branch from e521928 to efbf566 Compare April 1, 2026 15:24
@mtrezza mtrezza dismissed coderabbitai[bot]’s stale review April 1, 2026 15:28

Lock file was regenerated from clean baseline. All CI checks pass.

mtrezza (Member Author) commented Apr 1, 2026

@coderabbitai review

coderabbitai bot commented Apr 1, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@mtrezza mtrezza merged commit 19a1d72 into parse-community:alpha Apr 1, 2026
11 checks passed
@mtrezza mtrezza deleted the refactor/marked-17.0.5 branch April 1, 2026 15:35