You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I noticed that a vulnerability is introduced in markdown-loader@6.0.0:
Vulnerability SNYK-JS-MARKED-584281 affects package marked (versions:<1.1.1): https://snyk.io/vuln/SNYK-JS-MARKED-584281
The above vulnerable package is referenced by markdown-loader@6.0.0 via: markdown-loader@6.0.0 ➔ marked@0.7.0
I've updated marked to 4.0.12. But I made this as a major version bump since switching major versions of marked is also a breaking change for us.
Sorry for this, but I think this is a dilemma: do I fix the security issue and break some builds or do I stick to semver which results in some people still having the security issue. With npm v8 overrides you should be able to enforce a specific markdown-loader version.
Hi, @meaku @jhnns,
Issue Description
I noticed that a vulnerability is introduced in markdown-loader@6.0.0:
Vulnerability SNYK-JS-MARKED-584281 affects package marked (versions:<1.1.1): https://snyk.io/vuln/SNYK-JS-MARKED-584281
The above vulnerable package is referenced by markdown-loader@6.0.0 via:
markdown-loader@6.0.0 ➔ marked@0.7.0
Since markdown-loader@6.0.0 (14,926 downloads per week) is referenced by 26 downstream projects (e.g., @anansi/webpack-config 8.0.3 (latest version), @vtex/gatsby-theme-store 0.373.5 (latest version), yakuza0 2.19.5 (latest version), @next-core/dev-dependencies 1.10.9 (latest version), webpack-config-jaid 15.0.0 (latest version)), the vulnerability SNYK-JS-MARKED-584281 can be propagated into these downstream projects and expose security threats to them via the following package dependency paths:
(1)
@anansi/webpack-config@8.0.2 ➔ markdown-loader@6.0.0 ➔ marked@0.7.0
(2)
@cutting/devtools@4.28.0 ➔ markdown-loader@6.0.0 ➔ marked@0.7.0
......
If markdown-loader@6.0.* removes the vulnerable package from the above version, then its fixed version can help downstream users decrease their pain.
Given the large number of downstream users, could you help update your package to remove the vulnerability from markdown-loader@6.0.0 ?
Fixing suggestions
In markdown-loader@6.0.1, maybe you can kindly try to perform the following upgrade :
marked ^0.7.0 ➔ ^1.1.1
;Note:
marked@1.1.1(>=1.1.1) has fixed the vulnerability SNYK-JS-MARKED-584281.
Of course, you are welcome to share other ways to resolve the issue.^_^
The text was updated successfully, but these errors were encountered: