High Severity Security Vulnerability: markdown-to-jsx

[evadecker]

There is currently a high severity security vulnerability in the markdown-to-jsx package used by Styleguidist.

https://npmjs.com/advisories/1219

All versions of simple-markdown are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing data or VBScript URIs and a base64-encoded payload.

This vulnerability is now preventing our company from using Styleguidist to document components, as we run npm audit to ensure that our codebase is secure.

[gbhasha]

Yes. We do have same problem and vulnerable packages are not allowed as per company policy.

[gbhasha]

Snyk Report : https://snyk.io/test/npm/react-styleguidist@11.0.6

[sapegin]

Feel free to send a pull request with a fix.

[evadecker]

It appears that this has been resolved: quantizor/markdown-to-jsx#306 (comment) and the package maintainers are just waiting on npm to approve that the vulnerability has been patched.

I've opened a PR to update the markdown-to-jsx version here: #1599