Skip to content

chore(deps): update dependency marked to 4.0.10 [security] - abandoned #60

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): update dependency marked to 4.0.10 [security] - abandoned #60

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link

@renovate renovate bot commented Feb 9, 2022
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change
marked 2.0.1 -> 4.0.10

GitHub Vulnerability Alerts

CVE-2022-21680

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings.
PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

CVE-2022-21681

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from michaelhettmer February 9, 2022 08:46
@codecov
Copy link

codecov bot commented Feb 9, 2022
edited
Loading

Codecov Report

Merging #60 (d9dcd98) into master (532b30f) will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##            master       #60   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines           25        25           
  Branches         5         5           
=========================================
  Hits            25        25

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 532b30f...d9dcd98. Read the comment docs.

@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from b10a7cf to c012bc1 Compare February 10, 2022 22:27
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 5 times, most recently from 3c1d200 to a075df6 Compare February 24, 2022 22:39
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 3 times, most recently from 81d8132 to d48550d Compare March 3, 2022 22:26
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 4 times, most recently from 871694a to b45dcb1 Compare March 13, 2022 19:59
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from 5ba3a40 to 80d3659 Compare March 22, 2022 02:55
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from 80d3659 to a978f93 Compare March 29, 2022 17:50
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from a978f93 to d9dcd98 Compare March 31, 2022 22:56
@renovate
Copy link
Author

renovate bot commented Mar 31, 2022

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm notice 
npm notice New minor version of npm available! 8.5.0 -> 8.6.0
npm notice Changelog: <https://github.com/npm/cli/releases/tag/v8.6.0>
npm notice Run `npm install -g npm@8.6.0` to update!
npm notice 
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: react-hooks-use-previous@1.1.1
npm WARN Found: semantic-release@17.4.7
npm WARN node_modules/semantic-release
npm WARN   dev semantic-release@"19.0.0" from the root project
npm WARN   6 more (@semantic-release/changelog, ...)
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer semantic-release@">=15.8.0 <18.0.0" from @semantic-release/changelog@5.0.1
npm WARN node_modules/@semantic-release/changelog
npm WARN   dev @semantic-release/changelog@"5.0.1" from the root project
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: react-hooks-use-previous@1.1.1
npm WARN Found: semantic-release@17.4.7
npm WARN node_modules/semantic-release
npm WARN   dev semantic-release@"19.0.0" from the root project
npm WARN   6 more (@semantic-release/changelog, ...)
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer semantic-release@">=16.0.0 <18.0.0" from @semantic-release/git@9.0.1
npm WARN node_modules/@semantic-release/git
npm WARN   dev @semantic-release/git@"9.0.1" from the root project
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: commitlint-circle@1.0.0
npm ERR! Found: @commitlint/cli@11.0.0
npm ERR! node_modules/@commitlint/cli
npm ERR!   dev @commitlint/cli@"11.0.0" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer @commitlint/cli@"^7.0.0" from commitlint-circle@1.0.0
npm ERR! node_modules/commitlint-circle
npm ERR!   dev commitlint-circle@"1.0.0" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: @commitlint/cli@7.6.1
npm ERR! node_modules/@commitlint/cli
npm ERR!   peer @commitlint/cli@"^7.0.0" from commitlint-circle@1.0.0
npm ERR!   node_modules/commitlint-circle
npm ERR!     dev commitlint-circle@"1.0.0" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/renovate-cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate-cache/others/npm/_logs/2022-03-31T22_55_54_235Z-debug-0.log

@renovate renovate bot changed the title chore(deps): update dependency marked to 4.0.10 [security] chore(deps): update dependency marked to 4.0.10 [security] - abandoned Mar 24, 2023
@renovate
Copy link
Author

renovate bot commented Mar 24, 2023

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michaelhettmer michaelhettmer Awaiting requested review from michaelhettmer

Assignees

@michaelhettmer michaelhettmer

Labels

vulnerability

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@michaelhettmer @renovate-bot