Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed #141

Closed
wants to merge 1 commit into from
Closed

chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed #141

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 24, 2023

Mend Renovate

This PR contains the following updates:

Package Change
marked 1.2.5 -> 4.0.10

GitHub Vulnerability Alerts

CVE-2021-21306

Impact

What kind of vulnerability is it? Who is impacted?

Regular expression Denial of Service

A Denial of Service attack can affect anyone who runs user generated code through marked.

Patches

Has the problem been patched? What versions should users upgrade to?

patched in v2.0.0

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

None.

References

Are there any links users can visit to find out more?

https://github.com/markedjs/marked/issues/1927
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

CVE-2022-21680

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings.
PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

CVE-2022-21681

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Configuration

πŸ“… Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

β™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

πŸ”• Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from b0c8804 to 4400664 Compare March 24, 2023 22:04
@renovate renovate bot changed the title chore(deps): update dependency marked to version 4.0.10 🌟 chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed Mar 25, 2023
@renovate renovate bot closed this Mar 25, 2023
@renovate renovate bot deleted the renovate/npm-marked-vulnerability branch March 25, 2023 01:30
@renovate renovate bot changed the title chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed chore(deps): update dependency marked to version 4.0.10 🌟 Mar 25, 2023
@renovate renovate bot reopened this Mar 25, 2023
@renovate renovate bot restored the renovate/npm-marked-vulnerability branch March 25, 2023 03:26
@renovate renovate bot changed the title chore(deps): update dependency marked to version 4.0.10 🌟 chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed Mar 25, 2023
@renovate renovate bot closed this Mar 25, 2023
@renovate renovate bot deleted the renovate/npm-marked-vulnerability branch March 25, 2023 03:46
@renovate renovate bot changed the title chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed chore(deps): update dependency marked to version 4.0.10 🌟 Mar 25, 2023
@renovate renovate bot reopened this Mar 25, 2023
@renovate renovate bot restored the renovate/npm-marked-vulnerability branch March 25, 2023 07:57
@renovate renovate bot changed the title chore(deps): update dependency marked to version 4.0.10 🌟 chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed Mar 26, 2023
@renovate renovate bot closed this Mar 26, 2023
@renovate renovate bot deleted the renovate/npm-marked-vulnerability branch March 26, 2023 17:20
@renovate renovate bot changed the title chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed chore(deps): update dependency marked to version 4.0.10 🌟 Mar 26, 2023
@renovate renovate bot reopened this Mar 26, 2023
@renovate renovate bot restored the renovate/npm-marked-vulnerability branch March 26, 2023 20:16
@renovate renovate bot changed the title chore(deps): update dependency marked to version 4.0.10 🌟 chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed Mar 26, 2023
@renovate renovate bot closed this Mar 26, 2023
@renovate renovate bot deleted the renovate/npm-marked-vulnerability branch March 26, 2023 20:58
@renovate renovate bot changed the title chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed chore(deps): update dependency marked to version 4.0.10 🌟 Mar 27, 2023
@renovate renovate bot reopened this Mar 27, 2023
@renovate renovate bot restored the renovate/npm-marked-vulnerability branch March 27, 2023 00:44
@renovate renovate bot changed the title chore(deps): update dependency marked to version 4.0.10 🌟 chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed Mar 27, 2023
@renovate renovate bot closed this Mar 27, 2023
@renovate renovate bot deleted the renovate/npm-marked-vulnerability branch March 31, 2023 14:47
@renovate renovate bot changed the title chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed chore(deps): update dependency marked to version 4.0.10 🌟 Mar 31, 2023
@renovate renovate bot restored the renovate/npm-marked-vulnerability branch March 31, 2023 22:08
@renovate renovate bot reopened this Mar 31, 2023
@renovate renovate bot changed the title chore(deps): update dependency marked to version 4.0.10 🌟 chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed Apr 3, 2023
@renovate renovate bot closed this Apr 3, 2023
@renovate renovate bot deleted the renovate/npm-marked-vulnerability branch April 3, 2023 09:32
@renovate renovate bot changed the title chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed chore(deps): update dependency marked to version 4.0.10 🌟 Apr 3, 2023
@renovate renovate bot reopened this Apr 3, 2023
@renovate renovate bot restored the renovate/npm-marked-vulnerability branch April 3, 2023 18:21
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from 82bbd36 to b74d89f Compare April 4, 2023 19:47
@renovate renovate bot changed the title chore(deps): update dependency marked to version 4.0.10 🌟 chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed Apr 17, 2023
@renovate renovate bot closed this Apr 17, 2023
@renovate renovate bot deleted the renovate/npm-marked-vulnerability branch April 17, 2023 13:24
@renovate renovate bot changed the title chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed chore(deps): update dependency marked to version 4.0.10 🌟 Apr 18, 2023
@renovate renovate bot reopened this Apr 18, 2023
@renovate renovate bot restored the renovate/npm-marked-vulnerability branch April 18, 2023 11:27
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from b74d89f to 5e51246 Compare April 18, 2023 16:54
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 3 times, most recently from af3d500 to 1461501 Compare May 3, 2023 10:48
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from 1461501 to 4576fe4 Compare May 8, 2023 13:07
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from 1244612 to d6b4e77 Compare May 20, 2023 06:00
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from d6b4e77 to 7cf6aef Compare May 21, 2023 04:40
@renovate renovate bot changed the title chore(deps): update dependency marked to version 4.0.10 🌟 chore(deps): update dependency marked to version 4.0.10 🌟 - autoclosed May 28, 2023
@renovate renovate bot closed this May 28, 2023
@renovate renovate bot deleted the renovate/npm-marked-vulnerability branch May 28, 2023 12:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
renovate type: dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants