From 086c2859adb498918fcb1d33775e1f3c12093289 Mon Sep 17 00:00:00 2001 From: Snyk bot Date: Fri, 14 Aug 2020 02:53:23 +0300 Subject: [PATCH] [Snyk] Security upgrade marked from 0.7.0 to 1.1.1 (#1313) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: package.json & package-lock.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-MARKED-584281 * fix: fix CompileError * fix: embed files error Co-authored-by: Koy <369491420@qq.com> Co-authored-by: 沈唁 <52o@qq52o.cn>
---
 build/build.js | 9 ++++++--- docs/embed-files.md | 4 ++-- package-lock.json | 6 +++--- package.json | 2 +- src/core/render/embed.js | 2 +- 5 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/build/build.js b/build/build.js
index 563861373..0de786828 100644
--- a/build/build.js
+++ b/build/build.js
@@ -22,7 +22,10 @@ async function build(opts) {
 .rollup({
 input: opts.input,
 plugins: (opts.plugins || []).concat([
- buble(),
+ buble({
+ transforms: {
+ dangerousForOf: true
+ }}),
 commonjs(),
 nodeResolve(),
 replace({
@@ -33,8 +36,8 @@ async function build(opts) {
 onwarn: function (message) {
 if (message.code === 'UNRESOLVED_IMPORT') {
 throw new Error(
- `Could not resolve module ` +
- message.source +
+ `Could not resolve module ` +
+ message.source +
 `. Try running 'npm install' or using rollup's 'external' option if this is an external dependency. ` +
 `Module ${message.source} is imported in ${message.importer}`
 )
diff --git a/docs/embed-files.md b/docs/embed-files.md
index d1a447338..26a0072ea 100644
--- a/docs/embed-files.md
+++ b/docs/embed-files.md
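Review bot: The `dangerousForOf: true` transform added to the `buble()` call in the first build/build.js hunk carries no comment saying why it is needed or what it costs. As far as I know, buble then rewrites every `for...of` in the bundle, third-party code included, into an index loop over `.length`, which is only correct for arrays; a Map, Set, generator or other iterable would be walked incorrectly without raising an error. package.json lists both `marked` and `dompurify` as dependencies, so if either is bundled through this path a silent mis-iteration could change parsing or sanitising behaviour. I would add a comment above the option, for example `// marked 1.x uses for...of; dangerousForOf is only safe for array iteration, so re-check bundled deps on every upgrade`, and close the object as `}` then `}),` on separate lines instead of `}}),`. The body of `build()` starts and ends outside the hunk.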
@@ -62,7 +62,7 @@ Sometimes you don't want to embed a whole file. Maybe because you need just a fe
 [filename](_media/example.js ':include :type=code :fragment=demo')
 ```
-In your code file you need to surround the fragment between `/// [demo]` lines (before and after the fragment).
+In your code file you need to surround the fragment between `/// [demo]` lines (before and after the fragment). Alternatively you can use `### [demo]`.
 Example:
@@ -153,7 +153,7 @@ The `LABEL` can be any text you want. It acts as a _fallback_ message if the lin
 ### Render a codeblock from a gist
 The format is the same as the previous section, but with `:type=code` added to the alt text. As with the [Embedded file type](#embedded-file-type) section, the syntax highlighting will be **inferred** from the extension (e.g. `.js` or `.py`), so you can leave the `type` set as `code`.
-
+
 Here is the format:
 ```markdown
diff --git a/package-lock.json b/package-lock.json
index 9e1ecadf6..6579ebfe8 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9599,9 +9599,9 @@ } }, "marked": { - "version": "0.7.0", - "resolved": "https://registry.npmjs.org/marked/-/marked-0.7.0.tgz", - "integrity": "sha512-c+yYdCZJQrsRjTPhUx7VKkApw9bwDkNbHUKo1ovgcfDjb2kc8rLuRbIFyXL5WOEUwzSSKo3IXpph2K6DqB/KZg==" + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/marked/-/marked-1.1.1.tgz", + "integrity": "sha512-mJzT8D2yPxoPh7h0UXkB+dBj4FykPJ2OIfxAWeIHrvoHDkFxukV/29QxoFQoPM6RLEwhIFdJpmKBlqVM3s2ZIw==" }, "mdn-data": { "version": "2.0.4",
diff --git a/package.json b/package.json
index 699b6d37e..da912ff53 100644
--- a/package.json
+++ b/package.json
@@ -58,7 +58,7 @@
 },
 "dependencies": {
 "dompurify": "^2.0.8",
- "marked": "^0.7.0",
+ "marked": "^1.1.1",
 "medium-zoom": "^1.0.5",
 "opencollective-postinstall": "^2.0.2",
 "prismjs": "^1.19.0",
diff --git a/src/core/render/embed.js b/src/core/render/embed.js
index d31cd2b02..63db66972 100644
--- a/src/core/render/embed.js
+++ b/src/core/render/embed.js
@@ -101,7 +101,7 @@ export function prerenderEmbed({ compiler, raw = '', fetch }, done) {
 const compile = compiler._marked;
 let tokens = compile.lexer(raw);
 const embedTokens = [];
- const linkRE = compile.InlineLexer.rules.link;
+ const linkRE = compile.Lexer.rules.inline.link;
 const links = tokens.links;
 tokens.forEach((token, index) => {
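Review bot: `compile.Lexer.rules.inline.link` still reads a regex out of marked's rule table, the same kind of access to library internals that this hunk had to repair after `InlineLexer.rules.link` stopped resolving. package.json now accepts any 1.x release through `^1.1.1`, so a later release could move the property again; `linkRE` would then be `undefined` and presumably fail only where it is first used, further down and outside this hunk. I would add a guard directly after the assignment, `if (!(linkRE instanceof RegExp)) throw new Error('marked: Lexer.rules.inline.link is not available');`, together with a comment such as `// relies on marked internals; re-check on every marked upgrade`. The body of `prerenderEmbed` continues beyond the hunk.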