Npm security vulnerability in @jupyterlab/rendermime dependency #6479
Comments
FYI, we've updated master to 0.6.2.
I'll also note that:
Closed in 1.0.0?
Hey @jasongrout, this is an issue again as of @jupyterlab/rendermime v1.0.1 https://www.npmjs.com/advisories/1076. The patch is now available in >=0.7.0 of marked. Is there any chance master can be updated to 0.7.0?
I looked at marked 0.7.0, and it looks like their breaking changes either will not affect us (i.e., they are options we don't use), or fix obvious parsing issues. I think I would be okay with marked 0.7.0 going into jlab 1.1, i.e., I don't think it will break things that should work.
FWIW, I dug into these some when reporting markedjs/marked#1425. Based on that I would be surprised if regexp backtracking issues did not continue to be an issue for marked.js; the way the parser leverages regular expressions is quite complex.
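As an added illustration of the regexp backtracking failure mode referred to in the comment above (this is not code from marked.js, JupyterLab or the commenter, and the pattern is a constructed one, not one taken from marked), the following Node.js snippet shows why a nested quantifier goes exponential on an almost-matching input, and gives a timing check a practitioner can run against any regex before handing it untrusted markdown:

```javascript
// Added example, not code from marked.js or JupyterLab.
// Constructed pattern with a nested quantifier: it is NOT one of marked's
// regexes, it only reproduces the class of bug discussed in the thread.
const VULNERABLE = /^(a+)+$/;
// Same language (one or more 'a' to end of string) with no nesting,
// so a backtracking engine cannot re-split the run of 'a's.
const SAFE = /^a+$/;

// Constructed worst-case input: a run of 'a' followed by a character that
// makes the overall match fail, forcing the engine to try every way of
// dividing the run between the inner and outer quantifier (~2^n attempts).
function almostMatching(n) {
  return 'a'.repeat(n) + '!';
}

// Time a single test() call with the monotonic clock and return both the
// match result and the elapsed wall time in milliseconds.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, elapsedMs };
}

// Empirical check: how many times slower the regex gets when the input grows
// by four characters. A linear regex stays near 1; an exponential one grows
// roughly 2^4 = 16x per step, which is what you look for in a code review
// of a regex-heavy parser.
function growthFactor(re, n) {
  const small = timeMatch(re, almostMatching(n)).elapsedMs;
  const large = timeMatch(re, almostMatching(n + 4)).elapsedMs;
  return large / Math.max(small, 1e-3);
}

// Stand-alone usage: compare the two patterns on a 22-character input.
const slow = timeMatch(VULNERABLE, almostMatching(22));
const fast = timeMatch(SAFE, almostMatching(22));
console.log(`nested quantifier: ${slow.elapsedMs.toFixed(1)} ms`);
console.log(`linear pattern:    ${fast.elapsedMs.toFixed(3)} ms`);
console.log(`growth factor of nested pattern: ${growthFactor(VULNERABLE, 16).toFixed(1)}x`);
```

Both patterns reject the almost-matching input and accept a plain run of 'a', so a functional test suite will not distinguish them; only the timing does, which is why a regex-based markdown parser needs this kind of check on adversarial input rather than on the examples in its own test fixtures.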
Thanks for digging into this. Do you have a suggestion for a better markdown parser? We considered at one point switching, but ultimately decided on staying with marked for compatibility with the notebook (since it is what the notebook uses). However, as marked is marching inexorably towards commonmark, it may be that we should just switch directly to commonmark and be done.
I have not looked at commonmark much but my impression is that the parser is better structured to avoid these issues. At a glance a switch to commonmark seems daunting, but that may just be from the series of changes from marked.js that we've been slowly absorbing. I don't have a strong recommendation.
Sorry, when I said switch to commonmark, I meant commonmark the standard, not the reference commonmark parser. The parser we discussed switching to on #272 is markdown-it: https://github.com/markdown-it/markdown-it
Any update on this? We need this for https://github.com/microsoft/vscode-python/issues/6867 in the Python extension.
Based on the analysis in #6479 (comment), I think it's okay to upgrade in 1.2, which we are evaluating releasing next week. Do you want to put in a PR?
I'm going through the jupyterlab extension tutorial at https://jupyterlab.readthedocs.io/en/stable/developer/xkcd_extension_tutorial.html except I'm using npm instead of jlpm. There is a vulnerability in the package marked that is consumed by @jupyterlab/rendermime.