fix: upgrade marked to resolve ReDoS vulnerability #2330
Conversation
This addresses GHSA-rrrm-qjm4-v8hf.

Accommodate breaking change in index.js. (Use marked.parse() instead of marked().)

Bumps [marked](https://github.com/markedjs/marked) from 2.0.1 to 4.0.10.
- [Release notes](https://github.com/markedjs/marked/releases)
- [Changelog](https://github.com/markedjs/marked/blob/master/.releaserc.json)
- [Commits](markedjs/marked@v2.0.1...v4.0.10)

---
updated-dependencies:
- dependency-name: marked
  dependency-type: direct:production
...
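As an added example (not code from this PR, from semantic-release, or from marked), the shim below shows the kind of caller-side adaptation the description refers to: after the bump, rendering goes through `marked.parse()` rather than calling `marked()` directly. The two module objects are constructed stand-ins so the file runs without marked installed; that a 4.x-style module exposes the parser as `.parse` (possibly under a `.marked` property) while a 2.x-style module is itself the callable parser is an assumption of this example, since the page only states that `marked.parse()` replaces `marked()`. The input ceiling in `renderBounded` is a defensive layer on top of the dependency fix, not something the PR adds.

```javascript
// Added example, not code from this PR, semantic-release, or marked.
// Both "module" objects below are constructed stand-ins so that this file
// runs without marked installed; real code would obtain them via require('marked').

// Pick a render function that works for either module shape.
// Assumption: a 4.x-style module exposes the parser as .parse (possibly under
// a .marked property); a 2.x-style module is itself the callable parser.
function resolveMarkdownParser(markedModule) {
  const candidate = markedModule && markedModule.marked ? markedModule.marked : markedModule;
  if (candidate && typeof candidate.parse === 'function') {
    return (src) => candidate.parse(src);
  }
  if (typeof candidate === 'function') {
    return (src) => candidate(src);
  }
  throw new TypeError('unrecognised marked module shape');
}

// Cap the size of untrusted input handed to a regex-based parser. The ReDoS
// fix in the dependency is the real remedy; an input ceiling is an extra
// layer so a single oversized document cannot monopolise the process.
const MAX_MARKDOWN_CHARS = 64 * 1024; // constructed limit for this example

function renderBounded(parse, src, maxChars = MAX_MARKDOWN_CHARS) {
  if (typeof src !== 'string') {
    throw new TypeError('markdown source must be a string');
  }
  if (src.length > maxChars) {
    return { ok: false, reason: `input of ${src.length} chars exceeds limit of ${maxChars}` };
  }
  return { ok: true, html: parse(src) };
}

// Constructed stand-in renderer: only enough to make the module shapes observable.
function toyRender(src) {
  return src.startsWith('# ') ? `<h1>${src.slice(2)}</h1>` : `<p>${src}</p>`;
}
// 2.x-style stand-in: the module is the parser function.
const legacyMarkedStub = toyRender;
// 4.x-style stand-in: the parser is reached through .parse.
const modernMarkedStub = { marked: { parse: toyRender } };

// Render one constructed document through the 4.x-style shape.
function demo() {
  const parse = resolveMarkdownParser(modernMarkedStub);
  return renderBounded(parse, '# Release notes');
}

console.log(JSON.stringify(demo()));
```

With a real dependency the two stubs are replaced by `require('marked')`; the shim lets a code base be exercised against both the old and new module shape during the upgrade, and `renderBounded` rejects oversized input before any parsing work starts.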
This is the same as #2329 but with the needed changes to |
Thanks for the help with this. I think this will also require an update of |
I've pushed a second commit for that. It needed a more extensive reworking of the code because |
It was indeed a problem on my end. I think this is ready for code review. |
I added a commit to update the |
It would. It wouldn't be a bad thing for us to drop v15 support at this point, but it would be best if we didn't have to require our consumers to upgrade past a major just to get the vulnerability patched. Is there no combination of |
Observing as a consumer and thought I'd add a quick comment. Is anyone out there really building production systems with Node 15? Node 16 is the active LTS, and Node 17 the current non-LTS. It's unlikely to impact many given 15 was never an LTS, and isn't active. Feature parity with 15 is available in 16 iirc. |
Just for clarity, you mean "supported by semantic-release" and not "supported by Node.js", right? Because as far as Node.js is concerned, 15.x is no longer supported. (Or does the not-supported-by-Node.js change anything here?) Ref: https://github.com/nodejs/Release#release-schedule (TL;DR Only 12.x, 14.x, 16.x and 17.x are supported by Node.js right now. 15.x reached end-of-life in June 2021.) |
That's correct: There is no combination that will resolve the vulnerability and support Node.js 15.x. The last release of Dropping support for Node.js 15.x (or supporting Node.js 15.x use and not worrying about |
FWIW, I ran |
good clarification. yes, i mean currently defined as supported by semantic-release in
thank you for confirming. that's unfortunate, but not entirely surprising.
i appreciate the consideration of options. i have considered removing marked since compatibility between marked and marked-terminal has caused us trouble in the past. i would love it if there were an option to move in the direction of the suite of remark tools, but i haven't found a way to leverage them in the context of the terminal. i'd prefer to avoid taking on the effort of these options or the risk of more significant change to fix this vulnerability.
i agree that dropping v15 support is the best option. while v15 is EOL and impact would be low to treat supporting it less strictly, communicating impact of changes semantically is important to this project. |
thanks for digging into these details. this appears to be in good shape, but let's adjust the engines definition slightly as mentioned in the one comment i added
BREAKING CHANGE: Drop support for Node.js 15.x.
just one more matrix adjustment
thanks again for working through these details, @Trott. since this is a breaking change, i want to get another set of eyes on it before moving it forward and decide if any other pending changes need to be coordinated with it. i think this piece is ready to go and we'll work toward getting this finished up as soon as we can. |
I'm not very familiar with marked and its ecosystem. Can someone please explain the breaking change for semantic-release users? Is it only the drop of support for Node v15, or is there also an API behavior change related to the marked upgrade? |
There is no behavior change for the end user. The only user-visible issue is that a dependency ( |
🎉 This PR is included in version 19.0.0-beta.1 🎉 The release is available on: Your semantic-release bot 📦🚀 |
🎉 This PR is included in version 19.0.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
…e#2330) BREAKING CHANGE: node v15 has been removed from our defined supported versions of node. this was done to upgrade to compatible versions of `marked` and `marked-terminal` that resolved the ReDoS vulnerability. removal of support of this node version should be low since it was not an LTS version and has been EOL for several months already.
This addresses GHSA-rrrm-qjm4-v8hf.
Accommodate breaking change in index.js. (Use marked.parse() instead of marked().)
Bumps marked from 2.0.1 to 4.0.10.
updated-dependencies:
dependency-type: direct:production
...