
npm audit : "Moderate: Regular Expression Denial of Service" #95

Closed
sanori opened this issue Apr 22, 2019 · 6 comments

Comments

@sanori

sanori commented Apr 22, 2019

Due to the dependency on marked 0.6.1.

@sanori sanori changed the title npm audit : "Regular Expression Denial of Service" npm audit : "Moderate: Regular Expression Denial of Service" Apr 22, 2019
@tomap
Contributor

tomap commented Apr 23, 2019

Hi, we depend on Marked ^0.6.1 => automatically updated to ^0.6.2 https://david-dm.org/hexojs/hexo-renderer-marked
Where is the issue?

@sanori
Author

sanori commented Apr 23, 2019

When I run npm audit in my hexo directory, several security reports are provided.
One of the reports is as follows:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ hexo-renderer-marked                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ hexo-renderer-marked > marked                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/812                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

I agree with your assumption that npm may install an updated version of marked which fixes the problem. But I got the above report from npm, and so I left this issue.
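The check behind the table above, as an added example that is not part of this thread or of the hexo-renderer-marked project: it follows the `hexo-renderer-marked > marked` path through a constructed package-lock-style object and tests the installed version against the advisory's `>=0.6.2` patched range with a minimal comparator instead of the `semver` package. The lockfile object, every version other than 0.6.1 and 0.6.2, and all function names are assumptions.

```javascript
// Added example (not hexo-renderer-marked's code). LOCKFILE is constructed; only
// the advisory data (marked, patched in >=0.6.2) comes from the npm audit output above.
const LOCKFILE = {
  dependencies: {
    "hexo-renderer-marked": {
      version: "0.3.2",
      dependencies: { marked: { version: "0.6.1" } },
    },
  },
};
// Advisory fields as printed by npm audit in this issue.
const ADVISORY = { path: ["hexo-renderer-marked", "marked"], patched: ">=0.6.2" };

// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}
// Compare numerically per component, so 0.10.0 > 0.6.2 (a string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Only the ">=x.y.z" form used by this advisory is supported.
function satisfiesPatched(installed, patchedRange) {
  const m = /^>=\s*(\S+)$/.exec(patchedRange);
  if (!m) throw new Error(`unsupported range: ${patchedRange}`);
  return compareVersions(installed, m[1]) >= 0;
}
// Follow the "a > b" path through nested lockfile entries; npm hoists
// dependencies to the top level when it can, so fall back there.
function resolveVersion(lock, path) {
  let scope = lock, entry = null;
  for (const name of path) {
    const nested = scope.dependencies && scope.dependencies[name];
    entry = nested || (lock.dependencies && lock.dependencies[name]) || null;
    if (!entry) return null;
    scope = entry;
  }
  return entry.version;
}
// Installed version on the path and whether it is still in the vulnerable range.
function auditPath(lock, advisory) {
  const installed = resolveVersion(lock, advisory.path);
  if (installed === null) return { installed: null, vulnerable: false };
  return { installed, vulnerable: !satisfiesPatched(installed, advisory.patched) };
}
```

Against the constructed lockfile, `auditPath(LOCKFILE, ADVISORY)` reports marked 0.6.1 as still vulnerable, which is exactly the situation the audit table describes.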

@yoshinorin
Member

yoshinorin commented Apr 24, 2019

@sanori
Thank you for your report :)
We have already upgraded to marked 6.x in #87, and it's already merged into the current master branch.

But we have not yet released a new version. Would you please wait for a new release?
Thanks :)

@yoshinorin
Member

@sanori
PS. Please execute the command below if you want to use the current master branch:

npm install https://github.com/hexojs/hexo-renderer-markdown-it#master

@JLHwung
Contributor

JLHwung commented May 10, 2019

An update:

hexo-renderer-marked@1.0.0 has just been published; install the latest version now:

npm install hexo-renderer-marked

@JLHwung JLHwung closed this as completed May 10, 2019
@sanori
Author

sanori commented May 11, 2019

I confirmed that npm install hexo-renderer-marked@1.0.0 resolved the vulnerability alert.
Thank you.
