This repository has been archived by the owner on Jan 31, 2023. It is now read-only.

chore(deps): update dependency marked to version 4.0.10 🌟 #100

Open · wants to merge 1 commit into master from renovate/npm-marked-vulnerability

Conversation

renovate[bot] (Contributor) commented Mar 7, 2022

Mend Renovate

This PR contains the following updates:

Package Change
marked 2.1.3 -> 4.0.10

GitHub Vulnerability Alerts

CVE-2022-21681

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

CVE-2022-21680

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings.
PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:


Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 4 times, most recently from 674d069 to 94c4644 Compare March 13, 2022 18:57
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from 94c4644 to 741f7fc Compare March 17, 2022 20:34
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 2 times, most recently from a9bec67 to a7bb9f9 Compare March 31, 2022 23:49
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 6 times, most recently from 6316fea to 74461bd Compare April 11, 2022 01:54
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from 74461bd to a066457 Compare April 25, 2022 00:15
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from a066457 to 20e827d Compare May 15, 2022 20:23
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 6 times, most recently from 3ccbfc5 to 99f9db2 Compare June 25, 2022 16:26
@renovate renovate bot changed the title chore(deps): update dependency marked to version 4.0.10 🌟 chore(deps): Update dependency marked to version 4.0.10 🌟 Jun 27, 2022
@renovate renovate bot changed the title chore(deps): Update dependency marked to version 4.0.10 🌟 chore(deps): update dependency marked to version 4.0.10 🌟 Jun 28, 2022
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 5 times, most recently from 97e5013 to 32d3dd5 Compare July 1, 2022 11:58
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 7 times, most recently from beab80f to 674e435 Compare July 8, 2022 20:49
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch 4 times, most recently from dc720a9 to 6d870c3 Compare July 13, 2022 23:47
@renovate renovate bot force-pushed the renovate/npm-marked-vulnerability branch from 6d870c3 to dc836a4 Compare July 14, 2022 11:11
renovate[bot] (Contributor, Author) commented Jul 14, 2022

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
write /var/lib/docker/tmp/GetImageBlob520929771: no space left on device
