
dep: update markdown-it dependency #10634

Merged
merged 1 commit into from
Jan 18, 2022

Conversation

vince-fugnitto
Member

What it does

The pull request addresses a security vulnerability (Uncontrolled Resource Consumption in markdown-it) with markdown-it. The change also makes markdown-it a shared dependency (exported by @theia/core) since it is used by many packages, and they no longer need to reference it themselves at different versions.

How to test

  1. confirm that `yarn audit --level=moderate` does not produce any output for markdown-it.
  2. confirm that markdown rendering works for the preferences-ui, vsx-registry extensions tooltip, etc.

Review checklist

Reminder for reviewers

The commit updates the `markdown-it` dependency in order to resolve a
moderate security vulnerability.

The change also makes `markdown-it` a shared dependency, and updates all
usages to use the shared dep instead of redefining a version in
individual `package.json`.

Signed-off-by: vince-fugnitto <[email protected]>
@vince-fugnitto vince-fugnitto added security issues related to security dependencies pull requests that update a dependency file labels Jan 13, 2022
@vince-fugnitto vince-fugnitto self-assigned this Jan 13, 2022
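Step 1 of the "How to test" list above checks `yarn audit --level=moderate` for any markdown-it output. As an added example, not part of this PR or of Theia's own tooling, the following POSIX shell script parses the NDJSON that `yarn audit --json` emits and reports whether a markdown-it advisory of moderate severity or above is still present, which is a more robust check than eyeballing the table output. The sample audit lines are constructed for illustration (the advisory text is not the real advisory record), and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not Theia project code: verify that `yarn audit` no longer
# reports markdown-it at moderate severity or above.
#
# Real usage (yarn 1 prints one JSON object per line):
#   yarn audit --level=moderate --json > audit.ndjson
#   audit_has_markdown_it_advisory audit.ndjson && echo "markdown-it still flagged"
#
# Counts auditAdvisory records whose module_name is exactly markdown-it and
# whose severity is moderate, high or critical. Uses only grep/wc so it runs
# without jq; the summary record and advisories for other modules are ignored.
count_markdown_it_advisories() {
  file="$1"
  grep '"type":"auditAdvisory"' "$file" \
    | grep '"module_name":"markdown-it"' \
    | grep -E '"severity":"(moderate|high|critical)"' \
    | wc -l | tr -d ' '
}

# Exit status 0 (true) when at least one matching advisory is present,
# so it can be used directly in an `if` or `&&`.
audit_has_markdown_it_advisory() {
  [ "$(count_markdown_it_advisories "$1")" -gt 0 ]
}

# Constructed sample in the shape yarn audit --json produces, representing the
# state before the dependency bump: one moderate markdown-it advisory plus an
# unrelated low advisory that must not be counted.
SAMPLE_BEFORE=$(mktemp)
cat > "$SAMPLE_BEFORE" <<'EOF'
{"type":"auditAdvisory","data":{"resolution":{"id":0,"path":"@theia/preferences>markdown-it"},"advisory":{"module_name":"markdown-it","severity":"moderate","title":"Uncontrolled Resource Consumption (constructed sample)"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":0,"path":"@theia/vsx-registry>other-pkg"},"advisory":{"module_name":"other-pkg","severity":"low","title":"Unrelated low advisory (constructed sample)"}}}
{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":1,"moderate":1,"high":0,"critical":0}}}
EOF

# Constructed sample for the state after the bump: markdown-it is gone from
# the advisories; only the unrelated low advisory remains.
SAMPLE_AFTER=$(mktemp)
cat > "$SAMPLE_AFTER" <<'EOF'
{"type":"auditAdvisory","data":{"resolution":{"id":0,"path":"@theia/vsx-registry>other-pkg"},"advisory":{"module_name":"other-pkg","severity":"low","title":"Unrelated low advisory (constructed sample)"}}}
{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":1,"moderate":0,"high":0,"critical":0}}}
EOF

# Demonstration run over both samples.
for f in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
  if audit_has_markdown_it_advisory "$f"; then
    echo "$(count_markdown_it_advisories "$f") markdown-it advisory(ies) at moderate or above: FAIL"
  else
    echo "no markdown-it advisory at moderate or above: OK"
  fi
done
```

The severity filter mirrors `--level=moderate`, so the script agrees with the manual check in the PR description while being safe to drop into CI; matching on `module_name` rather than on the resolution `path` avoids false positives from packages that merely depend on markdown-it.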
Member

@msujew msujew left a comment

The changes look good. I can confirm that the rendered markdown content works as before and that the security issue has been resolved.

@vince-fugnitto vince-fugnitto merged commit 8b34669 into master Jan 18, 2022
@vince-fugnitto vince-fugnitto deleted the vf/markdown-it branch January 18, 2022 02:44
@github-actions github-actions bot added this to the 1.22.0 milestone Jan 18, 2022