
Bump marked from 0.3.9 to 0.3.18 #15

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/marked-0.3.18

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Nov 1, 2019

Bumps marked from 0.3.9 to 0.3.18.

Release notes

Sourced from marked's releases.

Minor fixes and updated docs

  • Supported Markdown flavors: CommonMark 0.28 and GitHub Flavored Markdown 0.28
  • Updates to our CI pipeline; we're all green! #1098 with the caveat that there is a test that needs to get sorted (help us out #1092)
  • Start ordered lists using the initial numbers from markdown lists (#1144)
  • Added GitHub Pages site for documentation https://marked.js.org/ (#1138)

Processes and tools

  • The elephant in the room: A security vulnerability was discovered and fixed. Please note, if something breaks due to these changes, it was not our intent, and please let us know by submitting a PR or issue to course correct (the nature of the zero-major release and having security as a number one priority) #1083
  • The other elephant in the room: We missed publishing a 0.3.16 release to GitHub; so, trying to make up for that a bit.
  • Updates to the project documentation and operations, you should check it out, just start with the README and you should be good.
  • New release PR template available #1076
  • Updates to default PR and Issue templates #1076
  • Lint checks + tests + continuous integration using Travis #1020
  • Updated testing output #1085 & #1087

Fix capturing parens

Fixes unintended breaking change from v0.3.14

New year, new home

  • Marked has a new home under the MarkedJS org! Other advances soon to come.
  • Updated minifier.
  • Various parser fixes

New Year, new Marked!

  • Addresses issue where some users might not have been able to update due to missing use strict #991
  • Parser fix #977
  • New way to perform tests with options and running individual tests #1002
  • Improved test cases
  • Improved links

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependabot[bot] added the dependencies label (Pull requests that update a dependency file), Nov 1, 2019

@Simran-B

Please merge! It fixes an exploit.

WS-2019-0027 markedjs/marked@b15e42b
moderate severity

Vulnerable versions: < 0.3.18
Patched version: 0.3.18

In versions 0.3.17 and earlier of marked, four regexes were vulnerable to catastrophic backtracking. This leaves markdown servers open to a potential ReDoS attack.

dependabot[bot] force-pushed the dependabot/npm_and_yarn/marked-0.3.18 branch from e7d1a86 to 7ab94da, March 7, 2020

@Simran-B

@grant-g @jenschlot Sorry to bother you, but the security alert is 9 months old and I cannot resolve this on my end because it is the dependency of a dependency.

grant-g (Member) commented Mar 16, 2020

@Simran-B The only reason I'm delaying on this is to compare before-and-after runs on a set of docs to see the HTML generation changes this would bring with it. I will try to get to this soon.

FWIW the potential exploit should not prove to be a problem unless you receive and process source content unchecked from external sources. I believe the patterns in source that would be needed to cause these problems are somewhat specific and unusual.
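The advisory quoted above names the failure mode (catastrophic backtracking) but does not quote the four affected regexes, and the reply above argues that the risk depends on whether unchecked source from external parties reaches the parser. The following is an added example, not code from marked or from this repository, that makes both points concrete: a constructed nested-quantifier pattern (the textbook ReDoS shape, not one of marked's regexes) beside its linear rewrite, a timing harness that separates exponential from linear matching cost, and a byte budget for markdown that arrives from untrusted sources. The names `EVIL`, `SAFE`, `almostMatch`, `matchCostMs`, `isCatastrophic`, `renderUntrusted` and the 64 KiB limit are all this example's own assumptions.

```javascript
'use strict';
// Added example, not code from marked or this repository. It reproduces the
// failure mode named in WS-2019-0027 (catastrophic backtracking) with a
// constructed pattern and shows two local checks: a growth profile that
// tells exponential regexes from linear ones, and an input-size budget for
// markdown from untrusted sources.

// Constructed pattern with a nested quantifier. This is NOT one of marked's
// four regexes (the advisory does not quote them); it is the textbook shape.
const EVIL = /^(a+)+$/;
// Same language, single quantifier: each character is consumed exactly once.
const SAFE = /^a+$/;

// Adversarial input: a run that almost matches and fails on the last
// character, forcing a backtracking engine to try every way of splitting the
// run between the inner and outer quantifier (2^(n-1) ways).
function almostMatch(n) {
  return 'a'.repeat(n) + '!';
}

// Best-of-k wall-clock cost of one match, in milliseconds. Taking the minimum
// filters out GC pauses and first-call compilation noise.
function matchCostMs(re, input, reps = 3) {
  let best = Infinity;
  for (let i = 0; i < reps; i++) {
    const t0 = process.hrtime.bigint();
    re.test(input);
    const ms = Number(process.hrtime.bigint() - t0) / 1e6;
    if (ms < best) best = ms;
  }
  return best;
}

// Growth profile for a human reviewer: cost per input size.
function profile(re, mkInput, sizes = [8, 12, 16, 20]) {
  return sizes.map((n) => ({ n, ms: matchCostMs(re, mkInput(n)) }));
}

// Decision helper. A linear regex matches a 20-character input in
// microseconds; a catastrophic one takes milliseconds and its cost keeps
// doubling with each extra character. Both conditions must hold so that
// scheduler noise on the tiny inputs cannot produce a false positive.
function isCatastrophic(re, mkInput, { small = 10, large = 20 } = {}) {
  const msSmall = Math.max(matchCostMs(re, mkInput(small)), 1e-6);
  const msLarge = matchCostMs(re, mkInput(large));
  return msLarge > 2 && msLarge / msSmall > 8;
}

// Size budget for markdown from untrusted sources (assumed limit; pick one
// that fits your documents). It does not fix a bad regex, but it bounds how
// much work one request can demand while the dependency is being upgraded.
const MAX_UNTRUSTED_BYTES = 64 * 1024;
function renderUntrusted(markdown, render, maxBytes = MAX_UNTRUSTED_BYTES) {
  const size = Buffer.byteLength(markdown, 'utf8');
  if (size > maxBytes) {
    throw new RangeError(`markdown input of ${size} bytes exceeds budget of ${maxBytes}`);
  }
  return render(markdown);
}

// Usage: print the growth profile for both patterns.
if (typeof require !== 'undefined' && require.main === module) {
  console.table(profile(EVIL, almostMatch));
  console.table(profile(SAFE, almostMatch));
}
```

Run with `node` to print a cost table for each pattern: the linear regex stays flat while the nested one roughly doubles per added character. The budget is a stopgap; the fix is the upgrade this PR proposes, and when marked is only a transitive dependency, `npm ls marked` shows which direct dependency pins the vulnerable version.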

dependabot[bot] force-pushed the dependabot/npm_and_yarn/marked-0.3.18 branch:
  • 7ab94da → 66b26eb, January 18, 2021
  • 66b26eb → bdb3c32, June 1, 2021
  • bdb3c32 → 06b680a, June 11, 2021
  • 2 times, most recently 8c7f185 → 085bcb6, July 16, 2021
  • 5 times, most recently 44ffc28 → 4ec0272, July 23, 2021
  • 4 times, most recently 446b93e → c2c276c, August 17, 2021
  • 2 times, most recently e1fc813 → 5f1310b, August 27, 2021
  • 5f1310b → 6d8dc53, September 7, 2021
  • 3 times, most recently 1c028e7 → a2b629f, September 17, 2021
  • 3 times, most recently 76c1bf7 → fffa4af, September 28, 2021
  • 2 times, most recently b976565 → aac3e89, October 5, 2021
Commit message:

Bumps [marked](https://github.com/markedjs/marked) from 0.3.9 to 0.3.18.
- [Release notes](https://github.com/markedjs/marked/releases)
- [Commits](markedjs/marked@0.3.9...v0.3.18)

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/npm_and_yarn/marked-0.3.18 branch from aac3e89 to edae829, December 8, 2021

dependabot[bot] (Contributor, Author) commented on behalf of github, Jan 15, 2022

Superseded by #35.

dependabot[bot] closed this Jan 15, 2022
dependabot[bot] deleted the dependabot/npm_and_yarn/marked-0.3.18 branch January 15, 2022 01:25