chore(dgeni): update to latest dgeni and dgeni-packages #17141
Conversation
- from: 389 vulnerabilities found - Severity: 259 Low | 28 Moderate | 98 High | 4 Critical - to: 300 vulnerabilities found - Severity: 189 Low | 28 Moderate | 79 High | 4 Critical - `errorOnUnmatchedLinks` used to pass but it no longer does, this is likely because of the failure of the markdown renderer to function
|
This appears to be caused only by the update to |
|
I wrote up the issue that I was able to isolate a bit better via this PR in angular/dgeni-packages#310. |
|
I've opened markedjs/marked#2085 for this as well. |
- this adds 1 High severity advisory back in by pinning at `marked@0.3.6` - 301 vulnerabilities found - Severity: 189 Low | 28 Moderate | 80 High | 4 Critical - in reality, there are many serious security issues with this old version of `marked` - but our docs don't render with the newer versions due to angular/dgeni-packages#310 - another downside is that this forces `firebase-tools` to use an old, vulnerable version of marked for parsing console output
|
Even with the concerns above, this now fixes 88 High and Low severity vulnerabilities without breaking rendering of markdown in the docs. |
| @@ -106,7 +105,8 @@ | |||
| "//2": "(E.g. see https://github.com/gulpjs/gulp/issues/2162 and https://github.com/nodejs/node/issues/25132.)", | |||
| "natives": "1.1.6", | |||
| "//3": "`graceful-fs` needs to be pinned to support gulp 3, on Node v12+", | |||
| "graceful-fs": "^4.2.3" | |||
| "graceful-fs": "^4.2.3", | |||
| "marked": "0.3.6" | |||
There was a problem hiding this comment.
Rather than pinning marked we should just fix the docs to be CommonMark compliant.
There was a problem hiding this comment.
OK, I wasn't sure that was something that we were open to doing. I'll look into it.
|
Closing in favor of #17163 at Pete's suggestion. |
AngularJS is in LTS mode
We are no longer accepting changes that are not critical bug fixes into this project.
See https://blog.angular.io/stable-angularjs-and-long-term-support-7e077635ee9c for more detail.
Does this PR fix a regression since 1.7.0, a security flaw, or a problem caused by a new browser version?
Yes
What is the current behavior? (You can also link to an open issue here)
What is the new behavior (if this is a feature change)?
Does this PR introduce a breaking change?
No.
See the broken markdown rendering screen shots at the enderrorOnUnmatchedLinksused to pass but it no longer does, this is likely because of thefailure of the markdown renderer to function
Please check if the PR fulfills these requirements
Other information:
Before
After
This same problem was observed in AngularJS Material in PR angular/material#11881.
Fixed rendering in a 2nd commit
chore(dgeni): fix rendering of docs markdown
marked@0.3.6markedRegression: since 0.28.0, marked filter does not render markdown in HTML blocks dgeni-packages#310
firebase-toolsto use an old, vulnerableversion of marked for parsing console output