Update meta-marked to latest version

Meta-marked 0.4.4 which we used from our git repository contains a RegexDOS attack in the marked dependency. The dependency was already updated in our meta-marked repository, but not updated in yarn. This made us still vulnerable to this ReDOS which was able to cause a DOS attack on the server when updating a note. For Details: https://github.com/markedjs/marked/releases/tag/v0.7.0 markedjs/marked#1515 What is a ReDOS? A ReDOS attack is a DOS attack where an attacker targets a not-well-written Regular Expression. Regular expressions try to build a tree of all possibilities it can match in order to figure out if the given statement is valid or not. A ReDOS attack abuses this concept by providing a statement that doesn't match but causes extremly huge trees that simply lead to exhausting CPU usage. For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS Credit: Huge thanks to @bitinerant for finding this and handling it with a responsible disclosure. Also thanks to the `marked`-team for fixing things already. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
hedgedoc · Aug 15, 2019 · c4053ea · c4053ea
1 parent 57cfbcb
commit c4053ea
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 10 deletions.
diff --git a/package.json b/package.json
@@ -82,7 +82,7 @@
     "mathjax": "~2.7.0",
     "mattermost": "^3.4.0",
     "mermaid": "~8.2.3",
-    "meta-marked": "git+https://github.com/codimd/meta-marked#semver:^0.4.2",
+    "meta-marked": "git+https://github.com/codimd/meta-marked#semver:^0.4.5",
     "method-override": "^2.3.7",
     "minimist": "^1.2.0",
     "minio": "^6.0.0",
@@ -193,8 +193,8 @@
     "mocha": "^5.2.0",
     "mock-require": "^3.0.3",
     "optimize-css-assets-webpack-plugin": "^5.0.0",
-    "sequelize-cli": "^5.4.0",
     "script-loader": "^0.7.2",
+    "sequelize-cli": "^5.4.0",
     "string-loader": "^0.0.1",
     "style-loader": "^0.21.0",
     "uglifyjs-webpack-plugin": "^1.2.7",

diff --git a/yarn.lock b/yarn.lock
@@ -7590,10 +7590,10 @@ markdown-table@^1.1.0:
   resolved "https://registry.yarnpkg.com/markdown-table/-/markdown-table-1.1.3.tgz#9fcb69bcfdb8717bfd0398c6ec2d93036ef8de60"
   integrity sha512-1RUZVgQlpJSPWYbFSpmudq5nHY1doEIv89gBtF0s4gW1GF2XorxcA/70M5vq7rLv0a6mhOUccRsqkwhwLCIQ2Q==
 
-marked@~0.6.2:
-  version "0.6.2"
-  resolved "https://registry.yarnpkg.com/marked/-/marked-0.6.2.tgz#c574be8b545a8b48641456ca1dbe0e37b6dccc1a"
-  integrity sha512-LqxwVH3P/rqKX4EKGz7+c2G9r98WeM/SW34ybhgNGhUQNKtf1GmmSkJ6cDGJ/t6tiyae49qRkpyTw2B9HOrgUA==
+marked@~0.7.0:
+  version "0.7.0"
+  resolved "https://registry.yarnpkg.com/marked/-/marked-0.7.0.tgz#b64201f051d271b1edc10a04d1ae9b74bb8e5c0e"
+  integrity sha512-c+yYdCZJQrsRjTPhUx7VKkApw9bwDkNbHUKo1ovgcfDjb2kc8rLuRbIFyXL5WOEUwzSSKo3IXpph2K6DqB/KZg==
 
 math-interval-parser@^1.1.0:
   version "1.1.0"
@@ -7769,12 +7769,12 @@ messageformat@^0.3.1:
     nopt "~3.0.6"
     watchr "~2.4.13"
 
-"meta-marked@git+https://github.com/codimd/meta-marked#semver:^0.4.2":
-  version "0.4.4"
-  resolved "git+https://github.com/codimd/meta-marked#04fd9775b38566e41b71e3e63bd78717d3eb4445"
+"meta-marked@git+https://github.com/codimd/meta-marked#semver:^0.4.5":
+  version "0.4.5"
+  resolved "git+https://github.com/codimd/meta-marked#30852d0efa633418865df179f5956cd3df0fd0b3"
   dependencies:
     js-yaml "~3.13.1"
-    marked "~0.6.2"
+    marked "~0.7.0"
 
 method-override@^2.3.7:
   version "2.3.10"