npm audit : "Moderate: Regular Expression Denial of Service" #95

Closed
sanori opened this issue Apr 22, 2019 · 6 comments

sanori commented Apr 22, 2019

Due to the dependency on marked 0.6.1.

@sanori sanori changed the title npm audit : "Regular Expression Denial of Service" npm audit : "Moderate: Regular Expression Denial of Service" Apr 22, 2019
tomap (Contributor) commented Apr 23, 2019

Hi, we depend on Marked ^0.6.1 => automatically updated to ^0.6.2 https://david-dm.org/hexojs/hexo-renderer-marked
Where is the issue?

sanori (Author) commented Apr 23, 2019

When I run npm audit in my hexo directory, several security reports are provided.
One of the reports is as follows:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ hexo-renderer-marked                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ hexo-renderer-marked > marked                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/812                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

I agree with your assumption that npm may install an updated version of marked in which the problem is fixed. But I got the above report from npm, so I left this issue.
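The audit table above reports the copy of marked that npm actually resolved in the tree, not the range hexo-renderer-marked declares, which is why a project can carry `^0.6.1` in package.json and still have a vulnerable 0.6.1 pinned in its lockfile. As an added example (not code from hexo-renderer-marked, marked or npm), the following Node.js script walks a constructed package-lock.json in the lockfileVersion 1 layout, lists every resolved marked below the advisory's patched version 0.6.2 in npm audit's "a > b" path notation, and checks that a caret range such as `^0.6.1` accepts 0.6.2 but not 0.7.0. The lockfile contents and every version number other than marked 0.6.1 and 0.6.2 are made up; the semver handling covers only plain MAJOR.MINOR.PATCH caret ranges, not the full npm range grammar.

```javascript
// Added example, not code from hexo-renderer-marked, marked or npm: walk a
// package-lock.json and report every resolved copy of a package that is
// below the "Patched in" version from an npm audit advisory, and show why a
// caret range such as ^0.6.1 does not by itself guarantee 0.6.2 is installed.

const PACKAGE = 'marked';
const PATCHED_MIN = '0.6.2'; // "Patched in >=0.6.2" from the audit table above

// Constructed sample lockfile (npm lockfileVersion 1 shape). Version numbers
// other than marked 0.6.1 / 0.6.2 are made up for this example.
const SAMPLE_LOCK = {
  name: 'hexo-site',
  lockfileVersion: 1,
  dependencies: {
    'hexo-renderer-marked': {
      version: '0.3.0',
      dependencies: {
        marked: { version: '0.6.1' } // pinned by the lockfile: still vulnerable
      }
    },
    'other-tool': {
      version: '1.0.0',
      dependencies: {
        marked: { version: '0.6.2' } // already at the patched version
      }
    }
  }
};

// Parse "MAJOR.MINOR.PATCH" into three integers; a leading "v" and any
// prerelease/build suffix ("-beta", "+build") are dropped.
function parseVersion(v) {
  const core = String(v).replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(n => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  }
  return parts;
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Expand a caret range into [min, maxExclusive). npm's rule freezes the
// leftmost non-zero component: ^0.6.1 means >=0.6.1 <0.7.0, ^1.2.3 means
// >=1.2.3 <2.0.0 and ^0.0.3 means >=0.0.3 <0.0.4.
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const min = range.slice(1);
  const [major, minor, patch] = parseVersion(min);
  let max;
  if (major > 0) max = `${major + 1}.0.0`;
  else if (minor > 0) max = `0.${minor + 1}.0`;
  else max = `0.0.${patch + 1}`;
  return { min, maxExclusive: max };
}

function satisfiesCaret(version, range) {
  const { min, maxExclusive } = caretBounds(range);
  return compareVersions(version, min) >= 0 && compareVersions(version, maxExclusive) < 0;
}

// Recursively collect every resolved copy of `pkg` in a lockfileVersion 1
// tree whose version is below `patchedMin`, using the same "a > b > c"
// path notation that npm audit prints.
function findVulnerable(lock, pkg, patchedMin, trail = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const path = [...trail, name];
    if (name === pkg && compareVersions(entry.version, patchedMin) < 0) {
      hits.push({ path: path.join(' > '), version: entry.version });
    }
    hits.push(...findVulnerable(entry, pkg, patchedMin, path));
  }
  return hits;
}

function main() {
  console.log(`^0.6.1 accepts 0.6.2: ${satisfiesCaret('0.6.2', '^0.6.1')}`);
  console.log(`^0.6.1 accepts 0.7.0: ${satisfiesCaret('0.7.0', '^0.6.1')}`);
  for (const hit of findVulnerable(SAMPLE_LOCK, PACKAGE, PATCHED_MIN)) {
    console.log(`VULNERABLE ${hit.path} @ ${hit.version} (patched in >=${PATCHED_MIN})`);
  }
}

main();
```

The range accepts the fix, but the lockfile decides what is installed: `npm install` with a lockfile present keeps the locked 0.6.1, and only `npm update`, `npm audit fix`, or a reinstall without the lockfile moves marked to 0.6.2 within `^0.6.1`. Running this check against a real lockfile (read it with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of `SAMPLE_LOCK`) is a quick way to confirm which copy npm audit is complaining about before and after an upgrade.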

yoshinorin (Member) commented Apr 24, 2019

@sanori
Thank you for your report :)
We already upgraded to marked 6.x in #87, and it is already merged into the current master branch.

But a new version is not yet released. Would you please wait for a new release?
Thanks :)

yoshinorin (Member) commented

@sanori
PS. Please execute the command below if you want to use the current master branch:

npm install https://github.com/hexojs/hexo-renderer-markdown-it#master

JLHwung (Contributor) commented May 10, 2019

An update:

hexo-renderer-marked@1.0.0 has just been published; install the latest version now:

npm install hexo-renderer-marked

@JLHwung JLHwung closed this as completed May 10, 2019
sanori (Author) commented May 11, 2019

I confirmed that npm install hexo-renderer-marked@1.0.0 resolved the vulnerability alert.
Thank you.


4 participants