
Vulnerability found while doing hexo init (hexo-cli v2.0.0) #11

Closed
navjotjsingh opened this issue Aug 1, 2019 · 4 comments

@navjotjsingh

Node version 10.16.0
NPM 6.10.2
Hexo 3.9.0
Hexo-cli v 2.0.0

I ran hexo init and got this:

INFO Cloning hexo-starter https://github.com/hexojs/hexo-starter.git
Cloning into '/var/www/diary/html'...
remote: Enumerating objects: 77, done.
remote: Total 77 (delta 0), reused 0 (delta 0), pack-reused 77
Unpacking objects: 100% (77/77), done.
Submodule 'themes/landscape' (https://github.com/hexojs/hexo-theme-landscape.git) registered for path 'themes/landscape'
Cloning into '/var/www/diary/html/themes/landscape'...
remote: Enumerating objects: 44, done.
remote: Counting objects: 100% (44/44), done.
remote: Compressing objects: 100% (34/34), done.
remote: Total 954 (delta 18), reused 19 (delta 8), pack-reused 910
Receiving objects: 100% (954/954), 3.16 MiB | 5.18 MiB/s, done.
Resolving deltas: 100% (506/506), done.
Submodule path 'themes/landscape': checked out '73a23c51f8487cfcd7c6deec96ccc7543960d350'
INFO Install dependencies
npm WARN deprecated core-js@1.2.7: core-js@<2.6.8 is no longer maintained. Please, upgrade to core-js@3 or at least to actual version of core-js@2.
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.9 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

added 340 packages from 501 contributors and audited 6879 packages in 17.555s
found 1 low severity vulnerability
run npm audit fix to fix them, or npm audit for details
INFO Start blogging with Hexo!

On running npm audit I got this:

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│           Some vulnerabilities require your attention to resolve             │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.7.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ hexo-renderer-marked                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ hexo-renderer-marked > marked                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1076                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 6879 scanned packages
1 vulnerability requires manual review. See the full report for details.

npm audit fix doesn't work as it requires me to do a manual review.
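The "manual review" verdict above comes down to the lockfile: the vulnerable marked sits nested under hexo-renderer-marked, and whether npm audit fix can replace it depends on the range that parent declares for it. The script below is an added example, not code from the Hexo project or from npm. It walks a constructed npm 6 style package-lock.json (lockfileVersion 1, nested "dependencies" objects) modelled on the audit path hexo-renderer-marked > marked, finds every installed copy of the advisory's package, and reports whether each copy is below the patched version and whether the parent's declared range admits the patched version. The lockfile contents, the version numbers, the ^0.6.0 range and the simplified caret semantics are all assumptions made for the example; the real lockfile behind this report is not on the page.

```javascript
'use strict';

// Added example, not Hexo or npm code. Constructed lockfile fragment modelled
// on the audit path from the issue (hexo-renderer-marked > marked); versions
// and ranges are illustrative, not the real lockfile behind the report.
const lockfile = {
  name: 'hexo-site',
  lockfileVersion: 1,
  dependencies: {
    'hexo-renderer-marked': {
      version: '1.0.1',
      requires: { marked: '^0.6.0' },
      dependencies: { marked: { version: '0.6.2' } },
    },
    // A second, top-level copy that is already at the patched version.
    marked: { version: '0.7.0' },
  },
};

// Advisory shape used here: package, lowest patched version and title, taken
// from the "Patched in >=0.7.0" row of the audit table.
const advisories = [
  { package: 'marked', patchedFrom: '0.7.0', title: 'Regular Expression Denial of Service' },
];

// "1.2.3" -> [1, 2, 3]. Assumption: plain release versions only; prerelease
// tags and build metadata are not handled.
function parseVersion(v) {
  return v.replace(/^[^\d]*/, '').split('.').slice(0, 3).map(n => parseInt(n, 10) || 0);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Simplified caret semantics (not a full semver engine): ^1.2.3 allows
// >=1.2.3 <2.0.0, while ^0.6.0 allows >=0.6.0 <0.7.0 because a 0.x minor bump
// counts as breaking. A bare version matches only itself.
function caretAllows(range, version) {
  if (!range.startsWith('^')) return compareVersions(range, version) === 0;
  const lower = range.slice(1);
  if (compareVersions(version, lower) < 0) return false;
  const base = parseVersion(lower);
  const v = parseVersion(version);
  if (base[0] !== 0) return v[0] === base[0];
  return v[0] === 0 && v[1] === base[1];
}

// Depth-first walk over nested dependencies, collecting every installed copy
// of `name` with its path and the range its parent declared for it.
function findCopies(lock, name) {
  const found = [];
  const walk = (deps, path, parent) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const here = path.concat(dep);
      if (dep === name) {
        found.push({
          path: here.join(' > '),
          version: entry.version,
          parentRange: parent && parent.requires ? parent.requires[dep] : undefined,
        });
      }
      walk(entry.dependencies, here, entry);
    }
  };
  walk(lock.dependencies, [], null);
  return found;
}

// Cross the lockfile with the advisories. A copy is vulnerable when it is
// below the patched version; it is auto-fixable only if the parent's range
// admits the patched version, otherwise the parent itself must ship a new
// release (the "manual review" case). A top-level copy has its range in
// package.json, which this example does not read, so it is treated as fixable.
function auditLock(lock, advs) {
  const findings = [];
  for (const adv of advs) {
    for (const copy of findCopies(lock, adv.package)) {
      if (compareVersions(copy.version, adv.patchedFrom) >= 0) continue;
      const autoFixable = copy.parentRange === undefined
        || caretAllows(copy.parentRange, adv.patchedFrom);
      findings.push({
        title: adv.title, path: copy.path, version: copy.version,
        patchedFrom: adv.patchedFrom, parentRange: copy.parentRange, autoFixable,
      });
    }
  }
  return findings;
}

for (const f of auditLock(lockfile, advisories)) {
  console.log(`${f.title}: ${f.path}@${f.version} (patched in >=${f.patchedFrom}); ` +
    `parent requires ${f.parentRange}; ` +
    (f.autoFixable ? 'npm audit fix can update it' : 'needs a new parent release (manual review)'));
}
```

Run it with node; the single finding it prints is the nested copy, flagged as not auto-fixable because ^0.6.0 cannot reach 0.7.0. Against a real project, replace the constructed object with JSON.parse of the project's package-lock.json and the advisory list with the rows from npm audit.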

tomap commented Aug 2, 2019

Fixed by hexojs/hexo-renderer-marked#102
Will publish a new version soon

curbengh transferred this issue from hexojs/hexo Aug 2, 2019

curbengh commented Aug 2, 2019

To be closed once hexo-renderer-marked@2 is released and updated in this repo as well.

@curbengh

Pending hexojs/hexo#3695

curbengh commented Oct 3, 2019

hexo-renderer-marked@2 has been released and updated in this repo #17.

curbengh closed this as completed Oct 3, 2019