fix: vuln in markdown > markdown-it #255
Conversation
I believe this is already fixed in the |
@nschonni What is the next branch? I'm having trouble resolving my |
Apologies, I was mixing this up with https://github.com/DavidAnson/markdownlint that uses that branching setup and was recently patched for this |
package-lock.json
@@ -1,7484 +1,8 @@ | |||
{ | |||
"name": "markdownlint-cli", | |||
"version": "0.30.0", | |||
"lockfileVersion": 2, | |||
"lockfileVersion": 1, |
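Review bot: the only visible change in this hunk is "lockfileVersion" going from 2 to 1, which means the lock file was regenerated with npm 6 instead of the npm 7+ that produced the existing version-2 file, and the hunk header (-1,7484 +1,8) shows the old 7484-line file being replaced wholesale rather than a few entries changing. That format downgrade hides the actual dependency update being reviewed; please regenerate with the same npm major the repository currently uses so that only the markdown-it related entries differ and the lockfileVersion line stays at 2.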
Not sure the package lock version should be downgraded, although it is "better" because Node 12 still ships with NPM 6
Oh my apologies. Let me get my nvm up and running to be able to fix this.
For everything else I do, I'm still using node 14 (which comes with NPM 6)
@nschonni Ok take another look. I re-ran with node 16 and the diffs look much better
It looks like this project is inconsistent between tilde and caret, but why did you change that as part of this pull request?
@DavidAnson I tried running |
Thanks!
Is there to be a corresponding release? |
Upcoming. This tends to be the last markdownlint project I update because it has the biggest reach and I'd like to find any issues with the smallest audience. Probably in a couple of weeks. |
Just out of curiosity, why fix |
I do not understand. This commit updates to the latest markdownlint library version. |
@Mister-Hope |
I'm talking about this library fixing its version (i.e. "x.y.z") rather than "~x.y.z" or "^x.y.z"; can't we let users install newer deps without waiting for a release? I may have "markdown-it" used in other tools (e.g. a doc generator), and I would like it to always have the newest version, instead of being fixed to a version because of this package in devDeps in some situations. Wait, I think I got it, markdownlint is actually the one which fixes the version, right? @DavidAnson |
I have had to fix more CI breaks due to (improper) patch-level changes and spent more hours dealing with malicious patch-level packages than I think I have gained from automatic patch-level updates because of loose versioning. It also seems problematic that the bits someone runs depends on the day of the week they installed the package. That's a recipe for mysterious bugs and hard-to-find problems. I know my decision to use explicit package versions does not solve this problem for the ecosystem, but I felt that it was the more sensible approach. |
@Mister-Hope I posted more about my thinking here: https://twitter.com/davidans/status/1484626749950283777?s=21 |
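The exchange above turns on what an exact "x.y.z" pin, a "~x.y.z" tilde range and a "^x.y.z" caret range each allow npm to install. As an added example, not code from markdownlint-cli or its maintainers, the following implements npm's matching rules for those three forms and adds a helper that lists the dependencies in a package.json-style object whose range is not an exact pin. The package names and versions in the sample are constructed for the example.

```javascript
// Added example (not from the markdownlint-cli project): a minimal semver
// range matcher for exact, tilde ("~x.y.z") and caret ("^x.y.z") ranges,
// plus a helper that reports which declared dependencies are not pinned.
// It handles plain "x.y.z" versions only (no pre-release tags or build metadata).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a range, following npm's rules:
//   ~x.y.z -> < x.(y+1).0
//   ^x.y.z -> < (x+1).0.0 when x > 0
//             < 0.(y+1).0 when x == 0 and y > 0
//             < 0.0.(z+1) when x == 0 and y == 0
function upperBound(op, [x, y, z]) {
  if (op === "~") return [x, y + 1, 0];
  if (x > 0) return [x + 1, 0, 0];
  if (y > 0) return [0, y + 1, 0];
  return [0, 0, z + 1];
}

// True when `version` is one that npm may install for the declared `range`.
function satisfies(version, range) {
  const r = range.trim();
  const op = r[0] === "~" || r[0] === "^" ? r[0] : "";
  const base = parseVersion(op ? r.slice(1) : r);
  const v = parseVersion(version);
  if (!op) return compare(v, base) === 0; // exact pin: only that one version
  return compare(v, base) >= 0 && compare(v, upperBound(op, base)) < 0;
}

// Names of dependencies whose range lets a version other than the one the
// author tested with be installed (i.e. anything with a ~ or ^ prefix).
function unpinnedDependencies(deps) {
  return Object.entries(deps)
    .filter(([, range]) => /^[~^]/.test(range.trim()))
    .map(([name]) => name);
}

// Constructed sample dependencies; not the project's real package.json.
const sampleDeps = {
  "sample-parser": "1.4.2",      // exact pin: no automatic updates
  "sample-cli-helper": "~2.1.0", // tilde: patch updates allowed
  "sample-glob": "^3.0.5",       // caret: minor and patch updates allowed
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("not pinned:", unpinnedDependencies(sampleDeps));
  console.log("1.4.3 satisfies 1.4.2 pin:", satisfies("1.4.3", "1.4.2"));
  console.log("2.1.7 satisfies ~2.1.0:", satisfies("2.1.7", "~2.1.0"));
  console.log("3.9.0 satisfies ^3.0.5:", satisfies("3.9.0", "^3.0.5"));
}
```

Running the block prints that only the tilde and caret entries are unpinned, that a patch release does not satisfy an exact pin, and that the tilde range accepts a patch bump while the caret range also accepts a minor bump; the `0.y.z` and `0.0.z` caret cases follow npm's narrower rules, which is why `upperBound` treats them separately.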
Pulls in fix to update vuln in markdown-it
I just ran
npm audit fix
DavidAnson/markdownlint@v0.25.0...v0.25.1