marked dependency is insecure version

[anselmbradford]

https://nvd.nist.gov/vuln/detail/CVE-2017-17461
https://nvd.nist.gov/vuln/detail/CVE-2017-1000427

Suggested update marked ~> 0.3.9.

[thijstriemstra]

Running into same issue, can a new jsdoc be released with a marked 0.3.9?

[wuhanyumsft]

The same issue here.

[Radiergummi]

Hearing the Github announcement of security vulnerability notifications, I've already wondered what it will be if a commonly used dependency of a commonly used dependency has a security problem... here we are, with possibly thousands of projects affected! 😄

[fgm]

A temporary solution can be to add an explicit dependency to marked ~0.3.9 on dependent projects. With Yarn and reasonably recent versions of NPM, a single version of marked will be used and will actually be 0.3.9, which works around the problem.

[Danw33]

@micmath / @hegemonic

[thijstriemstra]

ping @hegemonic, can a maintainer please take a look at this trivial issue that has big implications?

[jy95]

Don't know if the maintainers saw there is a new version of this : v0.3.12

The fun fact is this line of the release :

Addresses issue where some users might not have been able to update due to missing use strict #991

it's worth a try XD

[nyteshade]

3.5.5 still points to a version of marked < 0.3.9. Even if a new version was pushed here with a fix, it wasn't published to npm. Can new version please be published?

[thijstriemstra]

Its been 30 days, no devs respond, is this project dead, devs do not care or both?

[75lb]

this trivial issue that has big implications?

Does it really have big implications? It seems to me there are zero security implications here. Unless you think a hacker, having already compromised a server to a sufficient degree to launch a process, would be firing up a shell looking for command-line tools to exploit. If a villain already hacked his way into a server, why would he be searching for exploits in a command-line tool (like jsdoc), looking for ways to run malicious code? He already compromised the box and can run whatever code he likes.

[Radiergummi]

@75lb this isn't about command line tools. It would be enough for someone to contribute seemingly proper code to a Github project but include a hidden base64 URI somewhere. If that stays unnoticed and the PR is merged in, the next time JSDoc is used to generate the docs, it will include the malicious code. Et voilà, there you have it: Public documentation of a possibly big open source project, compromising all visitors.

[75lb]

@Radiergummi So hackers are now successfully submitting malicious code as PR requests? Knowing the maintainer of the project is an experienced guy, I can't say I'm too worried about that risk, personally.

Anyway, this project has a dependency on marked@~0.3.6 meaning that when you install jsdoc, marked v0.3.17 (the latest version compatible with ~0.3.6) is installed - which has no security issues. I still can't find a security issue here.

[loanlaux]

@75lb People who have installed jsdoc earlier with marked version 0.3.6 (myself for example) don't necessarily get updated running npm install again. I just ran npm audit to check my deps for vulnerability and this jsdoc/marked issue is the only one that stands out as "High risk".

I'm not sure that's the best image for jsdoc, especially given that the only thing to do is to bump the marked version in package.json.

[arnaugm]

Any update on this? The issue seems to be still present.