Potentially vulnerable dependency marked-0.8.2.js

[bhadana-rajesh]

Potentially vulnerable dependency marked-0.8.2.js

Please see markedjs/marked@bd4f8c4

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service

jsdoc - marked dependency should be upgraded to 1.1.1 or above version.

[dargmuesli]

marked seems to not be used by default anymore: #1243

For JSDoc 3.6.0, we'll add markdown-it and use it by default, but marked will still be available. For JSDoc 3.7.0, marked will be removed.

So you might be able to mute your vulnerability notifications for that.

[pardoman]

Removal of markdown has been proposed back in 2017, see #1413, so I'm not counting on this work landing any time soon.

I was wondering if a simpler approach would be to upgrade the existing marked library version into 1.1.1, given that marked version 1.0.0 is "non-breaking for most users".

I tried looking into making this fix, but gave up after running into the good ol' node-gyp errors, which I'm currently not willing to work through.