-
-
Notifications
You must be signed in to change notification settings - Fork 713
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remarkable Dependency Vulnerability #156
Comments
For those still affected, I've been able to get around this by adding an override to my package.json. deps.dev was a huge help to figuring out the dependency chain and that versions higher than autolinker>=0.2.1 is not vulnerable, but v4.0.0 seems to work fine for me. I even cloned the markdown-toc repo, added this fix, and ran its test. They pass!
I have a pending fix here #195. @KarinBlanford , @jonschlinkert , @doowb |
fixes https://github.com/slsa-framework/slsa-verifier/security/code-scanning/11 markdown-toc's latest v1.2.0 is still vulnerable via a transitive dependency, but hasn't received updates in a long time. This PR overrides one of the other transitive dependencies to a non-vulnerable version. more info here jonschlinkert/markdown-toc#156 (comment) # Testing process - Manually invoked `make markdown-toc` and it did succeed, while also adding a missing header in the README. - Made a few typos in the headers and markdown-toc did fix them. - Cloned markdown-toc, added the override, and its unit tests passed --------- Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
The dependency Remarkable has been updated to use autolinker v3.0.0+ as there was a DOS vulnerability in autolinker v0.28.1 (https://snyk.io/vuln/SNYK-JS-AUTOLINKER-73494).
Updating Remarkable to v2.0.0+ will resolve the issue.
Old - https://github.com/jonschlinkert/remarkable/blob/v1.7.4/package.json#L66
New - https://github.com/jonschlinkert/remarkable/blob/v2.0.0/package.json#L81
Currently unable to install markdown-toc due to older version of autolinker being quarantined on corporate npm registry.
The text was updated successfully, but these errors were encountered: