Markdown-to-jsx, a lightweight and configurable library for converting Markdown to JSX, has a new version, 6.11.4. Compared with the previous stable version, 6.11.3, the core functionality is unchanged: it gives developers an easy way to render Markdown content within React and React-like projects. Both versions have identical dependencies, including unquote and prop-types, and a comprehensive set of development dependencies for testing, linting, and building, such as jest, eslint, webpack, and various Babel presets and plugins, which indicates an emphasis on code quality and maintainability.
While the dependency lists and core features are the same, the key difference lies in the distribution files. Version 6.11.4 has a slightly larger unpacked size, 251429 bytes versus 251041 bytes for 6.11.3. The change to the distribution archive might include minor bug fixes, performance improvements, or documentation updates, but it does not imply any notable change for the user. Most users would benefit from taking the newest version of the library for its enhanced security and latest fixes.
Developers already using markdown-to-jsx are unlikely to notice major differences when upgrading, but should still prefer the latest version. New users can rely on either version for basic usage, and choosing the newest version brings whatever updates it contains. The library's MIT license, GitHub repository, and consistent developer tooling suggest a commitment to open source principles and community support. The peer dependency on React (>= 0.14.0) shows its compatibility with a broad range of React projects.
All vulnerabilities related to version 6.11.4 of the package
Cross site scripting in markdown-to-jsx
Versions of the package markdown-to-jsx before 7.4.0 are vulnerable to Cross-site Scripting (XSS) via the src property due to improper input sanitization. An attacker can execute arbitrary code by injecting a malicious iframe element in the Markdown. Because 6.11.4 is below 7.4.0, it falls within the affected range; the advisory's fixed version is 7.4.0.
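As an added defensive example (not code from this page or from the markdown-to-jsx project), the following pre-render gate inspects untrusted Markdown for the two things the advisory names: raw HTML elements that can load foreign content (iframe and similar) and src values whose URL scheme is not http or https. It is a stopgap for applications still on a version below 7.4.0; the actual fix is upgrading to 7.4.0 or later. The function names findUnsafeEmbeds and isSafeToRender, the element blocklist, and the sample Markdown strings are all constructed for this example and are not part of the library's API.

```javascript
// Added example, not markdown-to-jsx's own code: a check to run on untrusted
// Markdown before handing it to a renderer that passes raw HTML through.

// Elements that can load or execute foreign content; constructed blocklist.
const BLOCKED_ELEMENTS = new Set(["iframe", "object", "embed", "script"]);
// Only these URL schemes are accepted in src values; relative URLs pass.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Opening HTML tag: captures the tag name and its attribute text.
const TAG_RE = /<\s*([a-zA-Z][\w:-]*)((?:\s+[^>]*?)?)\/?>/g;
// src attribute in double-quoted, single-quoted or unquoted form.
const SRC_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
// Markdown image syntax ![alt](url): captures the URL up to whitespace or ')'.
const MD_IMAGE_RE = /!\[[^\]]*\]\(\s*<?([^\s)>]+)/g;

// Returns the lowercase URL scheme (e.g. "javascript:") or null for a
// relative URL. Entity-encoded colons and embedded whitespace/control
// characters are normalised first, because browsers ignore them.
function srcScheme(value) {
  const cleaned = value
    .replace(/&#x3a;|&#58;|&colon;/gi, ":")
    .replace(/[\s\u0000-\u001f]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*:)/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Scans the Markdown and returns one finding per unsafe element or src.
function findUnsafeEmbeds(markdown) {
  const findings = [];
  let match;

  TAG_RE.lastIndex = 0;
  while ((match = TAG_RE.exec(markdown)) !== null) {
    const tag = match[1].toLowerCase();
    const attrs = match[2] || "";
    if (BLOCKED_ELEMENTS.has(tag)) {
      findings.push({ tag, reason: "blocked element" });
      continue;
    }
    const src = SRC_RE.exec(attrs);
    if (!src) continue;
    const value = src[1] || src[2] || src[3] || "";
    const scheme = srcScheme(value);
    if (scheme !== null && !ALLOWED_SCHEMES.has(scheme)) {
      findings.push({ tag, reason: `disallowed src scheme ${scheme}` });
    }
  }

  MD_IMAGE_RE.lastIndex = 0;
  while ((match = MD_IMAGE_RE.exec(markdown)) !== null) {
    const scheme = srcScheme(match[1]);
    if (scheme !== null && !ALLOWED_SCHEMES.has(scheme)) {
      findings.push({ tag: "img (markdown)", reason: `disallowed src scheme ${scheme}` });
    }
  }
  return findings;
}

function isSafeToRender(markdown) {
  return findUnsafeEmbeds(markdown).length === 0;
}

// Constructed sample inputs.
const SAMPLE_SAFE = [
  "# Release notes",
  "",
  "![logo](https://example.com/logo.png)",
  '<img src="/static/diagram.png" alt="diagram">',
  "Inline `code` and a [link](https://example.com).",
].join("\n");

const SAMPLE_UNSAFE = [
  "Some text",
  '<iframe src="https://example.com/"></iframe>',
  '<img src="javascript:alert(1)">',
  '<img src="java\tscript&#58;alert(1)">',
  "![x](data:text/html;base64,AAAA)",
].join("\n");

console.log(isSafeToRender(SAMPLE_SAFE), findUnsafeEmbeds(SAMPLE_UNSAFE));
```

The scanner is deliberately strict: it rejects the blocked elements regardless of their src, and it rejects any non-http(s) scheme rather than trying to enumerate dangerous ones, so data: and entity-obfuscated javascript: values are both caught. Rejected content should be refused or rendered as plain text, not silently stripped, so that the event is visible in application logs.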