Marked version 0.7.0 is a minor update to the popular "marked" markdown parser, building on version 0.6.3. Both versions share the same core description: a markdown parser built for speed. The developer dependencies are identical, preserving the tooling used for development, testing, and code quality, including the linter (eslint) and the test framework (jasmine). This consistency implies that the underlying development workflow did not change significantly between the two releases.
The key difference lies in the dist object, which describes the packaged artifact. Version 0.7.0 has a slightly larger unpacked size (83919 bytes) than 0.6.3 (82379 bytes), and the tarball URL reflects the new version number. The size difference is small but suggests that 0.7.0 includes additional features, bug fixes, or optimizations that added to the package. The release dates show that 0.7.0 was published on 2019-07-06, a short time after 0.6.3 was published on 2019-06-30.
For developers using "marked", migrating from 0.6.3 to 0.7.0 should be straightforward, since the set of development dependencies is unchanged. The update likely resolves minor bugs, improves performance, or introduces small feature additions, which makes it an easy version to adopt. The change log should be consulted for the full details of the update; the basic package information alone indicates an incremental, potentially optimized release.
All vulnerabilities affecting version 0.7.0 of the package
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
The PoC is the following:
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
The PoC is the following:
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory: