Marked version 2.0.3 is a minor update over its predecessor, version 2.0.2, in the ongoing evolution of this popular and fast Markdown parser. Both versions share the same set of development dependencies, indicating a consistent tooling and testing environment: ESLint for linting, Rollup for bundling, and Jasmine for unit testing, so code quality and maintainability remain a priority. The inclusion of semantic-release and its plugins signals automated release management and adherence to semantic versioning.
While the devDependencies are identical, the dist section differs: version 2.0.3 has a slightly larger unpackedSize (286752 bytes) than 2.0.2 (286676 bytes), suggesting minor additions or adjustments to the codebase. This small size increase, together with a newer releaseDate, indicates that version 2.0.3 likely contains bug fixes, performance improvements, or very small new features that improve the overall stability and function of the library.
For developers, this incremental update reflects a focus on continuous improvement. Because the dev dependencies are unchanged, existing workflows and integration strategies remain effective, and upgrading from 2.0.2 is likely to be straightforward. With the license, repository details, and author identical, developers can maintain confidence in the project's open-source nature and governance. Those seeking the most up-to-date and potentially more refined version are advised to opt for 2.0.3 to benefit from the latest enhancements.
All vulnerabilities affecting version 2.0.3 of the package
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
The PoC is the following:
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
The PoC is the following:
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.