Marked versions 4.0.0 and 3.0.8 are both markdown parsers designed for speed, but version 4.0.0 introduces several updates and refinements that developers should be aware of. The most immediately noticeable difference is the increased unpacked size, going from 309KB in version 3.0.8 to 399KB in version 4.0.0. This implies the addition of new features, more comprehensive code, or potentially improved performance optimizations.
Looking at the devDependencies, we can observe upgrades in several packages. @babel/core and @babel/preset-env see version bumps from 7.15.8 to 7.16.0, providing access to newer JavaScript features for development. eslint is upgraded to version 8.1.0 from 8.0.1, benefitting from the latest linting rules and best practices. Crucially, @semantic-release/git moves from version 10.0.0 to 10.0.1, and @rollup/plugin-commonjs from 21.0.0 to 21.0.1, indicating improvements in version control and CommonJS module handling during the build process. eslint-plugin-promise also gets a minor upgrade to 5.1.1 from 5.1.0. These dependency upgrades suggest enhancements in the development workflow, code quality, and possibly the library's compatibility with different environments. For developers using Marked, version 4.0.0 offers a refined and potentially more robust markdown parsing experience. The update can be interesting because of the enhanced toolchain and potential for improved markdown parsing capabilities.
All the vulnerabilities related to the version 4.0.0 of the package
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory: