The marked npm package, a popular choice for fast and accurate Markdown parsing, saw a patch-version bump from 4.0.3 to 4.0.4. Both versions share the same core description and license (MIT), but several dependency updates and internal changes differentiate them.
Version 4.0.4 updates its rollup devDependency from 2.59.0 to 2.60.0, and also bumps node-fetch from 3.0.0 to 3.1.0 and eslint-plugin-import from 2.25.2 to 2.25.3.
These changes touch the build and lint toolchain rather than the runtime code path. Development dependencies are not installed by consumers of the package, so their effect is mainly a better environment for contributors working on the project itself.
The dist metadata also differs between the two versions. Both releases contain 20 files, but the unpacked size grew from 394,644 bytes to 394,786 bytes, a small change that points to edits in the shipped code. The release dates differ as well: version 4.0.4 was published on November 19, 2021, and its predecessor on November 13, 2021.
For developers using marked, these incremental updates represent continued refinement and maintenance of the library. The public API is unchanged, so moving from 4.0.3 to 4.0.4 carries little migration risk and picks up the latest bug fixes. Note, however, that 4.0.4 is itself within the range affected by the two regular expression advisories listed below, whose fix version is 4.0.10; anyone who parses untrusted Markdown should upgrade at least that far.
Vulnerabilities affecting version 4.0.4 of the package
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
The PoC is as follows.
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked, or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
The PoC is as follows.
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked, or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory: