Showdown is a widely used JavaScript library that converts Markdown text into HTML. Versions 1.8.6 and 1.8.5 are both stable releases of the tool, giving developers a reliable way to integrate Markdown parsing into web applications and other projects. Examining the package data shows that the core dependencies and development dependencies are identical between the two versions. Both depend on yargs for command-line argument parsing, which supports the library's command-line interface. The extensive list of devDependencies, including chai for testing, grunt for task automation, and eslint for code linting, reflects the project's attention to code quality and maintainability.
The primary distinction is the release date. Version 1.8.6 was published on December 22, 2017, while version 1.8.5 was released on December 10, 2017. This suggests that version 1.8.6 contains bug fixes, minor enhancements, or dependency updates made after the release of 1.8.5. The provided data includes no change log, so the exact modifications cannot be pinpointed here, but developers should generally favor the later version (1.8.6) to benefit from the latest improvements and any security patches. The library's BSD-3-Clause license allows flexible use in a wide range of projects, and the linked GitHub repository is the place for issue tracking, contributions, and detailed information about the changes between versions for developers who want to dig deeper.
All the vulnerabilities related to version 1.8.6 of the package
Reverse Tabnabbing in showdown
Versions of showdown prior to 1.9.1 are vulnerable to Reverse Tabnabbing. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks.
Upgrade to version 1.9.1 or later.
Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by supplying a very large and well-crafted string.
Denial of Service in mem
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.
Upgrade to version 4.0.0 or later.
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
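The following is an added example, not code from showdown or yargs-parser: a minimal dotted-key argument parser that refuses the key segments prototype pollution depends on, plus a check that confirms Object.prototype was not modified after parsing. The function names (setDottedKey, parseArgs, prototypeIsClean) and the argv samples are constructed for this illustration.

```javascript
// Key segments that let a dotted path such as "foo.__proto__.bar" reach
// Object.prototype instead of the result object.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Snapshot of Object.prototype's own property names taken before any parsing,
// used later to detect properties that a polluted parse would have added.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Sets obj[a][b][c] = value for key "a.b.c". Intermediate objects are created
// without a prototype so property lookups never walk into Object.prototype.
function setDottedKey(obj, key, value) {
  const parts = key.split('.');
  for (const part of parts) {
    if (FORBIDDEN_SEGMENTS.has(part)) {
      throw new Error(`refusing key segment "${part}" in "${key}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    const existing = Object.prototype.hasOwnProperty.call(cur, part) ? cur[part] : undefined;
    if (typeof existing !== 'object' || existing === null) {
      cur[part] = Object.create(null);
    }
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Parses "--a.b value" pairs (a flag with no following value becomes true).
// Tokens that do not start with "--" are ignored to keep the example small.
function parseArgs(argv) {
  const result = Object.create(null);
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (!tok.startsWith('--')) continue;
    const key = tok.slice(2);
    const hasValue = i + 1 < argv.length && !argv[i + 1].startsWith('--');
    setDottedKey(result, key, hasValue ? argv[++i] : true);
  }
  return result;
}

// Defender's post-parse check: true if Object.prototype has exactly the own
// properties it had before parsing, i.e. nothing like "bar" was added to all objects.
function prototypeIsClean() {
  return Object.getOwnPropertyNames(Object.prototype).every((n) => PROTOTYPE_BASELINE.has(n));
}
```

Run prototypeIsClean() after any untrusted argv has been parsed; a false result means some parser in the process wrote into Object.prototype.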