Conversation

rpokorny commented Jan 4, 2021

commonmark 0.27.0 has a denial-of-service vulnerability in the form of some inefficient parsing that takes quadratic time, as documented here: commonmark/commonmark.js#172

This was fixed in commonmark 0.29.1, so this PR upgrades to that version. Running the tests locally they pass without further changes.

At the moment, this PR should be considered a work in progress as it has an installation warning due to the new version of commonmark not matching the peerDependencies spec of commonmark-react-renderer. I have opened a PR in that project as well that should fix that issue, and this PR is dependent on that one: rexxars/commonmark-react-renderer#42.
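The two checks a reviewer would want to automate for a bump like this, as an added example that is not part of the PR or of either project's code: whether the resolved commonmark version is still below the 0.29.1 fix the PR names, and whether an installed package's peerDependencies range still admits the new version. The lockfile contents and the `^0.27.0` peer range for commonmark-react-renderer are constructed assumptions (the real range is not given on the page); the minimal range matcher is included only so the script runs offline, and a real project should use the `semver` package's `satisfies` instead.

```javascript
// Added example, not code from the PR, commonmark or commonmark-react-renderer.
// (1) flags a commonmark version below the 0.29.1 fix named in the PR and
// (2) reports peerDependencies ranges that the resolved versions do not satisfy.

const FIXED_COMMONMARK = '0.29.1'; // version the PR upgrades to

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1 for a < b, a == b, a > b on major.minor.patch.
function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, following npm semantics:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
function caretUpperBound(v) {
  const [major, minor, patch] = parseSemver(v);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

// Minimal range matcher: whitespace-separated comparators (^x.y.z, >=, >, <=, <)
// or a bare version meaning exact match. Every comparator must hold.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((token) => {
    if (token.startsWith('^')) {
      const base = token.slice(1);
      return compareSemver(version, base) >= 0 &&
             compareSemver(version, caretUpperBound(base)) < 0;
    }
    const m = /^(>=|<=|>|<)?(.+)$/.exec(token);
    const cmp = compareSemver(version, m[2]);
    switch (m[1]) {
      case '>=': return cmp >= 0;
      case '<=': return cmp <= 0;
      case '>':  return cmp > 0;
      case '<':  return cmp < 0;
      default:   return cmp === 0;
    }
  });
}

// (1) Is the resolved commonmark still older than the fixed release?
function auditCommonmark(installed) {
  const version = installed['commonmark'];
  if (!version) return { present: false, vulnerable: false };
  return { present: true, version, vulnerable: compareSemver(version, FIXED_COMMONMARK) < 0 };
}

// (2) Which peerDependencies declared by installed packages are unmet?
// Returns one record per unmet peer: who demanded it, which peer, the range, what is installed.
function findPeerMismatches(installed, peerDeclarations) {
  const problems = [];
  for (const [pkg, peers] of Object.entries(peerDeclarations)) {
    if (!installed[pkg]) continue; // dependant not installed, nothing to check
    for (const [peer, range] of Object.entries(peers)) {
      const have = installed[peer];
      if (!have || !satisfies(have, range)) {
        problems.push({ dependant: pkg, peer, wanted: range, installed: have || null });
      }
    }
  }
  return problems;
}

// Constructed sample data: versions as a lockfile would resolve them before and
// after the bump, and a hypothetical peer range for commonmark-react-renderer.
const BEFORE = { commonmark: '0.27.0', 'commonmark-react-renderer': '4.0.0' };
const AFTER  = { commonmark: '0.29.1', 'commonmark-react-renderer': '4.0.0' };
const PEER_DECLARATIONS = { 'commonmark-react-renderer': { commonmark: '^0.27.0' } };

console.log('before:', auditCommonmark(BEFORE), findPeerMismatches(BEFORE, PEER_DECLARATIONS));
console.log('after: ', auditCommonmark(AFTER), findPeerMismatches(AFTER, PEER_DECLARATIONS));
```

Run against the constructed data, the "before" state is vulnerable but has no peer mismatch, while the "after" state is fixed but trips the peer check, which is exactly the warning the PR description reports and why it depends on the companion change to commonmark-react-renderer's peer range.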

rpokorny (Author) commented Jan 4, 2021

Just noticed that this repo uses yarn, while I was installing with npm. I'll update the PR shortly.

Edit: done
