Security vulnerability reported on Snyk #89
Comments
Thanks @mschipperheyn, it looks like the vulnerability is through remarkable jonschlinkert/remarkable#310 and there's a pull request with a fix. Hopefully that gets merged soon and we can update our remarkable dependency :)
@Rosey It appears that @jonschlinkert isn't ever interested in fixing this problem. Is there another library you could use instead of remarkable? I am willing to attempt a PR.
Hmm, I chose remarkable because it has really great support for custom markdown options (eg designing your own markdown syntax for things like mentions) which I wasn't able to find with other tools. If you know of another markdown parser that is equally flexible then it could be possible to switch 🙂 I suppose another option is to fork remarkable and patch the vulnerabilities and use that fork instead of the original 😓
I’m with you. I like the library and in fact, I offered a PR to the author that met his initial request of ripping out argparse and replacing it with another library he’d identified. He decided not to accept that PR (or any of the many others from other authors that followed.) I can only assume that he is either trying to make a point, not interested in upkeep on this project or is working on a major re-write or something that obviates these changes.
This package seems really popular and well maintained. I haven’t looked at custom syntax.
/~https://github.com/markedjs/marked
If you did indeed do what you're saying, my apologies, I didn't ignore the PR intentionally. I would love to merge it and get rid of these issues. Can you link to the PR?
#104 Updates to the latest version of remarkable, which resolves 2 out of 3 security alerts on Snyk.
Does the third one come from remarkable too?
Ah, I see. It comes from autolinker. That dependency is evaluated a lot. I'm not sure it's safe to upgrade it in a patch version. I will publish a major bump soon. It will include the autolinker upgrade.
Thanks so much @TrySound for knocking out that last one 🙂 https://snyk.io/test/npm/markdown-draft-js/2.0.0 I think we're all clear (for now at least 🙃). I did a major release bump for this one since the remarkable dependency bump was major and I didn't want to risk any backwards compatibility issues. However, I don't think there should be any. edit: Actually I'm glad I did a major. I have a project with Webpack that also required remarkable separately from markdown-draft-js and was still using an older version of remarkable when I first updated markdown-draft-js. Webpack tried to reconcile the two dependencies and hit problems until I upgraded the main remarkable dependency as well. So beware if you're on Webpack and in a similar situation as myself 🙂
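The situation above (one app resolving remarkable twice, once directly and once under markdown-draft-js, with the direct copy still on an old version) is easy to miss in a bundle. The following is an added example, not code from the markdown-draft-js project, that audits an npm lockfile (the `packages` map used by lockfile v2/v3) for every resolved copy of a package and flags copies below a chosen floor version; the lockfile contents and the version numbers in it are constructed placeholders, not remarkable's real release numbers.

```javascript
// Added example: find duplicate and outdated copies of one package in an npm
// lockfile (v2/v3 "packages" map). Sample data below is constructed.

// Minimal semver compare on MAJOR.MINOR.PATCH; prerelease tags are ignored.
function parseSemver(v) {
  return v.split('-')[0].split('.').map(Number);
}
function cmpSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// The package name is whatever follows the last "node_modules/" segment, so
// "node_modules/markdown-draft-js/node_modules/remarkable" -> "remarkable".
// Scoped names keep their "@scope/" prefix.
function packageNameFromPath(p) {
  const idx = p.lastIndexOf('node_modules/');
  return idx === -1 ? null : p.slice(idx + 'node_modules/'.length);
}

// Returns every resolved version of `name`, whether it is duplicated, and the
// lockfile paths whose version is below `minSafe` (the patched floor).
function auditPackage(lock, name, minSafe) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (packageNameFromPath(path) === name && meta.version) {
      hits.push({ path, version: meta.version });
    }
  }
  const versions = [...new Set(hits.map(h => h.version))].sort(cmpSemver);
  const belowFloor = hits
    .filter(h => cmpSemver(h.version, minSafe) < 0)
    .map(h => h.path);
  return { versions, duplicated: versions.length > 1, belowFloor };
}

// Constructed lockfile: the app depends on remarkable directly (old copy) and
// again transitively through markdown-draft-js (newer copy).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { 'markdown-draft-js': '^2.0.0', remarkable: '^1.0.0' } },
    'node_modules/remarkable': { version: '1.0.0' },
    'node_modules/markdown-draft-js': { version: '2.0.0' },
    'node_modules/markdown-draft-js/node_modules/remarkable': { version: '2.0.0' },
  },
};

const report = auditPackage(sampleLock, 'remarkable', '2.0.0');
console.log(JSON.stringify(report, null, 2));
```

Running it against a real project means loading `package-lock.json` with `JSON.parse` in place of `sampleLock` and passing the floor version named in the advisory you are closing.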
I'm not sure if you guys are aware of this: https://snyk.io/test/npm/markdown-draft-js/1.3.0 reports a security vulnerability on Snyk. It can be solved by upgrading the underscore.string dependency.