Remarkable Dependency Vulnerability #156
Comments
For those still affected, I've been able to get around this by adding an override to my package.json. deps.dev was a huge help in figuring out the dependency chain and that autolinker versions >=0.2.1 are not vulnerable, but v4.0.0 seems to work fine for me. I even cloned the markdown-toc repo, added this fix, and ran its tests. They pass!
I have a pending fix here #195. @KarinBlanford, @jonschlinkert, @doowb
fixes https://github.com/slsa-framework/slsa-verifier/security/code-scanning/11

markdown-toc's latest v1.2.0 is still vulnerable via a transitive dependency, but hasn't received updates in a long time. This PR overrides one of the other transitive dependencies to a non-vulnerable version. More info here: jonschlinkert/markdown-toc#156 (comment)

# Testing process

- Manually invoked `make markdown-toc` and it did succeed, while also adding a missing header in the README.
- Made a few typos in the headers and markdown-toc did fix them.
- Cloned markdown-toc, added the override, and its unit tests passed.

---------

Signed-off-by: Ramon Petgrave <[email protected]>
The dependency Remarkable has been updated to use autolinker v3.0.0+ as there was a DoS vulnerability in autolinker v0.28.1 (https://snyk.io/vuln/SNYK-JS-AUTOLINKER-73494).
Updating Remarkable to v2.0.0+ will resolve the issue.
Old - https://github.com/jonschlinkert/remarkable/blob/v1.7.4/package.json#L66
New - https://github.com/jonschlinkert/remarkable/blob/v2.0.0/package.json#L81
Currently unable to install markdown-toc due to the older version of autolinker being quarantined on our corporate npm registry.