Marked: Github says that marked has potential security vulnerabilities

Created on 4 Jan 2018 · 6 Comments · Source: markedjs/marked

Hello.
I want to let you know that I am seeing notifications about potential security vulnerabilities in https://github.com/chjj/marked, which is a dependency of a dependency of my library.
Here are links to the vulnerability descriptions:
https://nvd.nist.gov/vuln/detail/CVE-2017-1000427
https://nvd.nist.gov/vuln/detail/CVE-2017-17461


All 6 comments

Does updating to the latest release fix the issue?

Does updating to the latest release fix the issue?

I guess it should, as the 0.3.9 release mentions:

We think with this version we have addressed most, if not all, known security vulnerabilities. If you find more, please let us know.

@frederikprijck
Sure, some dependencies haven't updated it yet. I should open an issue there first. 🙄

Yep, it looks like some packages need to update their version.

@hamzahamidi: Yes, to the best of our knowledge the XSS vulnerabilities have been fixed. However, I'm not sure what all tools exist to help us (the maintainers) verify for certain. I will defer to @matt- and @UziTech as well because I'm more the coordinator and releaser (see #956).

If any of you know how to check for certain, or how to fix other vulnerabilities we may not be aware of, please let us know or submit a PR.

I will be closing this issue for now. Please feel free to continue the conversation. And, as always, please submit PRs and issues. Thank you!

As far as I know, we fixed all of the open XSS vulnerabilities in v0.3.9.
