React-styleguidist: High Severity Security Vulnerability: markdown-to-jsx
There is currently a high severity security vulnerability in the markdown-to-jsx package used by Styleguidist.
https://npmjs.com/advisories/1219
All versions of simple-markdown are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing data or VBScript URIs and a base64-encoded payload.
This vulnerability is now preventing our company from using Styleguidist to document components, as we run npm audit to ensure that our codebase is secure.
kybradeck
All 4 comments
Yes. We do have same problem and vulnerable packages are not allowed as per company policy.
gbhasha
on 21 May 2020
Snyk Report : https://snyk.io/test/npm/[email protected]
gbhasha
on 21 May 2020
Feel free to send a pull request with a fix.
sapegin
on 25 May 2020
It appears that this has been resolved: https://github.com/probablyup/markdown-to-jsx/issues/306#issuecomment-633737154 and the package maintainers are just waiting on npm to approve that the vulnerability has been patched.
I've opened a PR to update the markdown-to-jsx version here: https://github.com/styleguidist/react-styleguidist/pull/1599
kybradeck
on 26 May 2020
Related issues
stcherenkov
路
3Comments
lyz810
路
3Comments
okonet
路
3Comments
davidjb
路
3Comments
crobinson42
路
3Comments
Most helpful comment
It appears that this has been resolved: https://github.com/probablyup/markdown-to-jsx/issues/306#issuecomment-633737154 and the package maintainers are just waiting on npm to approve that the vulnerability has been patched.
I've opened a PR to update the
markdown-to-jsxversion here: https://github.com/styleguidist/react-styleguidist/pull/1599