New release - marked vulnerability alert

[noraj]

It would be nice to have a new release of dosify including the current work.

Indeed, last release is v4.13.1 from Jun 24, 2023. What's annoying is that docsify v4.13.1 was using marked v1.2.9

docsify/package.json

Line 68 in 862b100

"marked": "^1.2.9",

So any project using docsify on github right now, have 3 vulnerability alerts opened:

• GHSA-5v2h-r2cx-5xgj - Inefficient Regular Expression Complexity in marked - CVE-2022-21681
  • ex: https://github.com/noraj/unisec/security/dependabot/5
• GHSA-4r62-v4vq-hr96 - Regular Expression Denial of Service (REDoS) in Marked - CVE-2021-21306
  • ex: https://github.com/noraj/unisec/security/dependabot/3
• GHSA-rrrm-qjm4-v8hf - Inefficient Regular Expression Complexity in marked - CVE-2022-21680
  • ex: https://github.com/noraj/unisec/security/dependabot/4

Even if not really vulnerable, that makes tons of projects receiving 3 false positive vulnerability alerts. And since no newer release is available, one can't "path" other than dismissing the alert.

It's already fixed since now docsify uses marked v14.1.0, we just are lacking a newer release.

https://github.com/docsifyjs/docsify/blob/ceb466ca9c29bec775f4ebda449f8ea40a5453df/package.json#L73C6-L73C13

[Koooooo-7]

Hi @noraj , thx for you mention on this.
The new release may take a time to confirm with the members.
I will sync with you when the release decision set done asap.

[asinghal]

hi, any news on this? it will be good to have the updated dependency for marked published asap.

[sy-records]

Planned release in the near future.