microsoft/just

security vulnerabilities in marked package

imjuni opened this issue · 5 comments

Hi, my development environment and GitHub repo show the security vulnerability issue below,

just-script-audit

environment

  • win32, macosx
  • npm 8.11.0
  • node 16.16.0

issue

The latest version of marked-terminal is 5.1.1. Does it have some migration issue?

It looks like your version of just-scripts is outdated. Try updating that first.

@ecraig12345 Hi,

I updated 2.0.2 > 2.0.4, but it raises the same problem.

Screen capture 2022-09-15 195203

Hello @ecraig12345 is there any chance someone could revisit this and bump marked-terminal soon? It's creating issues in my team and a large number of dependencies we rely on.

Thanks a bunch.

This is fixed now (published as just-scripts-utils@1.2.1 and just-scripts@2.1.1), but there are a couple of things that I think are important to understand about this situation as it relates to evaluating security alerts in general.

First is that in practice, the impact of "inefficient regular expression complexity" or "regular expression denial of service" vulnerabilities on build tools is pretty low, since the worst thing that could happen is hanging builds (and temporarily reducing productivity while the issue is investigated). They're mainly a concern in the context of web servers, where they could cause denial of service. This is one of the things that makes the npm audit system a lot less useful: it has no way to understand the usage target of a package and downgrade or remove alerts that don't apply, or to allow consuming package owners to mark alerts which don't apply to their usage.

Second is that ironically, after digging into the code, I realized this issue actually had zero possible impact on just-scripts or just-task: the only function using marked or marked-terminal is prettyPrintMarkdown, which is no longer used anywhere (either in just packages, or in fact even anywhere on GitHub besides outdated just forks). So I'm going to make another change removing that function and related deps.

Thank you @ecraig12345 !