Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Npm audit security report shows marked library security vulnerability #101

Open
jarrodek opened this issue Apr 19, 2019 · 3 comments
Open

Npm audit security report shows marked library security vulnerability #101

jarrodek opened this issue Apr 19, 2019 · 3 comments

Comments

@jarrodek
Copy link

The result of running npm audit command on any of hundreds of my components:

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @polymer/iron-component-page [dev]                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @polymer/iron-component-page > @polymer/iron-doc-viewer >    │
│               │ @polymer/marked-element > marked                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/812                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

I also use this element directly, not only through iron-component-page.

I tried to fork the repo and upgrade the version but tests fails. I am not sure what was intention so I will leave it up to you to fix this. I hope it can be fixed as my security team will definitely notice alerts very soon :)
@stramel
Copy link
Collaborator

stramel commented Apr 19, 2019

I will take a look at upgrading and discuss with the Polymer team about what the plan is for this. It appears there are breaking changes between 0.3 and 0.6.

@jarrodek
Copy link
Author

Any update on this?

@navalamol
Copy link

Vulnerability for nested package "marked" has been resolved in the upgrade version.

For more information -
https://snyk.io/test/npm/@polymer/marked-element
https://snyk.io/test/npm/marked/4.0.12

Team, can you please check if this can be upgraded. It should resolve almost all vulnerabilities.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@stramel @jarrodek @navalamol