Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove dependency on string@3.3.3 which has a security vulnerability (ReDos) #29

Closed
lgodmer opened this issue Jun 29, 2018 · 2 comments
Closed

Remove dependency on string@3.3.3 which has a security vulnerability (ReDos) #29

lgodmer opened this issue Jun 29, 2018 · 2 comments

Comments

@lgodmer
Copy link

lgodmer commented Jun 29, 2018

There is a security vulnerability in string@3.3.3 which causes it to be flagged by tools like snyk.
jprichardson/string.js#212

The vulnerable methods in string@3.3.3 are not used by this project, however it still causes warnings from automated tooling. The issue has been discussed in the string.js repo for over 6 months and there is no traction there on a fix.

Consider switching to slugify (https://www.npmjs.com/package/slugify) instead, which does not have any open security vulnerabilities.
@martinlissmyr martinlissmyr mentioned this issue Jun 30, 2018
Merged
@martinlissmyr
Copy link
Collaborator

Fixed by https://github.com/Oktavilla/markdown-it-table-of-contents/releases/tag/v0.4.0 ... Thanks!

@lgodmer
Copy link
Author

lgodmer commented Jul 2, 2018

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@martinlissmyr @lgodmer