Update marked version to 4 to avoid vulnerability #1852

Closed
mrflos opened this issue Aug 8, 2022 · 6 comments

@mrflos

mrflos commented Aug 8, 2022

Feature request

What problem does this feature solve?

The actual dependency on marked version 1.2.9 has a denial-of-service vulnerability.
cf. CVE-2022-21681
Dependabot says it will be fixed if using marked >= 4.0.10

What does the proposed API look like?

How should this be implemented in your opinion?

Are you willing to work on this yourself?

I'm not an expert in JS but I could try if needed

@juanjoDiaz

Any reason to not update marked and close the vulnerability?
This has been open for 8 months.

@trusktr
Member

trusktr commented Jul 6, 2023

There's no reason, just no one has gotten to it yet.

It may not be as simple as a version number change in package.json, may require some work, and might be a breaking change (not sure yet, but someone would need to verify it).

Note that the above CVE-2022-21681 has not been a concern. Docsify is typically a statically-served client-side application, so there isn't really anything to DoS. Thus far no one has reported any performance issues (whether by that regex or not).

It is possible someone might be using the experimental and very incomplete SSR (server-side rendering) implementation we had, in which case someone making a lot of requests to someone's SSR'd Docsify site could potentially cause a DoS, but the current version of SSR has since been removed, so DoS is no longer a possibility as we move towards a more modern Docsify.

Essentially there isn't a security concern regarding any slow regex at the moment.

EDIT: I forgot, Marked was already updated beyond the above recommended version in #1993.

But regardless, we are working to simplify and modernize Docsify and intend to update marked to the latest again. That will be tracked in

We'll close this one in favor of that one.

If someone feels like trying to update marked, please do. Any help would be welcome!

@trusktr trusktr closed this as completed Jul 6, 2023
@gmartenscb

Marked was indeed already bumped to a version higher than the security vulnerabilities. Unfortunately, this was only done on the develop branch and was actually never released just yet. So the latest version of docsify (4.13.1) is still using marked@^1.2.9, which has a security vulnerability. Any chance we can get a release with the updated version of marked?
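One way to confirm which copy of marked a site actually resolves, as an added example that is not part of the original thread or of Docsify's code: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports every installed `marked` below the 4.0.10 threshold quoted in the issue. The lockfile contents, `my-docs-site` and `some-tool` are constructed for illustration.

```javascript
// Added example (not from the thread): find installed copies of `marked`
// older than the fixed release named in the issue.
const FIXED = '4.0.10'; // threshold quoted in the issue: "marked >= 4.0.10"

// Parse MAJOR.MINOR.PATCH and note whether a prerelease tag follows.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when `version` sorts strictly before `fixed`.
function isBelow(version, fixed) {
  const a = parseVersion(version);
  const b = parseVersion(fixed);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  return a.pre && !b.pre; // e.g. 4.0.10-rc.1 sorts before 4.0.10
}

// The "packages" map is keyed by install path, so nested copies such as
// node_modules/x/node_modules/marked are checked as well as the top-level one.
function findOutdated(lock, name, fixed) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .filter(([, meta]) => isBelow(meta.version, fixed))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample lockfile (not a real project's lockfile).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-docs-site', version: '1.0.0' },
    'node_modules/docsify': { version: '4.13.1' },
    'node_modules/marked': { version: '1.2.9' },
    'node_modules/some-tool/node_modules/marked': { version: '4.3.0' },
    'node_modules/marked-terminal': { version: '5.0.0' }, // similar name, must not match
  },
};

console.log(findOutdated(sampleLock, 'marked', FIXED));
```

For a real project, pass the parsed contents of its `package-lock.json` in place of `sampleLock`.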

@trusktr
Member

trusktr commented Sep 14, 2023

v5 is coming soon.

In the meantime, what you can do is simply clone Docsify, update marked version, run the build step, and host the built file with your static site.

If someone has time to test it out for v4 prior to the breaking changes on develop (they are marked as breaking), and make a pull request for v4, we can consider that too. Personally when I circle back I will focus on the v5 release.

@gs-scooter

@trusktr - Unfortunately, attempting a build off of main branch with v4.3.0 of marked results in an error (see below). Would appreciate any ideas on how to resolve this since it's preferred to not be sitting on a high-severity vulnerability for an unknown amount of time.

lib/plugins/ga.js
lib/plugins/matomo.min.js
lib/plugins/ga.min.js
lib/plugins/disqus.min.js
lib/plugins/matomo.js
lib/plugins/external-script.min.js
lib/plugins/disqus.js
lib/plugins/gitalk.js
lib/plugins/external-script.js
lib/plugins/gitalk.min.js
lib/plugins/emoji.min.js
lib/plugins/emoji.js
lib/plugins/zoom-image.min.js
lib/plugins/zoom-image.js
lib/plugins/search.js
lib/plugins/search.min.js
lib/plugins/front-matter.min.js
lib/plugins/front-matter.js
SyntaxError: Unexpected token (2475:26)
    at Object.pp$4.raise (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:2825:15)
    at Object.pp.unexpected (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:689:10)
    at Object.pp.expect (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:683:28)
    at Object.pp$3.parseMethod (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:2609:10)
    at Object.pp$1.parseClassMethod (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:1387:25)
    at Object.pp$1.parseClassElement (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:1376:10)
    at Object.pp$1.parseClass (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:1315:26)
    at Object.pp$1.parseStatement (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:833:19)
    at Object.parseStatement (C:\dev\docsify\node_modules\acorn-dynamic-import\lib\index.js:63:118)
    at Object.pp$1.parseTopLevel (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:746:23) {
  pos: 68445,
  loc: Position {
    line: 2475,
    column: 26,
    file: 'C:\\dev\\docsify\\node_modules\\marked\\lib\\marked.esm.js'
  },
  raisedAt: 68446,
  snippet: '2471 :   constructor(options) {\n' +
    '2472 :     this.options = options || defaults;\n' +
    '2473 :   }\n' +
    '2474 : \n' +
    '2475 :   static passThroughHooks = new Set([\n' +
    '                                 ^',
  toString: [Function (anonymous)],
  plugin: 'buble',
  frame: '2471 :   constructor(options) {\n' +
    '2472 :     this.options = options || defaults;\n' +
    '2473 :   }\n' +
    '2474 : \n' +
    '2475 :   static passThroughHooks = new Set([\n' +
    '                                 ^',
  code: 'PLUGIN_ERROR',
  hook: 'transform',
  id: 'C:\\dev\\docsify\\node_modules\\marked\\lib\\marked.esm.js',
  watchFiles: [
    'C:\\dev\\docsify\\src\\core\\index.js',
    'C:\\dev\\docsify\\src\\core\\Docsify.js',
    'C:\\dev\\docsify\\src\\core\\util\\dom.js',
    'C:\\dev\\docsify\\src\\core\\global-api.js',
    'C:\\dev\\docsify\\src\\core\\config.js',
    'C:\\dev\\docsify\\src\\core\\render\\index.js',
    'C:\\dev\\docsify\\src\\core\\router\\index.js',
    'C:\\dev\\docsify\\src\\core\\event\\index.js',
    'C:\\dev\\docsify\\src\\core\\fetch\\index.js',
    'C:\\dev\\docsify\\src\\core\\virtual-routes\\index.js',
    'C:\\dev\\docsify\\src\\core\\util\\core.js',
    'C:\\dev\\docsify\\src\\core\\init\\lifecycle.js',
    'C:\\dev\\docsify\\src\\core\\util\\env.js',
    'C:\\dev\\docsify\\src\\core\\render\\slugify.js',
    'C:\\dev\\docsify\\src\\core\\render\\compiler.js',
    'C:\\dev\\docsify\\src\\core\\fetch\\ajax.js',
    'C:\\dev\\docsify\\src\\core\\util\\index.js',
    'C:\\dev\\docsify\\node_modules\\prismjs\\prism.js',
    'C:\\dev\\docsify\\node_modules\\marked\\lib\\marked.esm.js',
    'C:\\dev\\docsify\\src\\core\\router\\util.js',
    'C:\\dev\\docsify\\src\\core\\event\\scroll.js',
    'C:\\dev\\docsify\\src\\core\\render\\embed.js',
    'C:\\dev\\docsify\\node_modules\\tinydate\\dist\\tinydate.mjs',
    'C:\\dev\\docsify\\src\\core\\event\\sidebar.js',
    'C:\\dev\\docsify\\src\\core\\render\\tpl.js',
    'C:\\dev\\docsify\\src\\core\\virtual-routes\\next.js',
    'C:\\dev\\docsify\\src\\core\\virtual-routes\\exact-match.js',
    'C:\\dev\\docsify\\src\\core\\router\\history\\html5.js',
    'C:\\dev\\docsify\\src\\core\\util\\polyfill\\css-vars.js',
    'C:\\dev\\docsify\\src\\core\\router\\history\\hash.js',
    '\x00commonjsHelpers.js'
  ]
}
ERROR: "build:js" exited with 1.

@trusktr
Member

trusktr commented Jan 28, 2024

@gs-scooter If you would like to help out, ping us in Discord.
