Update meta-marked to latest version
Meta-marked 0.4.4, which we used from our git repository, contains a RegexDOS attack in the marked dependency. The dependency was already updated in our meta-marked repository, but not updated in yarn. This made us still vulnerable to this ReDOS, which was able to cause a DOS attack on the server when updating a note.

For details:
https://github.com/markedjs/marked/releases/tag/v0.7.0
https://github.com/markedjs/marked/pull/1515

What is a ReDOS?

A ReDOS attack is a DOS attack where an attacker targets a not-well-written regular expression. Regular expressions try to build a tree of all possibilities they can match in order to figure out if the given statement is valid or not. A ReDOS attack abuses this concept by providing a statement that doesn't match but causes extremely huge trees that simply lead to exhausting CPU usage.

For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

Credit: Huge thanks to @bitinerant for finding this and handling it with a responsible disclosure. Also thanks to the `marked`-team for fixing things already.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
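The root cause described above is a lockfile that kept resolving an old `marked` even after the dependency range was bumped. The following is an added example, not code from the CodiMD project: a small yarn.lock (v1 format) scanner that reports any resolved `marked` entry older than the 0.7.0 release that carries the fix. The lockfile text is constructed for the example; the function names are assumptions.

```javascript
// Added example (not part of the CodiMD commit): flag `marked` resolutions in a
// yarn v1 lockfile that are older than the fixed release referenced above.
const FIXED = [0, 7, 0]; // marked 0.7.0 is the release that shipped the ReDoS fix

// Parse yarn.lock v1 into [{ specifiers, version }] records.
// Header lines are unindented (`marked@^0.6.2, marked@^0.6.3:`); fields are indented.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue; // blank or comment
    if (!line.startsWith(' ')) {
      const specifiers = line.replace(/:\s*$/, '').split(',')
        .map(s => s.trim().replace(/^"|"$/g, ''));
      current = { specifiers, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Minimal major.minor.patch comparison (enough for a lockfile's resolved versions).
function parseVersion(v) {
  return v.split('.').map(n => parseInt(n, 10));
}
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Return every `marked` entry whose resolved version predates the fix.
function findVulnerableMarked(lockText) {
  return parseYarnLock(lockText)
    .filter(e => e.specifiers.some(s => /^marked@/.test(s)))
    .filter(e => e.version && lessThan(parseVersion(e.version), FIXED))
    .map(e => ({ specifiers: e.specifiers, version: e.version }));
}

// Constructed sample lockfile: one stale marked resolution, one fixed, one unrelated package.
const SAMPLE_LOCK = `
marked@^0.6.2:
  version "0.6.3"

marked@^0.7.0:
  version "0.7.0"

mermaid@~8.2.3:
  version "8.2.3"
`;
```

Run it against a real lockfile with `findVulnerableMarked(require('fs').readFileSync('yarn.lock', 'utf8'))`; an empty result means no stale `marked` resolution remains after the bump.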
@@ -82,7 +82,7 @@
"mathjax": "~2.7.0",
"mattermost": "^3.4.0",
"mermaid": "~8.2.3",
"meta-marked": "git+https://github.com/codimd/meta-marked#semver:^0.4.2",
"meta-marked": "git+https://github.com/codimd/meta-marked#semver:^0.4.5",
"method-override": "^2.3.7",
"minimist": "^1.2.0",
"minio": "^6.0.0",
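Review bot: the range bump from `^0.4.2` to `^0.4.5` only takes effect if yarn.lock is regenerated in the same change; the commit message says the earlier problem was exactly that the lockfile kept the old resolution, and the diff shown here touches only package.json, so the corresponding yarn.lock update (the meta-marked resolution and the `marked` version it pulls in) should be verified alongside this hunk.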
@@ -193,8 +193,8 @@
"mocha": "^5.2.0",
"mock-require": "^3.0.3",
"optimize-css-assets-webpack-plugin": "^5.0.0",
"sequelize-cli": "^5.4.0",
"script-loader": "^0.7.2",
"sequelize-cli": "^5.4.0",
"string-loader": "^0.0.1",
"style-loader": "^0.21.0",
"uglifyjs-webpack-plugin": "^1.2.7",
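Review bot: moving `"sequelize-cli": "^5.4.0"` below `"script-loader"` is an alphabetical reorder with no functional effect and no relation to the ReDoS fix; keeping it is fine, but the commit message does not mention it, so a one-line note there (or a separate housekeeping commit) would keep the security-relevant change easy to audit.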