[GH-ISSUE #478] Security concern in v0.25.0 due to markdown-it dependency #393

Closed
opened 2026-03-03 01:26:30 +03:00 by kerem · 2 comments

Originally created by @ericcornelissen on GitHub (Jan 11, 2022).
Original GitHub issue: https://github.com/DavidAnson/markdownlint/issues/478

Hi markdownlint maintainers and community 👋

I want to raise a security vulnerability (concern?[^1]) for the community in the latest published version (`markdownlint@v0.25.0`) related to [`markdown-it`](https://github.com/DavidAnson/markdownlint/blob/02707cf2702127f928e99919127ef703abf03f65/package.json#L50).

References:

- [SNYK-JS-MARKDOWNIT-2331914](https://security.snyk.io/vuln/SNYK-JS-MARKDOWNIT-2331914)
- [GHSA-6vfc-qv3f-vr6c](https://github.com/advisories/GHSA-6vfc-qv3f-vr6c)
- [CVE-2022-21670](https://nvd.nist.gov/vuln/detail/CVE-2022-21670)
- https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101

Since `markdown-it` is pinned at `12.3.0` it is not possible for users of `markdownlint` to upgrade to the latest version of `markdown-it`, `12.3.2`, that contains a fix. From this perspective allowing a range of versions, e.g. `^12.3.0`, for (non-dev) dependencies would be beneficial to users.

Thank you in advance!

[^1]: I'd classify the vulnerability as low risk for markdownlint since, presumably, in most instances users will have full control over the MarkDown they're going to lint. However, I don't think that discredits the issue entirely.
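The pinning point above, as an added example that is not part of the original issue or of markdownlint's own code: a small script that flags runtime dependencies pinned to an exact version in a package.json and shows, with a minimal caret-range check, why `12.3.0` blocks the patched `12.3.2` while `^12.3.0` admits it. The package.json contents and the `some-lib`/`eslint` entries are constructed for the example.

```javascript
// Added example, not markdownlint's code. The package.json below is
// constructed; the markdown-it versions mirror the ones in this issue.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-consumer",
  dependencies: { "markdown-it": "12.3.0", "some-lib": "^2.1.0" },
  devDependencies: { eslint: "8.6.0" }
});

// Parse "MAJOR.MINOR.PATCH" into numbers; returns null for anything else
// (so a range such as "^2.1.0" is not mistaken for an exact pin).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Minimal semver check covering exact pins and caret ranges ("^x.y.z").
// A caret range accepts any version >= x.y.z with the same major; for
// major 0 it also requires the same minor (the 0.0.x special case is
// omitted here). Real projects should use the `semver` package instead.
function satisfies(version, range) {
  const want = parseVersion(range.replace(/^\^/, ""));
  const have = parseVersion(version);
  if (!want || !have) return false;
  if (!range.startsWith("^")) return want.every((n, i) => n === have[i]);
  if (have[0] !== want[0]) return false;
  if (want[0] === 0 && have[1] !== want[1]) return false;
  // Compare [major, minor, patch] lexicographically against the floor.
  for (let i = 0; i < 3; i++) {
    if (have[i] > want[i]) return true;
    if (have[i] < want[i]) return false;
  }
  return true; // exactly the floor version
}

// Report runtime (non-dev) dependencies pinned to an exact version, with
// the caret range that would let consumers pick up patch releases.
function findExactPins(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  return Object.entries(pkg.dependencies || {})
    .filter(([, range]) => parseVersion(range) !== null)
    .map(([name, range]) => ({ name, range, suggested: "^" + range }));
}

for (const pin of findExactPins(SAMPLE_PACKAGE_JSON)) {
  console.log(`${pin.name} is pinned to ${pin.range}; consider ${pin.suggested}`);
}
```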
kerem 2026-03-03 01:26:30 +03:00

@DavidAnson commented on GitHub (Jan 12, 2022):

I agree with your assessment of this as being low risk, especially as denial of service attacks are more of a nuisance than a security threat. That said, it's easy enough to update and I will do so soon.


@ericcornelissen commented on GitHub (Jan 13, 2022):

Small update, the issue now has an official CVE. I updated the issue description accordingly.

Because it now has a CVE it'll show up in the `npm audit` output and automation tools like Dependabot will start flagging it as well.
