Security Vulnerabilities

[bennycode]

I installed docsify-cli v4.4.4 and got several security reports in my repo:

• Inefficient Regular Expression Complexity in marked: [email protected] requires marked@^1.2.9 via a transitive dependency on [email protected] [email protected] requires marked@^4.3.0
• Got allows a redirect to a UNIX socket: [email protected] requires got@^9.6.0 via a transitive dependency on [email protected]
• Regular Expression Denial of Service (REDoS) in Marked: [email protected] requires marked@^1.2.9 via a transitive dependency on [email protected] [email protected] requires marked@^4.3.0

[yonjans]

Same +1

[adamlui]

Same +1, for marked it now says "The earliest fixed version is 4.0.10."

For got "Got allows a redirect to a UNIX socket" the earliest fixed version is 11.8.5

[prabhu]

update-notifier is resulting in a got vulnerability. I honestly cannot understand why this CLI even needs an update notifier, or such extra fancy features as direct dependencies.

[erika9star]

The fixed version of update-notifier is incompatible with docsify-cli (ECMAscript vs vanilla JS). Removing update-notifier is probably the easiest way to eliminate the vulnerabilities.