Skip to content

fix(deps): update dependency marked to v4 [security]#2701

Open
renovate[bot] wants to merge 1 commit into
devfrom
renovate/npm-marked-vulnerability
Open

fix(deps): update dependency marked to v4 [security]#2701
renovate[bot] wants to merge 1 commit into
devfrom
renovate/npm-marked-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 15, 2026
edited by Yakutoc
Loading

This PR contains the following updates:

Package Change Age Confidence
marked (source) 3.0.74.0.10 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Inefficient Regular Expression Complexity in marked

CVE-2022-21680 / GHSA-rrrm-qjm4-v8hf

More information

Details

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings.
PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Inefficient Regular Expression Complexity in marked

CVE-2022-21681 / GHSA-5v2h-r2cx-5xgj

More information

Details

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

markedjs/marked (marked)

v4.0.10

Compare Source

Bug Fixes
  • security: fix redos vulnerabilities (8f80657)

v4.0.9

Compare Source

Bug Fixes

v4.0.8

Compare Source

Bug Fixes

v4.0.7

Compare Source

Bug Fixes

v4.0.6

Compare Source

Bug Fixes

v4.0.5

Compare Source

Bug Fixes

v4.0.4

Compare Source

Bug Fixes

v4.0.3

Compare Source

Bug Fixes

v4.0.2

Compare Source

Bug Fixes

v4.0.1

Compare Source

Bug Fixes

v4.0.0

Compare Source

Bug Fixes
BREAKING CHANGES
  • Default export removed. Use import { marked } from 'marked' or const { marked } = require('marked') instead.
  • /lib/marked.js removed. Use /marked.min.js in script tag instead.
  • When using marked in a script tag use marked.parse(...) instead of marked(...)

v3.0.8

Compare Source

Bug Fixes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

📦 Published PR as canary version: Canary Versions

✨ Test out this PR locally via:

npm install @salutejs/plasma-asdk@0.373.1-canary.2701.25021969855.0
npm install @salutejs/plasma-b2c@1.615.1-canary.2701.25021969855.0
npm install @salutejs/plasma-core@1.223.1-canary.2701.25021969855.0
npm install @salutejs/plasma-giga@0.342.1-canary.2701.25021969855.0
npm install @salutejs/plasma-homeds@0.342.1-canary.2701.25021969855.0
npm install @salutejs/plasma-hope@1.369.1-canary.2701.25021969855.0
npm install @salutejs/plasma-icons@1.235.1-canary.2701.25021969855.0
npm install @salutejs/plasma-new-hope@0.359.1-canary.2701.25021969855.0
npm install @salutejs/plasma-tokens@1.135.1-canary.2701.25021969855.0
npm install @salutejs/plasma-ui@1.345.1-canary.2701.25021969855.0
npm install @salutejs/plasma-web@1.617.1-canary.2701.25021969855.0
npm install @salutejs/sdds-bizcom@0.347.1-canary.2701.25021969855.0
npm install @salutejs/sdds-cs@0.351.1-canary.2701.25021969855.0
npm install @salutejs/sdds-dfa@0.345.1-canary.2701.25021969855.0
npm install @salutejs/sdds-finai@0.338.1-canary.2701.25021969855.0
npm install @salutejs/sdds-insol@0.342.1-canary.2701.25021969855.0
npm install @salutejs/sdds-netology@0.346.1-canary.2701.25021969855.0
npm install @salutejs/sdds-os@0.17.1-canary.2701.25021969855.0
npm install @salutejs/sdds-platform-ai@0.346.1-canary.2701.25021969855.0
npm install @salutejs/sdds-sbcom@0.346.1-canary.2701.25021969855.0
npm install @salutejs/sdds-scan@0.345.1-canary.2701.25021969855.0
npm install @salutejs/sdds-serv@0.346.1-canary.2701.25021969855.0
npm install @salutejs/core-themes@0.24.1-canary.2701.25021969855.0
npm install @salutejs/plasma-themes@0.47.1-canary.2701.25021969855.0
npm install @salutejs/sdds-themes@0.62.1-canary.2701.25021969855.0
npm install @salutejs/sdds-api-tests@0.4.1-canary.2701.25021969855.0
npm install @salutejs/plasma-cy-utils@0.153.1-canary.2701.25021969855.0
npm install @salutejs/plasma-sb-utils@0.223.1-canary.2701.25021969855.0
# or 
yarn add @salutejs/plasma-asdk@0.373.1-canary.2701.25021969855.0
yarn add @salutejs/plasma-b2c@1.615.1-canary.2701.25021969855.0
yarn add @salutejs/plasma-core@1.223.1-canary.2701.25021969855.0
yarn add @salutejs/plasma-giga@0.342.1-canary.2701.25021969855.0
yarn add @salutejs/plasma-homeds@0.342.1-canary.2701.25021969855.0
yarn add @salutejs/plasma-hope@1.369.1-canary.2701.25021969855.0
yarn add @salutejs/plasma-icons@1.235.1-canary.2701.25021969855.0
yarn add @salutejs/plasma-new-hope@0.359.1-canary.2701.25021969855.0
yarn add @salutejs/plasma-tokens@1.135.1-canary.2701.25021969855.0
yarn add @salutejs/plasma-ui@1.345.1-canary.2701.25021969855.0
yarn add @salutejs/plasma-web@1.617.1-canary.2701.25021969855.0
yarn add @salutejs/sdds-bizcom@0.347.1-canary.2701.25021969855.0
yarn add @salutejs/sdds-cs@0.351.1-canary.2701.25021969855.0
yarn add @salutejs/sdds-dfa@0.345.1-canary.2701.25021969855.0
yarn add @salutejs/sdds-finai@0.338.1-canary.2701.25021969855.0
yarn add @salutejs/sdds-insol@0.342.1-canary.2701.25021969855.0
yarn add @salutejs/sdds-netology@0.346.1-canary.2701.25021969855.0
yarn add @salutejs/sdds-os@0.17.1-canary.2701.25021969855.0
yarn add @salutejs/sdds-platform-ai@0.346.1-canary.2701.25021969855.0
yarn add @salutejs/sdds-sbcom@0.346.1-canary.2701.25021969855.0
yarn add @salutejs/sdds-scan@0.345.1-canary.2701.25021969855.0
yarn add @salutejs/sdds-serv@0.346.1-canary.2701.25021969855.0
yarn add @salutejs/core-themes@0.24.1-canary.2701.25021969855.0
yarn add @salutejs/plasma-themes@0.47.1-canary.2701.25021969855.0
yarn add @salutejs/sdds-themes@0.62.1-canary.2701.25021969855.0
yarn add @salutejs/sdds-api-tests@0.4.1-canary.2701.25021969855.0
yarn add @salutejs/plasma-cy-utils@0.153.1-canary.2701.25021969855.0
yarn add @salutejs/plasma-sb-utils@0.223.1-canary.2701.25021969855.0

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 15, 2026

Theme Builder app deployed!

https://plasma.sberdevices.ru/pr/plasma-theme-builder-pr-2701/

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 15, 2026

Documentation preview deployed!

website: https://plasma.sberdevices.ru/pr/pr-2701/
b2c storybook: https://plasma.sberdevices.ru/pr/pr-2701/b2c-storybook/
giga storybook: https://plasma.sberdevices.ru/pr/pr-2701/giga-storybook/
homeds storybook: https://plasma.sberdevices.ru/pr/pr-2701/homeds-storybook/
ui storybook: https://plasma.sberdevices.ru/pr/pr-2701/ui-storybook/
web storybook: https://plasma.sberdevices.ru/pr/pr-2701/web-storybook/
sdds-bizcom storybook: https://plasma.sberdevices.ru/pr/pr-2701/sdds-bizcom-storybook/
sdds-cs storybook: https://plasma.sberdevices.ru/pr/pr-2701/sdds-cs-storybook/
sdds-dfa storybook: https://plasma.sberdevices.ru/pr/pr-2701/sdds-dfa-storybook/
sdds-finai storybook: https://plasma.sberdevices.ru/pr/pr-2701/sdds-finai-storybook/
sdds-insol storybook: https://plasma.sberdevices.ru/pr/pr-2701/sdds-insol-storybook/
sdds-netology storybook: https://plasma.sberdevices.ru/pr/pr-2701/sdds-netology-storybook/
sdds-platform-ai storybook: https://plasma.sberdevices.ru/pr/pr-2701/sdds-platform-ai-storybook/
sdds-scan storybook: https://plasma.sberdevices.ru/pr/pr-2701/sdds-scan-storybook/
sdds-serv storybook: https://plasma.sberdevices.ru/pr/pr-2701/sdds-serv-storybook/

@renovate renovate Bot changed the title fix(deps): update dependency marked to v4 [security] fix(deps): update dependency marked to v4 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/npm-marked-vulnerability branch April 27, 2026 17:49
@renovate renovate Bot changed the title fix(deps): update dependency marked to v4 [security] - autoclosed fix(deps): update dependency marked to v4 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-marked-vulnerability branch from 365d157 to c8ce479 Compare April 27, 2026 22:02
@renovate renovate Bot force-pushed the renovate/npm-marked-vulnerability branch from c8ce479 to 365d157 Compare April 27, 2026 22:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Yeti-or Yeti-or Awaiting requested review from Yeti-or Yeti-or is a code owner

@neretin-trike neretin-trike Awaiting requested review from neretin-trike neretin-trike is a code owner

@Yakutoc Yakutoc Awaiting requested review from Yakutoc Yakutoc is a code owner

@TitanKuzmich TitanKuzmich Awaiting requested review from TitanKuzmich TitanKuzmich is a code owner

@shuga2704 shuga2704 Awaiting requested review from shuga2704 shuga2704 is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants