Hi, All.

As you may remember, packages like gpii-handlebars and infusion-docs were recently updated so that they no longer directly depend on "marked", which had multiple long-unaddressed security vulnerabilities.

Recently, a new key contributor has stepped up to try and revive the "marked" project <https://github.com/chjj/marked/issues/956>. In less than a week, the long-stalled 0.3.7 release that includes fixes for the previous holes was released. Unfortunately, there's still a newly discovered vulnerability that will apparently be fixed in the upcoming version 0.3.9 <https://github.com/chjj/marked/pull/958>. I am following that pull, and will report back when there's an actual fix.

I have reviewed our holdings on snyk.io, and it doesn't seem that we have marked as a non-dev dependency at the moment, but I thought I'd mention it for people whose work might not have made it up there yet.

Cheers,

Tony
_______________________________________________
Architecture mailing list
https://lists.gpii.net/mailman/listinfo/architecture
