Cross-site Scripting (XSS) via Data URIs - snyk notifications

[knoxcard]

✗ High severity vulnerability found on [email protected]

• desc: Cross-site Scripting (XSS) via Data URIs
• info: https://snyk.io/vuln/npm:marked:20170112
• from: [email protected] > [email protected]
  Fix: None available. Consider removing this dependency.

✗ High severity vulnerability found on [email protected]

• desc: Cross-site Scripting (XSS) via Data URIs
• info: https://snyk.io/vuln/npm:marked:20170112
• from: [email protected] > [email protected] > [email protected]
  Fix: None available. Consider removing this dependency.

✗ High severity vulnerability found on [email protected]

• desc: Cross-site Scripting (XSS) via Data URIs
• info: https://snyk.io/vuln/npm:marked:20170112
• from: [email protected] > [email protected] > [email protected] > [email protected]
  Fix: None available. Consider removing this dependency.

[matt-]

We are waiting for #844 to be pushed by the maintainer.

[matt-]

I am keeping this one open until the change is pushed, but I wanted to rename the ticket to make it more search friendly.

[matt-snider]

This seems important enough to cut a new release for. Any reason that isn't being done?

[stramel]

@chjj @matt- @paulirish Any word on getting a tag for this fix?

[the-t-in-rtf]

0.3.7 finally came out, and did include the previous submitted fixes. Unfortunately, there's still one high-severity vulnerability that is supposed to be addressed by the upcoming 0.3.9 release.

[joshbruce]

Believe 0.3.9 corrects all these issues. Please confirm and comment, if incorrect.