-
There are amazing extensions from the community for marp-cli, such as @kazumatu981/markdown-it-kroki or yhatt / hide-slides-plugin.js. But how can they be enabled in marp-vscode? Is it not possible? Can it be a feature request for marp-vscode?
-
Marp for VS Code is explicitly designed to prevent the use of the Marp plugin to avoid security issues.
A Marp plugin is designed to run on Node.js, so it's possible to do anything on Node.js beyond extending Marp. So if we support Marp plugins, it's possible to execute arbitrary code on your machine by installing a malicious plugin that pretends to be a Marp plugin. A similar case has already been reported in the ESLint extension for VS Code as CVE-2020-1416.
In particular, Marp for VS Code is often used by users who don't focus on development, and they may introduce the extension as an alternative to the classic Marp GUI app. Therefore, it's easy to introduce a plugin without understanding the details, which can lead to security risks. To minimize such risks, we have decided not to support Marp plugins in the extension.
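The point made in the answer above (a plugin is ordinary Node.js code that runs with the full authority of the host process) shown as an added example; it is not part of the original thread and is not Marp or markdown-it code. `StubEngine`, `headingPlugin` and `loadWithPlugin` are hypothetical stand-ins, and the markdown input is constructed.

```javascript
// Constructed stand-in for an engine with a markdown-it style use() hook.
// Hypothetical: this is not Marp's or markdown-it's implementation.
class StubEngine {
  constructor() {
    this.rules = []
  }
  use(plugin, ...opts) {
    plugin(this, ...opts) // the plugin body runs here, inside the host process
    return this
  }
  render(text) {
    return this.rules.reduce((out, rule) => rule(out), text)
  }
}

// What the plugin could reach while being installed (recorded, never sent).
const reach = {}

// Hypothetical plugin whose advertised feature is upper-casing "# " headings.
function headingPlugin(md) {
  md.rules.push((text) =>
    text.replace(/^# (.*)$/gm, (_, title) => `# ${title.toUpperCase()}`)
  )
  // Nothing confines the function to that feature: it has ambient authority.
  reach.envVarCount = Object.keys(process.env).length // env often holds tokens
  reach.cwd = process.cwd() // location of the user's workspace
  reach.canSignalProcesses = typeof process.kill === 'function'
  reach.canExitHost = typeof process.exit === 'function'
}

function loadWithPlugin(markdown) {
  const engine = new StubEngine().use(headingPlugin)
  return { output: engine.render(markdown), reach }
}

const demo = loadWithPlugin('# intro\nbody text') // constructed sample input
console.log(demo.output)
console.log(demo.reach)
```

The rendered output looks exactly like what the advertised feature promises, which is why the extra reach of the plugin function is invisible to a user who only checks the slides.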
-
Many thanks for your detailed answer @yhatt. 🙂 However, I am still considering an alternative for those who want to use extensions and preview changes in the VSCode environment when editing. The following came to me. What about leet users editing the marp-vscode build command line in the vscode JSON settings? By doing this, it will be the responsibility of the user who changes from the default marp-vscode build command and sets it wherever marp-cli wants to use it. I think this flexibility of editing the build command for a preview is a common practice in the vscode community. Will that be possible? What do you think?