markdown-it@8.4.2 vulnerabilities

markdown-it is a modern pluggable markdown parser.

Affected versions of this package are vulnerable to Infinite loop in linkify inline rule when using malformed input.

Upgrade markdown-it to version 13.0.2 or higher.

markdown-it is a modern pluggable markdown parser.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the /s+$/ in line 23 of lib/rules_inline/newline.js. This expression is used to remove trailing whitespaces from a string, however, it also matches non-trailing whitespaces. In the worst-case scenario, the matching process would take computation time proportional to the square of the length of the non-trailing whitespaces. It is possible that a string containing more than tens of thousands characters, as markdown-it handles Markdown, would be passed over the network, resulting in significant computational time.

Upgrade markdown-it to version 12.3.2 or higher.

markdown-it is a modern pluggable markdown parser.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Parsing __*_… takes quadratic time, this could be a denial of service vulnerability in an application that parses user input.

Upgrade markdown-it to version 10.0.0 or higher.