marksy & marked have been flagged to contain a RegEx service vulnerability with CVSS score of 7.5 (High)

[ArmanNisch]

Hi,

I did a security scan of one of our project repos and storybook/addon-info@3.2.14 was flagged to contain a RegEx service vulnerability via its marksy package which itself makes use of marked

The vulnerability has a reported CVSS score of 7.5 (High).

See github.com/chjj/marked/issues/937 and this node security advisories for more details.

[danielduan]

Thanks for bringing this up @ArmanNisch

@ndelangen @Hypnosphi what do you guys think?
I don't think this matters to us because there aren't any user input data that we render in markdown. If someone creates a story to ReDoS themselves, it's not something we can help either.

[Hypnosphi]

there aren't any user input data that we render in markdown

Yeah, that's a valid point

[ndelangen]

Let's keep all packages updated, that's really the best we can do here.

I welcome other options too, as long as we're not actually putting people at risk.
Which we're not:

there aren't any user input data that we render in markdown

[danielduan]

I'm gonna close this issue then. If there are any other scenarios we left out, leave a comment for us.