Comments (3)
you're right, but nevertheless my company can't pass the external security inspection because of this...
from md-to-pdf.
OK, but just so you're aware, there's no way to actually exploit this vulnerability, since as an end user you don't have any control over the input that is vulnerable (requested path). So in that sense this vulnerability doesn't apply to your code already.
These vulnerability reports are generally overrated, and it would be appreciated if you only open an issue about it if you can confirm that the vulnerability is relevant (:
I just checked... 1) there are no updates available for `serve-handler`, and 2) I don't even have this vulnerable `minimatch` version installed in this project... as you can see here:
Lines 17180 to 17187 in b3ffa7d
This defines 3.1.2 as the version to be installed/used, and in the following lines you can see that this is also the version that `serve-handler` requires:
Lines 17180 to 17187 in b3ffa7d
What you probably have is that your own lock-file has this outdated `minimatch` version pinned... I assume you can fix this by running `npm upgrade` (or `yarn upgrade` would be equivalent) without any arguments, which will upgrade all available package updates that are in-range for your project. Or if you don't want to touch everything, you can try `npm upgrade minimatch` as well.
BTW if your company benefits from this project and would be able to sponsor me even in the slightest form, that would be greatly appreciated and mean that I can more actively support you (:
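As an added example (not the maintainer's code and not part of md-to-pdf), here is a small Node.js script that does the check the reply above walks through by hand: it lists every resolved copy of a package in an npm lockfile and reports the ones pinned below a given version. The sample lockfile and its versions are constructed for illustration, and `findPackageVersions`, `versionBelow` and `vulnerablePins` are hypothetical helper names.

```javascript
// Added example, not md-to-pdf's own code: list every resolved version of a package
// in an npm lockfile to check whether a flagged version is really pinned in your tree.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" map).
function findPackageVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    // v2/v3: keys look like "node_modules/serve-handler/node_modules/minimatch"
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.split('node_modules/').pop() === name && entry.version) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // v1: nested tree, recurse through each entry's own "dependencies"
    const walk = (deps, prefix) => {
      for (const [dep, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name && entry.version) found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Numeric major.minor.patch comparison (no prerelease tags): true when a < b.
function versionBelow(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}
// Entries of `name` pinned below `fixedVersion`; an empty result means the advisory
// does not apply to this lockfile, whatever the scanner's generic report says.
function vulnerablePins(lock, name, fixedVersion) {
  return findPackageVersions(lock, name).filter((e) => versionBelow(e.version, fixedVersion));
}
// Constructed sample lockfile (lockfileVersion 3), not a real project's: the root
// resolves minimatch 3.1.2, but a nested copy under serve-handler is older.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-project', version: '1.0.0' },
    'node_modules/minimatch': { version: '3.1.2' },
    'node_modules/serve-handler/node_modules/minimatch': { version: '3.0.4' },
  },
};
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` as `lock`; `npm ls minimatch` shows the same nesting from the CLI.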