Vulnerable dependencies

[andysm1th]

The following 2 dependencies used by redoc have security vulnerabilities:

marked Regular Expression Denial of Service (ReDoS)
CWE-1333
CVSS 5.9 MEDIUM

json-pointer Prototype Pollution
CWE-1321
CVE-2021-23820
CVSS 5.6

[damianobarbati]

Any solution to this?

[rajeshsusai]

I believe marked has been updated to address that vulnerability, this repo would need a PR to update to the newer version.

The json-pointer package has an open PR to address the Prototype Pollution vulnerability, but it appears to be blocked: manuelstofer/json-pointer#36

[jonathan-codaio]

Hi folks! Any update updating this repo and redoc-cli to use the newer version of marked?

There is a new vulnerability in marked: GHSA-5v2h-r2cx-5xgj

We are unable to work around this one as we have in the past because it appears that redoc and redoc-cli produce build errors when we force a resolution of marked to 4.0.10.

As these are high severity vulnerabilities, any chance this could be looked into? Thanks!

[vjwilson]

Bumping this for json-pointer

Someone has forked that repo and then published a "json-pointer-community" package with the vuln fixed in it.

Is it possible for Redoc to switch to using the updated fork?

Comment announcing the fork in original issue
New package with fix

[JackElderProscia]

The owner of json-pointer has merged a vulnerability fix and published a new version.

Linking @crenshaw-dev's PR: #1910

[crenshaw-dev]

Looks like rc64 patches the issue?

[AlexVarchuk]

marked updated to 4.0.10 and json-pointer to 0.6.2 in version 2.0.0-rc.64

[AlexVarchuk]

seems it is resolved. If someone has questions/enhancements about that issue, please reopen it and let us know. Thanks.