marked dependency is insecure version

[anselmbradford]

https://nvd.nist.gov/vuln/detail/CVE-2017-17461
https://nvd.nist.gov/vuln/detail/CVE-2017-1000427

Suggested update marked ~> 0.3.9.

[thijstriemstra]

Running into same issue, can a new jsdoc be released with a marked 0.3.9?

[wuhanyumsft]

The same issue here.

[Radiergummi]

Hearing the Github announcement of security vulnerability notifications, I've already wondered what it will be if a commonly used dependency of a commonly used dependency has a security problem... here we are, with possibly thousands of projects affected! 😄

[fgm]

A temporary solution can be to add an explicit dependency to marked ~0.3.9 on dependent projects. With Yarn and reasonably recent versions of NPM, a single version of marked will be used and will actually be 0.3.9, which works around the problem.