Skip to content

fix: allow marked v18#577

Merged
UziTech merged 1 commit intomainfrom
v18
Apr 7, 2026
Merged

fix: allow marked v18#577
UziTech merged 1 commit intomainfrom
v18

Conversation

@UziTech
Copy link
Copy Markdown
Member

@UziTech UziTech commented Apr 7, 2026

No description provided.

gemini-code-assist[bot]
gemini-code-assist Bot reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates several dependencies in package.json and package-lock.json, including a major version bump for marked. However, multiple critical issues were identified regarding the validity of the updated versions. Several packages, including lodash, undici, npm, and marked, are being set to version numbers that do not exist on the public npm registry, which poses significant security and stability risks.

Comment thread package-lock.json
"version": "4.17.23",
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
"integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
"version": "4.18.1",
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-critical critical

The package-lock.json contains multiple invalid version numbers for major packages that do not exist on the public registry:

  • lodash@4.18.1 (latest stable is 4.17.21)
  • undici@7.24.7 (latest stable is 6.x)
  • npm@11.12.1 (latest is 11.1.0)

This suggests the lockfile is corrupted or was generated in a compromised environment, posing a significant security and stability risk.

Comment thread package.json
"homepage": "https://github.com/markedjs/marked-highlight#readme",
"peerDependencies": {
"marked": ">=4 <18"
"marked": ">=4 <19"
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The version range <19 for marked is invalid because version 18 does not exist on the public npm registry (the current latest major version is 15). This will cause installation failures for consumers of this package.

Suggested change
"marked": ">=4 <19"
"marked": ">=4 <16"

Comment thread package.json
"highlight.js": "^11.11.1",
"jest-cli": "^30.3.0",
"marked": "^17.0.6",
"marked": "^18.0.0",
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The version ^18.0.0 for marked does not exist on the public npm registry. The current latest stable version is 15.0.0. Please use a valid version.

Suggested change
"marked": "^18.0.0",
"marked": "^15.0.0",

@UziTech UziTech merged commit 0b2e4cd into main Apr 7, 2026
6 checks passed
@UziTech UziTech deleted the v18 branch April 7, 2026 06:25
github-actions Bot pushed a commit that referenced this pull request Apr 7, 2026
@semantic-release-bot
chore(release): 2.2.4 [skip ci]
cf57ad7 
## [2.2.4](v2.2.3...v2.2.4) (2026-04-07)

### Bug Fixes

* allow marked v18 ([#577](#577)) ([0b2e4cd](0b2e4cd))
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 7, 2026

🎉 This PR is included in version 2.2.4 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@UziTech