dep: update markdown-it dependency

vince-fugnitto · vince-fugnitto · commit 8b3466971c11 · 2022-01-17T21:43:59.000-05:00
The commit updates the `markdown-it` dependency in order to resolve a
moderate security vulnerability.

The change also makes `markdown-it` a shared dependency, and updates all
usages to use the shared dep instead of redefining a version in
individual `package.json`.

Signed-off-by: vince-fugnitto &lt;vincent.fugnitto@ericsson.com&gt;
diff --git a/packages/core/README.md b/packages/core/README.md
@@ -89,6 +89,7 @@ export class SomeClass {
  - [`inversify@^5.1.1`](https://www.npmjs.com/package/inversify)
  - [`lodash.debounce@^4.0.8`](https://www.npmjs.com/package/lodash.debounce)
  - [`lodash.throttle@^4.1.1`](https://www.npmjs.com/package/lodash.throttle)
+ - [`markdown-it@^12.3.2`](https://www.npmjs.com/package/markdown-it)
  - [`nsfw@^2.1.2`](https://www.npmjs.com/package/nsfw)
  - [`react@^16.8.0`](https://www.npmjs.com/package/react)
  - [`react-dom@^16.8.0`](https://www.npmjs.com/package/react-dom)
diff --git a/packages/core/package.json b/packages/core/package.json
@@ -25,6 +25,7 @@
     "@types/fs-extra": "^4.0.2",
     "@types/lodash.debounce": "4.0.3",
     "@types/lodash.throttle": "^4.1.3",
+    "@types/markdown-it": "^12.2.3",
     "@types/react": "^16.8.0",
     "@types/react-dom": "^16.8.0",
     "@types/react-virtualized": "^9.18.3",
@@ -50,7 +51,7 @@
     "keytar": "7.2.0",
     "lodash.debounce": "^4.0.8",
     "lodash.throttle": "^4.1.1",
-    "markdown-it": "^8.4.0",
+    "markdown-it": "^12.3.2",
     "nsfw": "^2.1.2",
     "p-debounce": "^2.1.0",
     "perfect-scrollbar": "^1.3.0",
@@ -92,9 +93,9 @@
       "@phosphor/signaling",
       "@phosphor/virtualdom",
       "@phosphor/widgets",
-      "@theia/application-package:@theia/application-package/index",
       "@theia/application-package/lib/api",
       "@theia/application-package/lib/environment",
+      "@theia/application-package:@theia/application-package/index",
       "fs-extra",
       "fuzzy",
       "inversify",
@@ -110,6 +111,7 @@
       "lodash.debounce as debounce",
       "lodash.throttle as throttle",
       "nsfw",
+      "markdown-it as markdownit",
       "react as React",
       "ws as WebSocket",
       "yargs"
diff --git a/packages/core/shared/markdown-it.d.ts b/packages/core/shared/markdown-it.d.ts
@@ -0,0 +1,2 @@
+import markdownit = require('markdown-it');
+export = markdownit;
diff --git a/packages/core/shared/markdown-it.js b/packages/core/shared/markdown-it.js
@@ -0,0 +1 @@
+module.exports = require('markdown-it');
diff --git a/packages/messages/package.json b/packages/messages/package.json
@@ -4,7 +4,6 @@
   "description": "Theia - Messages Extension",
   "dependencies": {
     "@theia/core": "1.21.0",
-    "markdown-it": "^8.4.0",
     "react-perfect-scrollbar": "^1.5.3",
     "ts-md5": "^1.2.2"
   },
diff --git a/packages/messages/src/browser/notification-content-renderer.ts b/packages/messages/src/browser/notification-content-renderer.ts
@@ -14,7 +14,7 @@
  * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
  ********************************************************************************/
 
-import * as markdownit from 'markdown-it';
+import * as markdownit from '@theia/core/shared/markdown-it';
 import { injectable } from '@theia/core/shared/inversify';
 
 @injectable()
diff --git a/packages/plugin-ext/package.json b/packages/plugin-ext/package.json
@@ -26,7 +26,6 @@
     "@theia/terminal": "1.21.0",
     "@theia/timeline": "1.21.0",
     "@theia/workspace": "1.21.0",
-    "@types/markdown-it": "*",
     "@types/mime": "^2.0.1",
     "decompress": "^4.2.1",
     "escape-html": "^1.0.3",
@@ -35,7 +34,6 @@
     "jsonc-parser": "^2.2.0",
     "lodash.clonedeep": "^4.5.0",
     "macaddress": "^0.2.9",
-    "markdown-it": "^8.4.0",
     "mime": "^2.4.4",
     "ps-tree": "^1.2.0",
     "request": "^2.82.0",
diff --git a/packages/plugin-ext/src/main/browser/view/tree-view-widget.tsx b/packages/plugin-ext/src/main/browser/view/tree-view-widget.tsx
@@ -42,7 +42,7 @@ import { MessageService } from '@theia/core/lib/common/message-service';
 import { View } from '../../../common/plugin-protocol';
 import CoreURI from '@theia/core/lib/common/uri';
 import { ContextKeyService } from '@theia/core/lib/browser/context-key-service';
-import * as markdownit from 'markdown-it';
+import * as markdownit from '@theia/core/shared/markdown-it';
 import { isMarkdownString } from '../../../plugin/markdown-string';
 
 export const TREE_NODE_HYPERLINK = 'theia-TreeNodeHyperlink';
diff --git a/packages/preferences/package.json b/packages/preferences/package.json
@@ -10,8 +10,7 @@
     "@theia/userstorage": "1.21.0",
     "@theia/workspace": "1.21.0",
     "async-mutex": "^0.3.1",
-    "jsonc-parser": "^2.2.0",
-    "markdown-it": "^8.4.0"
+    "jsonc-parser": "^2.2.0"
   },
   "publishConfig": {
     "access": "public"
diff --git a/packages/preferences/src/browser/views/components/preference-node-renderer.ts b/packages/preferences/src/browser/views/components/preference-node-renderer.ts
@@ -28,7 +28,7 @@ import debounce = require('@theia/core/shared/lodash.debounce');
 import { PreferenceTreeModel } from '../../preference-tree-model';
 import { PreferencesSearchbarWidget } from '../preference-searchbar-widget';
 import { WindowService } from '@theia/core/lib/browser/window/window-service';
-import * as markdownit from 'markdown-it';
+import * as markdownit from '@theia/core/shared/markdown-it';
 import * as DOMPurify from '@theia/core/shared/dompurify';
 import URI from '@theia/core/lib/common/uri';
 
diff --git a/packages/preview/package.json b/packages/preview/package.json
@@ -8,10 +8,8 @@
     "@theia/mini-browser": "1.21.0",
     "@theia/monaco": "1.21.0",
     "@types/highlight.js": "^10.1.0",
-    "@types/markdown-it": "*",
     "@types/markdown-it-anchor": "^4.0.1",
     "highlight.js": "10.4.1",
-    "markdown-it": "^8.4.0",
     "markdown-it-anchor": "~5.0.0"
   },
   "publishConfig": {
diff --git a/packages/preview/src/browser/markdown/markdown-preview-handler.ts b/packages/preview/src/browser/markdown/markdown-preview-handler.ts
@@ -21,7 +21,7 @@ import { isOSX } from '@theia/core/lib/common';
 import { Path } from '@theia/core/lib/common/path';
 
 import * as hljs from 'highlight.js';
-import * as markdownit from 'markdown-it';
+import * as markdownit from '@theia/core/shared/markdown-it';
 import * as anchor from 'markdown-it-anchor';
 import * as DOMPurify from '@theia/core/shared/dompurify';
 import { PreviewUri } from '../preview-uri';
diff --git a/packages/vsx-registry/package.json b/packages/vsx-registry/package.json
@@ -11,10 +11,8 @@
     "@theia/preferences": "1.21.0",
     "@theia/workspace": "1.21.0",
     "@types/bent": "^7.0.1",
-    "@types/markdown-it": "*",
     "@types/showdown": "^1.7.1",
     "bent": "^7.1.0",
-    "markdown-it": "^8.4.0",
     "p-debounce": "^2.1.0",
     "requestretry": "^3.1.0",
     "semver": "^5.4.1",
diff --git a/packages/vsx-registry/src/browser/vsx-extension.tsx b/packages/vsx-registry/src/browser/vsx-extension.tsx
@@ -14,7 +14,7 @@
  * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
  ********************************************************************************/
 
-import * as markdownit from 'markdown-it';
+import * as markdownit from '@theia/core/shared/markdown-it';
 import * as React from '@theia/core/shared/react';
 import * as DOMPurify from '@theia/core/shared/dompurify';
 import { injectable, inject } from '@theia/core/shared/inversify';
diff --git a/yarn.lock b/yarn.lock
@@ -2219,7 +2219,7 @@
   dependencies:
     "@types/markdown-it" "*"
 
-"@types/markdown-it@*":
+"@types/markdown-it@*", "@types/markdown-it@^12.2.3":
   version "12.2.3"
   resolved "https://registry.yarnpkg.com/@types/markdown-it/-/markdown-it-12.2.3.tgz#0d6f6e5e413f8daaa26522904597be3d6cd93b51"
   integrity sha512-GKMHFfv3458yYy+v/N8gjufHO6MSZKCOXpZc5GXIWWy8uldwfmPn98vp81gZ5f9SVw8YYBctgfJ22a2d7AOMeQ==
@@ -3037,6 +3037,11 @@ argparse@^1.0.7:
   dependencies:
     sprintf-js "~1.0.2"
 
+argparse@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/argparse/-/argparse-2.0.1.tgz#246f50f3ca78a3240f6c997e8a9bd1eac49e4b38"
+  integrity sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==
+
 array-differ@^3.0.0:
   version "3.0.0"
   resolved "https://registry.yarnpkg.com/array-differ/-/array-differ-3.0.0.tgz#3cbb3d0f316810eafcc47624734237d6aee4ae6b"
@@ -4716,10 +4721,10 @@ enquirer@^2.3.5:
   dependencies:
     ansi-colors "^4.1.1"
 
-entities@~1.1.1:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/entities/-/entities-1.1.2.tgz#bdfa735299664dfafd34529ed4f8522a275fea56"
-  integrity sha512-f2LZMYl1Fzu7YSBKg+RoROelpOaNrcGmE9AZubeDfrCEia483oW4MI4VyFd5VNHIgQ/7qm1I0wUHK1eJnn2y2w==
+entities@~2.1.0:
+  version "2.1.0"
+  resolved "https://registry.yarnpkg.com/entities/-/entities-2.1.0.tgz#992d3129cf7df6870b96c57858c249a120f8b8b5"
+  integrity sha512-hCx1oky9PFrJ611mf0ifBLBRW8lUUVRlFolb5gWRfIELabBlbp9xZvrqZLZAs+NxFnbfQoeGd8wDkygjg7U85w==
 
 env-paths@^2.2.0:
   version "2.2.1"
@@ -6831,10 +6836,10 @@ lines-and-columns@^1.1.6:
   resolved "https://registry.yarnpkg.com/lines-and-columns/-/lines-and-columns-1.2.4.tgz#eca284f75d2965079309dc0ad9255abb2ebc1632"
   integrity sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg==
 
-linkify-it@^2.0.0:
-  version "2.2.0"
-  resolved "https://registry.yarnpkg.com/linkify-it/-/linkify-it-2.2.0.tgz#e3b54697e78bf915c70a38acd78fd09e0058b1cf"
-  integrity sha512-GnAl/knGn+i1U/wjBz3akz2stz+HrHLsxMwHQGofCDfPvlf+gDKN58UtfmUquTY4/MXeE2x7k19KQmeoZi94Iw==
+linkify-it@^3.0.1:
+  version "3.0.3"
+  resolved "https://registry.yarnpkg.com/linkify-it/-/linkify-it-3.0.3.tgz#a98baf44ce45a550efb4d49c769d07524cc2fa2e"
+  integrity sha512-ynTsyrFSdE5oZ/O9GEf00kPngmOfVwazR5GKDq6EYfhlpFug3J2zybX56a2PRRpc9P+FuSoGNAwjlbDs9jJBPQ==
   dependencies:
     uc.micro "^1.0.1"
 
@@ -7132,14 +7137,14 @@ markdown-it-anchor@~5.0.0:
   resolved "https://registry.yarnpkg.com/markdown-it-anchor/-/markdown-it-anchor-5.0.2.tgz#cdd917a05b7bf92fb736a6dae3385c6d0d0fa552"
   integrity sha512-AFM/woBI8QDJMS/9+MmsBMT5/AR+ImfOsunQZTZhzcTmna3rIzAzbOh5E0l6mlFM/i9666BpUtkqQ9bS7WApCg==
 
-markdown-it@^8.4.0:
-  version "8.4.2"
-  resolved "https://registry.yarnpkg.com/markdown-it/-/markdown-it-8.4.2.tgz#386f98998dc15a37722aa7722084f4020bdd9b54"
-  integrity sha512-GcRz3AWTqSUphY3vsUqQSFMbgR38a4Lh3GWlHRh/7MRwz8mcu9n2IO7HOh+bXHrR9kOPDl5RNCaEsrneb+xhHQ==
+markdown-it@^12.3.2:
+  version "12.3.2"
+  resolved "https://registry.yarnpkg.com/markdown-it/-/markdown-it-12.3.2.tgz#bf92ac92283fe983fe4de8ff8abfb5ad72cd0c90"
+  integrity sha512-TchMembfxfNVpHkbtriWltGWc+m3xszaRD0CZup7GFFhzIgQqxIfn3eGj1yZpfuflzPvfkt611B2Q/Bsk1YnGg==
   dependencies:
-    argparse "^1.0.7"
-    entities "~1.1.1"
-    linkify-it "^2.0.0"
+    argparse "^2.0.1"
+    entities "~2.1.0"
+    linkify-it "^3.0.1"
     mdurl "^1.0.1"
     uc.micro "^1.0.5"
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+import markdownit = require('markdown-it');`
	`2`	`+export = markdownit;`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+module.exports = require('markdown-it');`