Update to marked 4 to prevent security issues

wise-king-sullyman · wise-king-sullyman · commit ef37fca2b446 · 2025-02-14T15:44:12.000-05:00
diff --git a/packages/dev/package.json b/packages/dev/package.json
@@ -22,7 +22,7 @@
     "react-dom": "^16.14.0",
     "react-i18next": "^11.7.3",
     "react-router-dom": "^5.2.0",
-    "marked": "^3.0.0",
+    "marked": "^4.0.0",
     "lodash-es": "^4.17.21"
   },
   "devDependencies": {
diff --git a/packages/module/package.json b/packages/module/package.json
@@ -48,7 +48,7 @@
     "@patternfly/react-core": ">=4.115.2",
     "react": ">=16.8.0",
     "react-dom": ">=16.8.0",
-    "marked": "^15.0.6"
+    "marked": "^4.0.0"
   },
   "dependencies": {
     "@patternfly/react-catalog-view-extension": "^4.93.15",
diff --git a/packages/module/src/ConsoleInternal/components/markdown-view.tsx b/packages/module/src/ConsoleInternal/components/markdown-view.tsx
@@ -1,6 +1,6 @@
 import * as React from 'react';
 import { css } from '@patternfly/react-styles';
-import { parse } from 'marked';
+import { marked } from 'marked';
 import { useForceRender } from '@console/shared';
 import { QuickStartContext, QuickStartContextValues } from '../../utils/quick-start-context';
 import './_markdown-view.scss';
@@ -53,7 +53,7 @@ export const markdownConvert = async (markdown: string, extensions?: ShowdownExt
 
   // Replace code fences with non markdown formatting relates tokens so that marked doesn't try to parse them as code spans
   const markdownWithSubstitutedCodeFences = markdown.replace(/```/g, '@@@');
-  const parsedMarkdown = await parse(markdownWithSubstitutedCodeFences);
+  const parsedMarkdown = await marked.parse(markdownWithSubstitutedCodeFences);
   // Swap the temporary tokens back to code fences before we run the extensions
   let md = parsedMarkdown.replace(/@@@/g, '```');
 
diff --git a/packages/module/src/declaration.d.ts b/packages/module/src/declaration.d.ts
@@ -1,2 +1,3 @@
 declare module '*.scss';
 declare module '*.json';
+declare module 'marked';
diff --git a/yarn.lock b/yarn.lock
@@ -10645,10 +10645,10 @@ markdown-table@^2.0.0:
   dependencies:
     repeat-string "^1.0.0"
 
-marked@^3.0.0:
-  version "3.0.8"
-  resolved "https://registry.yarnpkg.com/marked/-/marked-3.0.8.tgz#2785f0dc79cbdc6034be4bb4f0f0a396bd3f8aeb"
-  integrity sha512-0gVrAjo5m0VZSJb4rpL59K1unJAMb/hm8HRXqasD8VeC8m91ytDPMritgFSlKonfdt+rRYYpP/JfLxgIX8yoSw==
+marked@^4.0.0:
+  version "4.3.0"
+  resolved "https://registry.yarnpkg.com/marked/-/marked-4.3.0.tgz#796362821b019f734054582038b116481b456cf3"
+  integrity sha512-PRsaiG84bK+AMvxziE/lCFss8juXjNaWzVbN5tXAm4XjeaS9NAHhop+PjQxz2A9h8Q4M/xGmzP8vqNwy6JeK0A==
 
 matcher-collection@^2.0.0:
   version "2.0.1"

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`declare module '*.scss';`
`2`	`2`	`declare module '*.json';`
	`3`	`+declare module 'marked';`