Compiler version
All of them that contain the new Scaladoc.
Description
From what I can see, since the new Scaladoc was introduced it has been using a very old version of Flexmark, 0.42.12. This version was released in early 2019 and has a handful of CVEs attached to it, as you can see under Vulnerabilities. Any type of CVE scanning that many places do will pick this up. There are also a ton of extensions being used that are old and also have CVEs attached to them. It looks like even the newest version, 0.64.0, still has some, but I feel it's not a good idea to use something as old as this without ever updating, especially seeing that there are CVEs attached to it.
Expectation
I'd expect the dependencies the compiler uses to be up to date and that the team does its best to avoid dependencies with published CVEs.
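The kind of check the report above refers to, as an added example that is not code from the Scala 3 project or from the reporter: a small scanner that reads a `group:artifact:version` dependency listing (the shape sbt/Coursier print), compares each version numerically against an advisory table, and also flags when artifacts of one family (here the Flexmark core and its extensions) sit on different versions, which is the state a partial bump leaves behind. The dependency list and the advisory entries are constructed placeholders, not real CVE data or the real Scaladoc dependency graph; a real scanner would load the advisory table from a vulnerability feed.

```python
"""Flag dependencies whose versions fall inside (constructed) vulnerable ranges."""
import re

# Constructed sample listing in the "group:artifact:version" form that an sbt
# dependency listing or Coursier prints. NOT the real Scaladoc dependency graph.
SAMPLE_DEPENDENCY_LIST = """\
org.scala-lang:scala3-compiler_3:3.2.0
com.vladsch.flexmark:flexmark:0.42.12
com.vladsch.flexmark:flexmark-ext-gfm-tables:0.42.12
com.vladsch.flexmark:flexmark-ext-anchorlink:0.62.2
org.jsoup:jsoup:1.15.3
"""

# Constructed advisory table, meaning "every version below fixed_in is affected".
# Placeholder entries for the example, not real CVE identifiers or ranges.
ADVISORIES = [
    {"coordinate": "com.vladsch.flexmark:flexmark", "fixed_in": "0.62.2"},
    {"coordinate": "com.vladsch.flexmark:flexmark-ext-gfm-tables", "fixed_in": "0.62.2"},
    {"coordinate": "com.vladsch.flexmark:flexmark-ext-anchorlink", "fixed_in": "0.62.2"},
]


def parse_version(version):
    """Turn a version string into a tuple that compares the way Maven users expect.

    Numeric components compare as integers, so "0.9.1" sorts below "0.62.2"
    (a plain string comparison would put it above). A qualifier such as
    "-RC1" or "-SNAPSHOT" sorts below the bare release with the same numbers,
    and a shorter version ("0.62") sorts below a longer one ("0.62.2").
    """
    numeric = []
    qualifier = None
    pieces = re.split(r"[.\-]", version.strip())
    for i, piece in enumerate(pieces):
        if piece.isdigit() and qualifier is None:
            numeric.append((1, int(piece), ""))
        else:
            qualifier = "-".join(pieces[i:]).lower()
            break
    # Release sentinel (0, 1, "") beats any qualifier (0, 0, q) at the same
    # position but loses to a further numeric component (1, n, "").
    tail = (0, 0, qualifier) if qualifier is not None else (0, 1, "")
    return tuple(numeric) + (tail,)


def parse_dependency_list(text):
    """Parse "group:artifact:version" lines into (coordinate, version) pairs."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":", 2)
        deps.append((f"{group}:{artifact}", version))
    return deps


def find_vulnerable(deps, advisories):
    """Return (coordinate, version, fixed_in) for every dependency below a fix."""
    findings = []
    for coordinate, version in deps:
        for advisory in advisories:
            if advisory["coordinate"] != coordinate:
                continue
            if parse_version(version) < parse_version(advisory["fixed_in"]):
                findings.append((coordinate, version, advisory["fixed_in"]))
    return findings


def mixed_versions(deps, group):
    """Return the set of versions used by artifacts of one group.

    More than one entry means the family was only partially bumped, which is
    both a CVE exposure (the old artifacts are still there) and a source of
    binary incompatibility between core and extensions.
    """
    return {version for coordinate, version in deps if coordinate.startswith(group + ":")}


if __name__ == "__main__":
    deps = parse_dependency_list(SAMPLE_DEPENDENCY_LIST)
    for coordinate, version, fixed_in in find_vulnerable(deps, ADVISORIES):
        print(f"VULNERABLE {coordinate} {version} (fixed in {fixed_in})")
    versions = mixed_versions(deps, "com.vladsch.flexmark")
    if len(versions) > 1:
        print(f"MIXED com.vladsch.flexmark versions: {sorted(versions)}")
```

The numeric comparison is the part worth getting right: scanners that compare version strings lexically will either miss old artifacts or raise false positives once a component crosses two digits, which Flexmark's `0.42` to `0.62` range does.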
Hello, I would like to help with this issue. I notice that a PR has been started but is blocked by an error. If someone has started a correction or has some suggestions, I am quite interested!
This PR updates the flexmark dependencies used in Scaladoc from 0.42.12,
which is from 2019, up to 0.62.2. This is mainly done to tackle a bunch of CVEs that are attached to the old versions of flexmark.
fixes #16223
---------
Co-authored-by: Chris Kipp <[email protected]>