security: migrate from markdown to marked (ReDoS fix)#7735

Open

wtfiwtz wants to merge 3 commits into getredash:master from orchestrated-io:security/marked-migration

Conversation


@wtfiwtz wtfiwtz commented Jun 2, 2026

Summary

Replace the deprecated and vulnerable markdown package with marked to address ReDoS (Regular Expression Denial of Service) vulnerabilities.

Changes

  • package.json: Remove markdown 0.5.0, add marked ^4.3.0
  • TextboxDialog.jsx: Replace markdown.toHTML() → marked.parse()
  • TextboxWidget.jsx: Replace markdown.toHTML() → marked.parse()
  • VisualizationWidget.jsx: Replace markdown.toHTML() → marked.parse()
  • VisualizationEmbed.jsx: Replace markdown.toHTML() → marked.parse()
  • Add empty string fallback (text || "") to prevent null/undefined errors
  • Regenerate pnpm-lock.yaml

CVEs Addressed

The markdown package (0.5.0) is deprecated and contains a ReDoS vulnerability with no available fix. The marked package is a modern, actively maintained alternative with better security and performance.

Code Changes

All markdown.toHTML(text) calls have been replaced with marked.parse(text || "") to ensure safe handling of null/undefined values while maintaining identical HTML output for dashboard textboxes and query descriptions.

Test Results

  • ✅ Frontend tests: All 15 test suites passed (90 tests)
  • ✅ TypeScript compilation: Type checking passed successfully

Related PRs

Part of the frontend security upgrade series split from #7720:

Made with Cursor

Replace the deprecated and vulnerable markdown package with marked to
address ReDoS (Regular Expression Denial of Service) vulnerabilities.

Changes:
- package.json: Remove markdown 0.5.0, add marked ^4.3.0
- TextboxDialog.jsx: Replace markdown.toHTML() → marked.parse()
- TextboxWidget.jsx: Replace markdown.toHTML() → marked.parse()
- VisualizationWidget.jsx: Replace markdown.toHTML() → marked.parse()
- VisualizationEmbed.jsx: Replace markdown.toHTML() → marked.parse()
- Add empty string fallback (text || "") to prevent null/undefined errors
- Regenerate pnpm-lock.yaml

CVEs Addressed:
- GHSA-wx77-rp39-c6vg: ReDoS vulnerability in markdown package

The markdown package (0.5.0) is deprecated and contains a ReDoS
vulnerability with no available fix. The marked package is a modern,
actively maintained alternative with better security and performance.

Code Changes:
All markdown.toHTML(text) calls have been replaced with marked.parse(text || "")
to ensure safe handling of null/undefined values while maintaining
identical HTML output for dashboard textboxes and query descriptions.

Test Results:
- Frontend tests: ✓ All 15 test suites passed (90 tests)
- TypeScript compilation: ✓ Type checking passed

Co-authored-by: Cursor <cursoragent@cursor.com>
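
The description and the commit message both state the reason for the swap (a ReDoS in the old parser) and the shape of the new call (marked.parse(text || "")), but neither shows what catastrophic backtracking actually looks like or what a caller can do about it independently of the parser. The following is an added example, not code from this PR, from Redash, or from the markdown or marked packages. The regex it times is a constructed textbook pattern, not the regex the GHSA refers to; VULNERABLE, SAFE, redosInput, timeMs, compareGrowth, guardedRender and MAX_MARKDOWN_BYTES are illustration names, and the 64 KiB cap is an assumed policy value. It runs on Node 16 or later with no dependencies.

```javascript
// Added example (not code from the Redash PR or from the markdown/marked
// packages): a constructed catastrophic-backtracking regex beside a
// linear-time rewrite, a timing helper that exposes the difference, and a
// size-capped render wrapper as defence in depth. Node >= 16 (uses the
// global `performance` and `Buffer`).

// Constructed pattern with a nested, ambiguous quantifier. On a run of "a"
// followed by a character that cannot match, the engine tries every way of
// splitting the run between the inner and outer loops before giving up:
// about 2^n steps for n characters. This stands in for the kind of regex a
// ReDoS advisory describes; it is NOT the markdown package's regex.
const VULNERABLE = /^(a+)+$/;

// Accepts exactly the same strings, but as one unambiguous loop: a single
// pass over the input, no backtracking blow-up.
const SAFE = /^a+$/;

function matchesVulnerable(s) {
  return VULNERABLE.test(s);
}

function matchesSafe(s) {
  return SAFE.test(s);
}

// Constructed worst-case input for the pattern above: n matching characters
// and then one that forces the overall match to fail.
function redosInput(n) {
  return "a".repeat(n) + "!";
}

// Time a single call and return both its result and the elapsed time.
function timeMs(fn, input) {
  const start = performance.now();
  const result = fn(input);
  return { result, ms: performance.now() - start };
}

// Defence in depth that does not depend on which parser sits underneath:
// apply the same null/undefined fallback the PR adds, then refuse oversized
// input before any parser regex ever sees it. The cap is an assumed policy
// value, not something the PR sets. `render` is the real renderer, e.g.
// marked.parse, passed in so this file stays dependency-free.
const MAX_MARKDOWN_BYTES = 64 * 1024;

function guardedRender(text, render) {
  const src = text || "";
  if (Buffer.byteLength(src, "utf8") > MAX_MARKDOWN_BYTES) {
    throw new RangeError(`markdown input exceeds ${MAX_MARKDOWN_BYTES} bytes`);
  }
  return render(src);
}

// Show the growth: every +4 characters multiplies the vulnerable time by
// roughly 16, while the safe pattern stays flat. Both patterns reject the
// input; only the cost differs.
function compareGrowth(sizes = [12, 16, 20]) {
  return sizes.map((n) => {
    const input = redosInput(n);
    const v = timeMs(matchesVulnerable, input);
    const s = timeMs(matchesSafe, input);
    return {
      n,
      vulnerableMs: Number(v.ms.toFixed(2)),
      safeMs: Number(s.ms.toFixed(2)),
      match: v.result,
    };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareGrowth());
}
```

Keep the sizes small when you run this; each extra character doubles the vulnerable pattern's work, and past about 25 characters a single call blocks the thread for seconds, which is the attack. One caveat that is outside what the PR text shows: marked's own documentation states that marked.parse() does not sanitize the HTML it produces, so whatever the four call sites do with the returned string still needs to pass through a sanitizer (DOMPurify or similar) before it reaches the DOM; a reviewer would confirm that step at each call site.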
@wtfiwtz wtfiwtz marked this pull request as ready for review June 3, 2026 23:26

cubic-dev-ai (bot) left a comment


No issues found across 8 files




1 participant