Fixing vulnerability

[tianhuil]

https://github.com/prisma/prisma/issues/4738

See: prisma/prisma#4739

[gustawdaniel]

Npm audit shows

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ prisma                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ prisma > prisma-cli-engine > marked                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/812                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.7.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ prisma                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ prisma > prisma-cli-engine > marked                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1076                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

So why 0.6.2 version instead of 0.7.0 is chosen?

Below list of breaking changes between these versions

Breaking Changes

• Deprecate sanitize and sanitizer options Sanitize hardening markedjs/marked#1504
• Move fences to CommonMark use correct options in specs markedjs/marked#1511
• Move tables to GFM use correct options in specs markedjs/marked#1511
• Remove tables option use correct options in specs markedjs/marked#1511
• Single backtick in link text needs to be escaped Link label security markedjs/marked#1515

Source

https://github.com/markedjs/marked/releases

[gustawdaniel]

Why no one accepted this pull request?

@steebchen I see that you have last merged pull request. Do you know what criteria need to be satisfied for pull request acceptance or rejection? Who can make decision in this topic?

[dannyfreeman]

Is this ever going to get merged in?

[gustawdaniel]

@dannyfreeman Probably something terrible happened in prisma development team

Frequency of commits dropped down dramatically.

[steebchen]

Hey guys, this is likely not ever going to be merged, as this repository is unmaintained in favor of the Prisma Framework ("Prisma 2") where all our development goes into. For more information, see the pinned issue https://github.com/prisma/prisma/issues/4898.

Regarding the content of this PR, we don't believe this is critical to fix as this just affects the CLI, which you will not use on a production server. If you want to see what we're up to these days, please check out https://github.com/prisma/prisma2.

[dannyfreeman]

Thanks for linked that pinned issue. I hadn't seen it before. It would still be nice to see this change included with the next round of security and maintenance fixes that the linked issues says will still be happening. So long as the new version of this dependency hasn't introduced any breaking changes for the cli.