Skip to content

Pinned linkify-it to 5.0.2 to address CVE#192

Open
MatthewJamisonJS wants to merge 1 commit into
mainfrom
july_linkify_it_cve
Open

Pinned linkify-it to 5.0.2 to address CVE#192
MatthewJamisonJS wants to merge 1 commit into
mainfrom
july_linkify_it_cve

Conversation

@MatthewJamisonJS

@MatthewJamisonJS MatthewJamisonJS commented Jul 6, 2026

Copy link
Copy Markdown
Member

The bug 🐛

Ran into GHSA-22p9-wv53-3rq4linkify-it has a ReDoS in match(), CVSS 8.7. We don't depend on it directly, it's pulled in twice through markdown-it. Both copies (2.2.0 and 3.0.3) were below the patched 5.0.1.

Proposed Solution

Pinned it via yarn resolutions to ^5.0.1, landed on 5.0.2. Was a little worried since the changelog calls 5.0.0 an "ESM rewrite" — but looking at the published package, it still exports CJS (requirebuild/index.cjs.js) and the API surface (test, match, pretest, tlds) looks the same, so should be safe for our CJS markdown-it versions.

Testing Notes

  • yarn why linkify-it shows one resolved copy at 5.0.2 now.
  • yarn test:ember fails, but same failure happens on main without this change (looks like a stale babel plugin in node_modules, not related to this).
  • Diff is small — package.json +1 line, yarn.lock 12+/13-, no full lockfile rewrite.

@MatthewJamisonJS MatthewJamisonJS requested a review from a team July 6, 2026 19:54
@MatthewJamisonJS MatthewJamisonJS added review-needed dependencies Pull requests that update a dependency file alert cve labels Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

alert cve dependencies Pull requests that update a dependency file review-needed

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant