Description
HTML Injection in marky-markdown
All versions of marky-markdown are vulnerable to HTML Injection due to a validation bypass. The package only allows iframes whose source is youtube.com, but the validation can be bypassed with sources where youtube.com is a subdomain of another domain, such as youtube.com.evil.co. This
Recommendation
This package is no longer maintained. Please upgrade to @npmcorp/marky-markdown.
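The following added example (not marky-markdown's own code, and not taken from the advisory) contrasts a prefix-style source check, which accepts the youtube.com.evil.co host described above, with a check that parses the URL and compares the hostname exactly. The function names, the allowlist contents, the https-only rule and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration; all names here are hypothetical, not the package's API.
const ALLOWED_IFRAME_HOSTS = new Set(['youtube.com', 'www.youtube.com']);

// Weak check: only tests that the source *starts with* a youtube.com host.
// Nothing anchors the end of the hostname, so youtube.com.evil.co passes.
function weakIsYoutubeSource(src) {
  return /^(https?:)?\/\/(www\.)?youtube\.com/.test(src);
}

// Hardened check: parse first, then compare the whole hostname to an allowlist.
function strictIsYoutubeSource(src) {
  let url;
  try {
    // The base only serves to resolve protocol-relative sources (//host/path).
    // Relative paths resolve to the placeholder host and are rejected below.
    url = new URL(src, 'https://placeholder.invalid');
  } catch (err) {
    return false; // unparseable input is never allowed
  }
  if (url.protocol !== 'https:') return false; // assumption: embeds are https only
  return ALLOWED_IFRAME_HOSTS.has(url.hostname.toLowerCase());
}

// Returns the sources the weak check accepts but the strict check rejects,
// i.e. the inputs that would slip through the validation described above.
function findValidationGaps(sources) {
  return sources.filter((s) => weakIsYoutubeSource(s) && !strictIsYoutubeSource(s));
}

// Constructed sample iframe sources (not real embeds).
const SAMPLE_SOURCES = [
  'https://www.youtube.com/embed/abc123',
  '//www.youtube.com/embed/abc123',
  'https://youtube.com.evil.co/embed/abc123', // host pattern from the advisory
  '/embed/abc123',
];

for (const src of SAMPLE_SOURCES) {
  console.log(src, 'weak:', weakIsYoutubeSource(src), 'strict:', strictIsYoutubeSource(src));
}
console.log('gaps:', findValidationGaps(SAMPLE_SOURCES));
```

Running `findValidationGaps` over the iframe sources in stored content is a quick way to find entries that a prefix-style check let through.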
Packages
Name: marky-markdown (npm)
Affected versions: >= 0.0.0
Fixed version: None
Weaknesses
CWE-79