Docsify has CVE-2020-7680 and CVE-2021-21306

[ccoltx]

Apparently the validator tool uses docsify which has a reported CVE-2020-7680. Is there anyway to update this? Or, could we have a JAR file without the GUI packed inside?

https://nvd.nist.gov/vuln/detail/CVE-2020-7680

[rkottmann]

Hi @apenski and @LRabeDE can you work on this?

[rkottmann]

seems that update on version >= 4.11.4 might suffice

[rkottmann]

And many thanks @ccoltx for reporting

[apenski]

Sorry for the late reply. I digged into this and I am not so confident whether upgrading is the best solution since the most recent version has vulnerabilities too: https://snyk.io/test/npm/docsify/4.12.2

The docsify project was not so active in the past 2 years, but made progress recently. I'll raise in issue there and will see how they react. So the question is upgrading, removing or migrating to another (maybe static?) framework for this feature

@ccoltx Anyways, this is only used in daemon mode. If you don't use this mode, you are safe.

@rkottmann there are some other minor updates, which we should release. Let's talk about this

[apenski]

problem already adressed: docsifyjs/docsify#1724

[apenski]

docsifyjs didn't make any progress in replacing the old marked version. We decided to drop the usage in favor of docusaurus and did a complete "rewrite" of the daemon UI

Fixed in main.