Update marked to resolve CVE-2022-21681

[humble-barnacle001]

• Resolves GHSA-5v2h-r2cx-5xgj. Also closes bug: There are a High Vulnerability on marked dependences #112
• Updates package-lock.json to lockfileVersion 1 as is required for "engines": {"node": ">=12.0"},

$ npm -v
6.14.15

$ node -v
v12.22.9

[simonhaenisch]

Wrong lockfile version but thanks for the PR and issue!

[humble-barnacle001]

Thanks for the release @simonhaenisch.

I have a suggestion regarding the lockfileVersion in package-lock.json: since the line https://github.com/simonhaenisch/md-to-pdf/blob/master/package.json#L17 mentions "engines": {"node": ">=12.0"}, and as per https://docs.npmjs.com/cli/v8/configuring-npm/package-lock-json#lockfileversion npm v6 (compatible with node v12.x) should use lockfileVersion: 1

[simonhaenisch]

npm 8 is also compatible with Node 12.

[humble-barnacle001]

npm 8 is also compatible with Node 12.

Yes but suppose we install node 12 then by default we get npm v6 which requires version 1. As per the requirements, we install node v12 only as there is no mention of npm version so we assume that we have to support the default version of npm too

[simonhaenisch]

The package-lock is not part of what gets packed, i. e. doesn't exist when installing the package from npm. Thus it's only relevant for development, whereas the engines field in package.json is relevant for runtime compatibility.

[humble-barnacle001]

The package-lock is not part of what gets packed, i. e. doesn't exist when installing the package from npm. Thus it's only relevant for development, whereas the engines field in package.json is relevant for runtime compatibility.

Ohh ok thanks.