
An XSS vulnerability was fixed in the marked library, with no new version yet bumped to npm. What are my options here to update my application with this fix (i.e. applying the fix, without manually adding the updated library code unmanaged by NPM)?

The commit can be found here. https://github.com/chjj/marked/commit/cd2f6f5b7091154c5526e79b5f3bfb4d15995a51

I'd prefer to keep using NPM to retain control over versioning of packages in the project.

  1. Is there a way to do an NPM install on the (specific) github version including the fix?
MattV
  • Possible duplicate of [How to install an npm package from GitHub directly?](http://stackoverflow.com/questions/17509669/how-to-install-an-npm-package-from-github-directly) – jonrsharpe May 20 '17 at 08:50
  • Not the same. I'm looking for specifically the version that was committed in the link provided, i.e. let npm package.json link to this committed version and treat it as a 'special' version 0.3.6 until the fix is pushed to npm in a new release. – MattV May 21 '17 at 00:35
  • You can point to a specific commit or tag, see e.g. http://stackoverflow.com/a/27630247/3001761. Beyond that it's unclear what behaviour you're looking for. – jonrsharpe May 21 '17 at 07:18
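As an added illustration (not code from the question, the commenters, or the marked project), the script below parses the GitHub dependency specs npm accepts and flags any that track a mutable branch or tag instead of a full commit SHA; the package.json object is constructed for the example, with `marked` pointed at the fix commit from the question and `example-lib` as a made-up name on a branch.

```javascript
// Accepted GitHub spec forms: "owner/repo#ref", "github:owner/repo#ref",
// and "git+https://github.com/owner/repo.git#ref". The ref may be a branch,
// a tag, or a commit SHA; only a full 40-hex SHA is immutable.
const GITHUB_SHORT = /^(?:github:)?([\w.-]+)\/([\w.-]+?)(?:\.git)?#(.+)$/;
const GITHUB_URL = /^git\+https:\/\/github\.com\/([\w.-]+)\/([\w.-]+?)(?:\.git)?#(.+)$/;

// Returns { owner, repo, ref } or null when the spec is not a GitHub git spec
// (a registry semver range such as "^4.15.0" returns null).
function parseGitHubSpec(spec) {
  const m = GITHUB_URL.exec(spec) || GITHUB_SHORT.exec(spec);
  if (!m) return null;
  return { owner: m[1], repo: m[2], ref: m[3] };
}

// True only when the ref is a full SHA-1, i.e. the dependency cannot be
// silently moved by a later push to the same branch or a re-tag.
function isPinnedToCommit(spec) {
  const parsed = parseGitHubSpec(spec);
  return parsed !== null && /^[0-9a-f]{40}$/.test(parsed.ref);
}

// Scans the dependency sections of a package.json object and returns the
// names of git-sourced dependencies that are not pinned to a full commit.
function findUnpinnedGitDeps(pkg) {
  const unpinned = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (parseGitHubSpec(spec) && !isPinnedToCommit(spec)) unpinned.push(name);
    }
  }
  return unpinned;
}

// Constructed package.json (not a real project file): "marked" is pinned to
// the fix commit named in the question; "example-lib" is hypothetical and
// tracks a branch; "express" comes from the registry and is ignored.
const SAMPLE_PKG = {
  dependencies: {
    marked: 'chjj/marked#cd2f6f5b7091154c5526e79b5f3bfb4d15995a51',
    'example-lib': 'github:someone/example-lib#master',
    express: '^4.15.0'
  }
};

console.log(findUnpinnedGitDeps(SAMPLE_PKG)); // prints [ 'example-lib' ]
```

Running this as a pre-install check catches the case where someone later replaces the commit hash with a branch name, which would let an unreviewed upstream push land in the application.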

0 Answers