mdast-zone - npm Package Compare versions

Comparing version 3.0.4 to 4.0.0

package.json

 {
   "name": "mdast-zone",
-  "version": "3.0.4",
-  "description": "HTML comments as ranges in remark",
+  "version": "4.0.0",
+  "description": "mdast utility to treat HTML comments as ranges or markers",
   "license": "MIT",
   "keywords": [
     "unist",
+    "mdast",
+    "mdast-util",
     "util",
@@ -15,7 +17,10 @@ "utility",
     "range",
-    "marker",
-    "mdast"
+    "marker"
   ],
   "repository": "syntax-tree/mdast-zone",
   "bugs": "https://github.com/syntax-tree/mdast-zone/issues",
+  "funding": {
+    "type": "opencollective",
+    "url": "https://opencollective.com/unified"
+  },
   "author": "Titus Wormer <tituswormer@gmail.com> (https://wooorm.com)",
@@ -29,17 +34,17 @@ "contributors": [
   "dependencies": {
-    "mdast-comment-marker": "^1.0.1",
-    "unist-util-visit": "^1.0.0"
+    "mdast-comment-marker": "^1.0.0",
+    "unist-util-visit": "^2.0.0"
   },
   "devDependencies": {
     "browserify": "^16.0.0",
-    "is-hidden": "^1.0.1",
+    "is-hidden": "^1.0.0",
     "negate": "^1.0.0",
-    "nyc": "^14.0.0",
+    "nyc": "^15.0.0",
     "prettier": "^1.0.0",
-    "remark": "^10.0.0",
-    "remark-cli": "^6.0.0",
-    "remark-preset-wooorm": "^5.0.0",
+    "remark": "^11.0.0",
+    "remark-cli": "^7.0.0",
+    "remark-preset-wooorm": "^6.0.0",
     "tape": "^4.0.0",
     "tinyify": "^2.0.0",
-    "xo": "^0.24.0"
+    "xo": "^0.26.0"
   },
@@ -46,0 +51,0 @@ "scripts": {

readme.md

@@ -23,3 +23,3 @@ # mdast-zone
 
-## Usage
+## Use
 
@@ -105,2 +105,28 @@ Say we have the following file, `example.md`:
 
+## Security
+
+Improper use of `handler` can open you up to a [cross-site scripting (XSS)][xss]
+attack as the value it returns is injected into the syntax tree.
+This can become a problem if the tree is later transformed to [**hast**][hast].
+The following example shows how a script is injected that could run when loaded
+in a browser.
+
+```js
+function handler(start, nodes, end) {
+  return [start, {type: 'html', value: 'alert(1)'}, end]
+}
+```
+
+Yields:
+
+```markdown
+<!--foo start-->
+
+<script>alert(1)</script>
+
+<!--foo end-->
+```
+
+Either do not use user input or use [`hast-util-santize`][sanitize].
+
 ## Contribute
@@ -112,4 +138,4 @@
 
-This project has a [Code of Conduct][coc].
-By interacting with this repository, organisation, or community you agree to
+This project has a [code of conduct][coc].
+By interacting with this repository, organization, or community you agree to
 abide by its terms.
@@ -145,3 +171,3 @@
 
-[chat-badge]: https://img.shields.io/badge/join%20the%20community-on%20spectrum-7b16ff.svg
+[chat-badge]: https://img.shields.io/badge/chat-spectrum-7b16ff.svg
 
@@ -173,1 +199,7 @@ [chat]: https://spectrum.chat/unified/syntax-tree
 [html]: https://github.com/syntax-tree/mdast#html
+
+[xss]: https://en.wikipedia.org/wiki/Cross-site_scripting
+
+[hast]: https://github.com/syntax-tree/hast
+
+[sanitize]: https://github.com/syntax-tree/hast-util-sanitize

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

9228

increased by10.54%

Number of lines in readme file

201

increased by18.93%

Dependency changes

• + Added@types/unist@2.0.11(transitive)

• + Addedunist-util-is@4.1.0(transitive)

• + Addedunist-util-visit@2.0.3(transitive)

• + Addedunist-util-visit-parents@3.1.1(transitive)

• - Removedunist-util-is@3.0.0(transitive)

• - Removedunist-util-visit@1.4.1(transitive)

• - Removedunist-util-visit-parents@2.1.2(transitive)

• Updatedmdast-comment-marker@^1.0.0

• Updatedunist-util-visit@^2.0.0