Conversation

@fangxiaoran
Contributor

Summary

Upgrades esbuild and markmap-cli dependencies to resolve security vulnerabilities while maintaining backward compatibility.

Changes

  • esbuild: Upgraded from ^0.19.0 to ^0.27.2
    • Fixes moderate severity vulnerability
  • markmap-cli: Upgraded from ^0.16.0 to ^0.18.12
    • Fixes high severity vulnerabilities in hono dependency

Technical Details

markmap-cli 0.18.12 introduced breaking changes in its package structure:

  • Entry point changed from dist/index.js to dist/cli.js
  • Removed main() function export, now executes directly on require

Solution:

  • Updated create-bundle.js to auto-detect the correct CLI entry point
  • Updated markmap-wrapper.js to handle both old and new execution patterns
  • Maintains backward compatibility with both package versions

Testing

  • ✅ Clean build successful
  • ✅ Standalone executable (markmap-standalone.exe) verified working
  • ✅ Full build script (build.bat) tested
  • ✅ Python MCP server executable builds successfully
  • ✅ All dependencies properly bundled

Security Impact

Resolves npm audit vulnerabilities:

  • esbuild: 1 moderate severity issue
  • hono (via markmap-cli): 1 high severity issue

The only remaining vulnerability is in pkg (dev dependency, no fix available).

- Upgrade esbuild from ^0.19.0 to ^0.27.2 (fixes moderate severity vulnerability)
- Upgrade markmap-cli from ^0.16.0 to ^0.18.12 (fixes high severity hono vulnerabilities)
- Update create-bundle.js to auto-detect CLI entry point (dist/cli.js vs dist/index.js)
- Update markmap-wrapper.js to handle both old and new execution patterns
- Maintain backward compatibility with both package versions
- Build tested and verified working with all dependencies bundled

Signed-off-by: Fang, Xiaoran <xiaoran.fang@intel.com>
Contributor

@kimtaeyo kimtaeyo left a comment

It works as expected. Thank you!

@kimtaeyo kimtaeyo merged commit f93febc into intel:main Dec 31, 2025
@kimtaeyo kimtaeyo deleted the fix/markmap-security-vulnerabilities branch December 31, 2025 02:25