Merge pull request #1 from BunsDev/okcode/fix-security-alerts

Harden preview security defaults and deps

Author: BunsDev

.github/workflows/ci.yml

@@ -32,6 +32,9 @@ jobs:
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
+
+      - name: Run security audit
+        run: pnpm run security-audit --strict
 
       - name: Build packages
         run: pnpm run build

README.md

@@ -73,6 +73,7 @@ const themed = applyPreviewTheme(raw); // wraps elements with cm-* classes
 ```
 
 Pair with any theme CSS (`github.css`, `github-dark.css`, `minimal.css`, or `system.css`) and the styled output just works.
+Sanitize untrusted HTML before assigning the themed output to the DOM.
 
 ### React Components
 
@@ -117,6 +118,8 @@ const html = await renderAsync(blocks, {
 });
 ```
 
+Preview output is intended for trusted content by default. If the markdown or generated HTML can come from users, sanitize it before rendering.
+
 ### CSS Custom Property Theming
 
 The `system.css` theme uses CSS custom properties so it adapts to any design system:
@@ -148,7 +151,7 @@ import '@create-markdown/preview/themes/system.css';
 
 ### BYO Sanitizer
 
-Pass any sanitizer function instead of relying on a built-in implementation:
+Pass any sanitizer function when rendering untrusted content:
 
 ```typescript
 import { blocksToHTML } from '@create-markdown/preview';
@@ -193,6 +196,8 @@ Use `shadowMode: 'none'` to render in the light DOM and inherit page styles:
 registerPreviewElement({ shadowMode: 'none' });
 ```
 
+The web component also assumes trusted markdown by default, so sanitize user-provided content before passing it in.
+
 ## Documentation
 
 | Document | Description |

SECURITY.md

@@ -6,8 +6,8 @@ We release patches for security vulnerabilities in the following versions:
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 1.x.x   | :white_check_mark: |
-| < 1.0   | :x:                |
+| 2.x.x   | :white_check_mark: |
+| < 2.0   | :x:                |
 
 ## Reporting a Vulnerability
 
@@ -16,7 +16,7 @@ We take the security of create-markdown seriously. If you discover a security vu
 ### How to Report
 
 1. **Do not** open a public GitHub issue for security vulnerabilities
-2. Email your findings to **val@viewdue.ai** (replace with your actual security email)
+2. Email your findings to **val@viewdue.ai**
 3. Alternatively, use [GitHub's private vulnerability reporting](https://github.com/BunsDev/create-markdown/security/advisories/new)
 
 ### What to Include
@@ -51,10 +51,11 @@ We will not pursue civil action or initiate a complaint to law enforcement for a
 When using create-markdown in your projects:
 
 1. **Sanitize User Input**: Always sanitize markdown content from untrusted sources before rendering
-2. **Keep Dependencies Updated**: Regularly update to the latest version to receive security patches
-3. **Content Security Policy**: Implement appropriate CSP headers when rendering markdown in browsers
-4. **Review Generated HTML**: Be cautious with HTML output, especially when allowing raw HTML in markdown
+2. **Treat Mermaid as Trusted by Default**: Use `mermaidPlugin({ config: { securityLevel: 'strict' } })` when diagram text can come from users
+3. **Keep Dependencies Updated**: Regularly update to the latest version to receive security patches
+4. **Content Security Policy**: Implement appropriate CSP headers when rendering markdown in browsers
+5. **Review Generated HTML**: Be cautious with HTML output, especially when allowing raw HTML in markdown
 
 ## Acknowledgments
 
-We appreciate the security research community's efforts in helping keep create-markdown secure. Contributors who report valid security issues will be acknowledged here (with their permission).
+We appreciate the security research community's efforts in helping keep create-markdown secure. Contributors who report valid security issues will be acknowledged here (with their permission).

package.json

@@ -38,13 +38,18 @@
   "devDependencies": {
     "@changesets/cli": "^2.27.0",
     "@testing-library/react": "^16.0.0",
-    "@vitejs/plugin-react": "^4.3.0",
     "jsdom": "^25.0.0",
     "tsup": "^8.5.1",
     "tsx": "^4.21.0",
     "turbo": "^2.3.0",
     "typescript": "^5.3.0",
-    "vitest": "^2.1.0"
+    "vite": "^7.1.11",
+    "vitest": "^4.1.2"
+  },
+  "pnpm": {
+    "overrides": {
+      "lodash-es": "4.18.1"
+    }
   },
   "packageManager": "pnpm@10.11.1",
   "engines": {

packages/core/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @create-markdown/core
 
+## 2.0.1
+
+### Patch Changes
+
+- Patch release to publish the security remediation update across all packages.
+
+  - refresh vulnerable dependency resolutions in the workspace
+  - ship the pnpm-based security audit improvements
+  - document trusted-content expectations for preview rendering
+
 ## 2.0.0
 
 ### Major Changes

packages/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@create-markdown/core",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "Block-based markdown parsing and serialization with zero dependencies",
   "author": "Val Alexander <val@viewdue.ai>",
   "license": "MIT",
@@ -51,7 +51,8 @@
   },
   "devDependencies": {
     "typescript": "^5.3.0",
-    "vitest": "^2.1.0"
+    "vite": "^7.1.11",
+    "vitest": "^4.1.2"
   },
   "engines": {
     "node": ">=20.0.0"

packages/core/src/index.ts

@@ -259,4 +259,4 @@ export function toMarkdown(blocksOrDoc: Block[] | { blocks: Block[] }): string {
 /**
  * Package version
  */
-export const VERSION = '2.0.0';
+export const VERSION = '2.0.1';

packages/create-markdown/CHANGELOG.md

@@ -1,5 +1,20 @@
 # create-markdown
 
+## 2.0.1
+
+### Patch Changes
+
+- Patch release to publish the security remediation update across all packages.
+
+  - refresh vulnerable dependency resolutions in the workspace
+  - ship the pnpm-based security audit improvements
+  - document trusted-content expectations for preview rendering
+
+- Updated dependencies
+  - @create-markdown/core@2.0.1
+  - @create-markdown/react@2.0.1
+  - @create-markdown/preview@2.0.1
+
 ## 2.0.0
 
 ### Major Changes

packages/create-markdown/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-markdown",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "Complete block-based markdown notes package - convenience bundle for @create-markdown packages",
   "author": "Val Alexander <val@viewdue.ai>",
   "license": "MIT",

packages/create-markdown/src/index.ts

@@ -15,4 +15,4 @@ export * from '@create-markdown/core';
 /**
  * Package version
  */
-export const VERSION = '2.0.0';
+export const VERSION = '2.0.1';