Update meta-marked to latest version

Meta-marked 0.4.4 which we used from our git repository contains a
RegexDOS attack in the marked dependency. The dependency was already
updated in our meta-marked repository, but not updated in yarn.

This made us still vulnerable to this ReDOS which was able to cause a
DOS attack on the server when updating a note.

For Details:

https://github.com/markedjs/marked/releases/tag/v0.7.0
https://github.com/markedjs/marked/pull/1515

What is a ReDOS?

A ReDOS attack is a DOS attack where an attacker targets a
not-well-written Regular Expression. Regular expressions try to build a
tree of all possibilities it can match in order to figure out if the
given statement is valid or not. A ReDOS attack abuses this concept by
providing a statement that doesn't match but causes extremly huge trees
that simply lead to exhausting CPU usage.

For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

Credit:

Huge thanks to @bitinerant for finding this and handling it with a
responsible disclosure.

Also thanks to the `marked`-team for fixing things already.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

1 files changed, 2 insertions, 2 deletions

diff --git a/package.json b/package.json
index b495ed94..2649d5af 100644
--- a/package.json
+++ b/package.json
@@ -82,7 +82,7 @@
     "mathjax": "~2.7.0",
     "mattermost": "^3.4.0",
     "mermaid": "~8.2.3",
-    "meta-marked": "git+https://github.com/codimd/meta-marked#semver:^0.4.2",
+    "meta-marked": "git+https://github.com/codimd/meta-marked#semver:^0.4.5",
     "method-override": "^2.3.7",
     "minimist": "^1.2.0",
     "minio": "^6.0.0",
@@ -193,8 +193,8 @@
     "mocha": "^5.2.0",
     "mock-require": "^3.0.3",
     "optimize-css-assets-webpack-plugin": "^5.0.0",
-    "sequelize-cli": "^5.4.0",
     "script-loader": "^0.7.2",
+    "sequelize-cli": "^5.4.0",
     "string-loader": "^0.0.1",
     "style-loader": "^0.21.0",
     "uglifyjs-webpack-plugin": "^1.2.7",