[npm] Use Showdownjs instead of markdown-to-html for converting Markdown to HTML

Tadashi Shigeoka ·  Tue, April 9, 2019

There are several npm packages for converting Markdown to HTML in Node.js, but I recommend using Showdownjs instead of markdown-to-html.


Prerequisites

Here are the links to the two packages, markdown-to-html and Showdownjs.

markdown-to-html

Showdownjs

markdown-to-html pulls in vulnerable dependencies

The main reason I recommend Showdownjs is that markdown-to-html depends on packages with known vulnerabilities: the npm audit report below flags a critical command injection in open and a moderate memory exposure in bl, both reached through markdown-to-html, and npm audit fix cannot resolve either of them (both require manual review). Note that switching libraries only removes those advisories; Showdown does not sanitize the HTML it produces, so output generated from untrusted Markdown still needs an HTML sanitizer before it is rendered.

npm install shows vulnerabilities

$ npm install
audited 271 packages in 1.191s
found 2 vulnerabilities (1 moderate, 1 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

npm audit security report

Running npm audit produced the following security report.

$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ open                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >0.0.5                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ markdown-to-html [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ markdown-to-html > open                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/663                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ bl                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.9.5 <1.0.0 || >=1.0.1                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ markdown-to-html [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ markdown-to-html > pygmentize-bundled > bl                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/596                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 vulnerabilities (1 moderate, 1 critical) in 271 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

That's all from the field. The takeaway is to keep using libraries whose dependency trees carry no known vulnerabilities, and to re-run npm audit whenever dependencies change.