A markdown parser and compiler. Built for speed.
Installations
npm install marked
Module System: ESM, UMD
Min. Node Version: >= 18
Typescript Support: Yes
Node Version: 22.11.0
NPM Version: 10.8.2
Statistics
33,279 Stars
3,495 Commits
3,393 Forks
387 Watching
2 Branches
185 Contributors
Updated on 27 Nov 2024
Languages
JavaScript (35.35%)
TypeScript (34.88%)
HTML (29.78%)
Total Downloads
Cumulative downloads: 1,751,770,619
- Last day: 2,348,599 (-0% compared to previous day)
- Last week: 12,926,752 (5% compared to previous week)
- Last month: 50,084,334 (26.5% compared to previous month)
- Last year: 474,992,966 (23.1% compared to previous year)
Dev Dependencies: 25
Marked
- ⚡ built for speed
- ⬇️ low-level compiler for parsing markdown without caching or blocking for long periods of time
- ⚖️ light-weight while implementing all markdown features from the supported flavors & specifications
- 🌐 works in a browser, on a server, or from a command line interface (CLI)
Demo
Check out the demo page to see marked in action ⛹️
Docs
Our documentation pages are also rendered using marked 💯
Also read about:
Compatibility
Node.js: Only current and LTS Node.js versions are supported. End of life Node.js versions may become incompatible with Marked at any point in time.
Browser: Not IE11 :)
Installation
CLI:
npm install -g marked
In-browser:
npm install marked
Usage
Warning: 🚨 Marked does not sanitize the output HTML. Please use a sanitize library, like DOMPurify (recommended), sanitize-html or insane on the output HTML! 🚨
DOMPurify.sanitize(marked.parse(`<img src="x" onerror="alert('not happening')">`));
CLI
    # Example with stdin input
    $ marked -o hello.html
    hello world
    ^D
    $ cat hello.html
    <p>hello world</p>

    # Print all options
    $ marked --help
Browser
    <!doctype html>
    <html>
    <head>
      <meta charset="utf-8"/>
      <title>Marked in the browser</title>
    </head>
    <body>
      <div id="content"></div>
      <script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
      <script>
        document.getElementById('content').innerHTML =
          marked.parse('# Marked in the browser\n\nRendered by **marked**.');
      </script>
    </body>
    </html>
or import esm module
    <script type="module">
      import { marked } from "https://cdn.jsdelivr.net/npm/marked/lib/marked.esm.js";
      document.getElementById('content').innerHTML =
        marked.parse('# Marked in the browser\n\nRendered by **marked**.');
    </script>
License
Copyright (c) 2011-2022, Christopher Jeffrey. (MIT License)
Stable Version
The latest stable version of the package.
15.0.2
HIGH (4)
- 7.5/10: Regular Expression Denial of Service in marked. Affected Versions: < 0.3.4. Patched Versions: 0.3.4
- 7.5/10: Inefficient Regular Expression Complexity in marked. Affected Versions: < 4.0.10. Patched Versions: 4.0.10
- 7.5/10: Inefficient Regular Expression Complexity in marked. Affected Versions: < 4.0.10. Patched Versions: 4.0.10
- 7.5/10: Regular Expression Denial of Service in marked. Affected Versions: < 0.3.9. Patched Versions: 0.3.9
MODERATE (11)
- 6.1/10: Marked vulnerable to XSS from data URIs. Affected Versions: < 0.3.7. Patched Versions: 0.3.7
- 6.1/10: Sanitization bypass using HTML Entities in marked. Affected Versions: < 0.3.6. Patched Versions: 0.3.6
- 0/10: Content injection in marked. Affected Versions: < 0.3.9. Patched Versions: 0.3.9
- 0/10: Regular Expression Denial of Service. Affected Versions: >= 0.5.0, < 0.6.1. Patched Versions: 0.6.1
- 0/10: Cross-Site Scripting in marked. Affected Versions: < 0.3.9. Patched Versions: 0.3.9
- 0/10: Moderate severity vulnerability that affects marked. Affected Versions: < 0.3.3. Patched Versions: 0.3.3
- 5.3/10: Marked ReDoS due to email addresses being evaluated in quadratic time. Affected Versions: >= 0.3.14, < 0.6.2. Patched Versions: 0.6.2
- 5.3/10: Regular Expression Denial of Service (REDoS) in Marked. Affected Versions: >= 1.1.1, < 2.0.0. Patched Versions: 2.0.0
- 6.1/10: Multiple Content Injection Vulnerabilities in marked. Affected Versions: <= 0.3.0. Patched Versions: 0.3.1
- 0/10: Moderate severity vulnerability that affects marked. Affected Versions: < 0.3.9. Patched Versions: 0.3.9
- 0/10: VBScript Content Injection in marked. Affected Versions: < 0.3.3. Patched Versions: 0.3.3
LOW (1)
- 0/10: Regular Expression Denial of Service in marked. Affected Versions: >= 0.4.0, < 0.7.0. Patched Versions: 0.7.0
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10
Reason
GitHub workflow tokens follow principle of least privilege
Details
- Info: topLevel 'contents' permission set to 'read': .github/workflows/tests.yml:9
- Info: no jobLevel write permissions found
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/tests.yml:55
Reason
license file detected
Details
- Info: project has a license file: LICENSE.md:0
- Warn: project license file does not contain an FSF or OSI license.
Reason
2 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-7q7g-4xm8-89cq
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
Reason
Found 10/16 approved changesets -- score normalized to 6
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/markedjs/marked/tests.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/markedjs/marked/tests.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/markedjs/marked/tests.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/markedjs/marked/tests.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/markedjs/marked/tests.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/markedjs/marked/tests.yml/master?enable=pin
- Info: 0 out of 6 GitHub-owned GitHubAction dependencies pinned
- Info: 3 out of 3 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 26 are checked with a SAST tool
Score: 7.3/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.