Update marked javascript package from 0.3.12 to 4.0.18
Issue created from vulnerability 32191286
`marked` is also in this vulnerability: https://gitlab.com/gitlab-org/gitlab/-/security/vulnerabilities/32191285
I presume that `marked`, being a markdown parser, receives and parses input from our users. I can't see us calling the methods in the description explicitly, but the PoC makes it look as though the attack is fairly simple. If we aren't vulnerable we can downgrade this.
Description:
The regular expressions `block.def` and `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked, or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
- Severity: high
- Confidence: unknown
- Location: yarn.lock
A PoC from the GitHub Advisory:
```javascript
// PoC from the advisory: a link reference definition followed by a long run of
// escaped brackets makes a vulnerable marked (< 4.0.10) backtrack catastrophically.
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
```
Solution:
Upgrade to version 4.0.10 or above.
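To confirm whether a lockfile still resolves `marked` below the fixed version, here is an added example (not part of this issue or of the marked project) that parses yarn.lock v1 entries and flags any `marked` version older than 4.0.10; the lockfile text in `SAMPLE_LOCK` is constructed for the demo.

```javascript
// Fixed version named in the advisory; anything below it is affected.
const FIXED_VERSION = '4.0.10';

// Parse yarn.lock v1: an unindented header (`name@range, name@range2:`) is followed by
// indented fields, one of which is `version "x.y.z"`. Returns [{ name, version }].
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Header: drop the trailing ':', keep the first specifier, unquote it,
      // and split name from range at the last '@' (handles @scope/pkg too).
      const spec = line.replace(/:\s*$/, '').split(',')[0].trim().replace(/^"|"$/g, '');
      current = { name: spec.slice(0, spec.lastIndexOf('@')), version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Compare dotted numeric versions (pre-release suffixes ignored); <0, 0, >0 like strcmp.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every resolved `marked` version in the lockfile that is still below the fix.
function vulnerableMarkedVersions(lockText) {
  return parseYarnLockV1(lockText)
    .filter(e => e.name === 'marked' && e.version && compareVersions(e.version, FIXED_VERSION) < 0)
    .map(e => e.version);
}

// Constructed sample: one vulnerable marked entry (0.3.12), one fixed (4.0.18), one unrelated.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

marked@^0.3.12:
  version "0.3.12"
  resolved "https://registry.yarnpkg.com/marked/-/marked-0.3.12.tgz"

"marked@^4.0.18":
  version "4.0.18"

markdown-it@^12.0.0:
  version "12.3.2"
`;

console.log(vulnerableMarkedVersions(SAMPLE_LOCK)); // → [ '0.3.12' ]
```

Pass the contents of the project's own yarn.lock to `vulnerableMarkedVersions` to run the same check against the real lockfile.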
Identifiers:
Links:
- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
- https://github.com/markedjs/marked/releases/tag/v4.0.10
- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf
- https://nvd.nist.gov/vuln/detail/CVE-2022-21680
Scanner:
- Name: Gemnasium