[Snyk] Security upgrade marked from 0.7.0 to 1.1.1 (#1313)

* fix: package.json & package-lock.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MARKED-584281

* fix: fix CompileError

* fix: embed files error

Co-authored-by: Koy <369491420@qq.com>
Co-authored-by: 沈唁 <52o@qq52o.cn>
Snyk bot 2020-08-14 02:53:23 +03:00 committed by GitHub
parent f7be0b07fa
commit 086c2859ad
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 13 additions and 10 deletions


@ -22,7 +22,10 @@ async function build(opts) {
.rollup({
input: opts.input,
plugins: (opts.plugins || []).concat([
buble(),
buble({
transforms: {
dangerousForOf: true
}}),
commonjs(),
nodeResolve(),
replace({
@ -33,8 +36,8 @@ async function build(opts) {
onwarn: function (message) {
if (message.code === 'UNRESOLVED_IMPORT') {
throw new Error(
`Could not resolve module ` +
message.source +
`Could not resolve module ` +
message.source +
`. Try running 'npm install' or using rollup's 'external' option if this is an external dependency. ` +
`Module ${message.source} is imported in ${message.importer}`
)
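Review bot: The `dangerousForOf: true` transform passed to `buble()` is enabled without a comment, and it applies to every module that goes through this rollup build, not only the upgraded marked. Under this flag Bublé rewrites `for...of` into an index loop over `.length`, which is only equivalent for arrays; a loop over a Map, Set, generator or a string with astral characters would silently behave differently. The bundle presumably includes the markdown parser and, going by the `dompurify` entry in package.json, the HTML sanitizer, so I would state the reason in place, e.g. `// marked 1.x uses for...of; buble only accepts it via dangerousForOf, which is array-only`, and check the bundled dependencies for non-array `for...of`. The second hunk in this file only changes whitespace, and `build` begins and ends outside both hunks.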


@ -62,7 +62,7 @@ Sometimes you don't want to embed a whole file. Maybe because you need just a fe
[filename](_media/example.js ':include :type=code :fragment=demo')
```
In your code file you need to surround the fragment between `/// [demo]` lines (before and after the fragment).
In your code file you need to surround the fragment between `/// [demo]` lines (before and after the fragment).
Alternatively you can use `### [demo]`.
Example:
@ -153,7 +153,7 @@ The `LABEL` can be any text you want. It acts as a _fallback_ message if the lin
### Render a codeblock from a gist
The format is the same as the previous section, but with `:type=code` added to the alt text. As with the [Embedded file type](#embedded-file-type) section, the syntax highlighting will be **inferred** from the extension (e.g. `.js` or `.py`), so you can leave the `type` set as `code`.
Here is the format:
```markdown

6
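--- a/package-lock.json
+++ b/package-lock.json
@@ -9599,9 +9599,9 @@
 }
 },
 "marked": {
-"version": "0.7.0",
-"resolved": "https://registry.npmjs.org/marked/-/marked-0.7.0.tgz",
-"integrity": "sha512-c+yYdCZJQrsRjTPhUx7VKkApw9bwDkNbHUKo1ovgcfDjb2kc8rLuRbIFyXL5WOEUwzSSKo3IXpph2K6DqB/KZg=="
+"version": "1.1.1",
+"resolved": "https://registry.npmjs.org/marked/-/marked-1.1.1.tgz",
+"integrity": "sha512-mJzT8D2yPxoPh7h0UXkB+dBj4FykPJ2OIfxAWeIHrvoHDkFxukV/29QxoFQoPM6RLEwhIFdJpmKBlqVM3s2ZIw=="
 },
 "mdn-data": {
 "version": "2.0.4",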


@ -58,7 +58,7 @@
},
"dependencies": {
"dompurify": "^2.0.8",
"marked": "^0.7.0",
"marked": "^1.1.1",
"medium-zoom": "^1.0.5",
"opencollective-postinstall": "^2.0.2",
"prismjs": "^1.19.0",


@ -101,7 +101,7 @@ export function prerenderEmbed({ compiler, raw = '', fetch }, done) {
const compile = compiler._marked;
let tokens = compile.lexer(raw);
const embedTokens = [];
const linkRE = compile.InlineLexer.rules.link;
const linkRE = compile.Lexer.rules.inline.link;
const links = tokens.links;
tokens.forEach((token, index) => {