We are seeing a warning on builds of out internal distributed JS tracing solution.
Our vulnerability catcher - SNYK - is blocking builds due to picking up an issue with the marked (https://www.npmjs.com/package/marked) lib introduced through js-doc (https://www.npmjs.com/package/jsdoc) which is used in thrift (https://github.com/apache/thrift/blob/0.13.0/package.json#L52).
We have noticed that js-doc is using the Latest Release version, which in fact is pointing to an older release version; js-doc is at 3.5.5 (2017) while the actual latest is 3.6.4.
The vulnerability in the marked lib is described here: https://snyk.io/vuln/SNYK-JS-MARKED-174116
Since this is a dev dependency and, a MEDIUM SEVERITY score, it would be cool if we had the dependency (js-doc) to take advantage of the fixes therein.
We can then notify Lightstep to make an update.