{"id":16115,"library":"marked","title":"Marked.js Markdown Parser","description":"Marked.js is a high-performance Markdown parser designed to efficiently convert Markdown text into HTML. It is currently at version 18.0.2 and maintains a very active release cadence, with patch and minor versions often released weekly or bi-weekly and major versions arriving every few months. Key differentiators include its strong focus on speed, its architecture as a low-level compiler that avoids caching and prolonged blocking operations, and its lightweight footprint. It aims to implement all Markdown features from supported specifications and is versatile, capable of running in browser environments, on a server (Node.js), or via its command-line interface. A critical consideration for users is that Marked.js intentionally does *not* sanitize its HTML output, so a separate sanitization library such as DOMPurify must be used wherever untrusted Markdown is rendered.","status":"active","version":"18.0.2","language":"javascript","source_language":"en","source_url":"git://github.com/markedjs/marked","tags":["javascript","markdown","markup","html","typescript"],"install":[{"cmd":"npm install marked","lang":"bash","label":"npm"},{"cmd":"yarn add marked","lang":"bash","label":"yarn"},{"cmd":"pnpm add marked","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"For ESM environments, `marked` is a named export containing the `parse` function and other utilities. CommonJS `require` should generally be avoided in modern Node.js projects unless explicit CJS interop is needed.","wrong":"const marked = require('marked');","symbol":"marked","correct":"import { marked } from 'marked';"},{"note":"The primary parsing function can be directly imported as a named export `parse` for convenience. Be aware that importing `marked` as a default might lead to issues if the main export structure changes or if using older bundlers.","wrong":"import marked from 'marked'; // then marked('text')","symbol":"parse","correct":"import { parse } from 'marked';"},{"note":"This is a TypeScript type definition used for creating custom extensions. It should only be imported using `import type` to avoid bundling unnecessary runtime code.","wrong":"import { MarkedExtension } from 'marked'; // for runtime usage","symbol":"MarkedExtension","correct":"import type { MarkedExtension } from 'marked';"}],"quickstart":{"code":"import { marked } from 'marked';\nimport DOMPurify from 'dompurify';\n\n// NOTE: the default 'dompurify' import only sanitizes where a DOM exists (a browser).\n// In Node.js, DOMPurify.isSupported is false and sanitize() returns its input unchanged,\n// so build the instance from a jsdom window there: createDOMPurify(new JSDOM('').window).\n\n// Backticks inside the template literal must be escaped, otherwise the fenced\n// code block below would terminate the string.\nconst markdownInput = `# Hello from Marked.js!\n\nThis is a paragraph with **bold** and *italic* text.\n\n- List item 1\n- List item 2\n\n### Code Example\n\n\\`\\`\\`javascript\nfunction greet(name) {\n  console.log('Hello, ' + name + '!');\n}\ngreet('World');\n\\`\\`\\`\n\n<script>alert('XSS attempt!');</script>`;\n\n// Parse the markdown to HTML. `async: false` selects the synchronous overload,\n// so the result is typed as string rather than string | Promise<string>.\nconst unsafeHTML = marked.parse(markdownInput, { async: false });\n\n// Sanitize the HTML output (CRITICAL STEP for untrusted input)\nconst safeHTML = DOMPurify.sanitize(unsafeHTML);\n\nconsole.log('--- Unsafe HTML (for demonstration) ---\\n', unsafeHTML);\nconsole.log('\\n--- Safe HTML (after DOMPurify) ---\\n', safeHTML);\n\n// Example with custom options. `headerIds` is no longer a core option;\n// heading ids come from the marked-gfm-heading-id extension.\nmarked.setOptions({\n  gfm: true, // GitHub Flavored Markdown\n  breaks: true // Interpret line breaks as <br/>\n});\n\nconst customParsedHTML = DOMPurify.sanitize(\n  marked.parse(`## Custom Options Test\\nLine 1\\nLine 2`, { async: false })\n);\nconsole.log('\\n--- HTML with Custom Options ---\\n', customParsedHTML);\n","lang":"typescript","description":"Demonstrates basic Markdown parsing with Marked.js, including critical HTML sanitization using DOMPurify and configuring options."},"warnings":[{"fix":"Upgrade your project's TypeScript version to 6.0.2 or newer, or ensure your tsconfig.json is configured to support the types.","message":"Marked.js versions 18.0.0 and above now depend on TypeScript 6.0.2. Projects using older TypeScript versions or specific TS features that are incompatible with this version may encounter compilation issues. Ensure your project's TypeScript setup is compatible.","severity":"breaking","affected_versions":">=18.0.0"},{"fix":"Review custom Marked.js extensions, especially those dealing with lists, tokens, or renderers, and update them to align with the new internal token and renderer structures as documented in the Marked.js extensibility guide.","message":"Version 17.0.0 introduced significant internal changes to how tokenizers and renderers operate, specifically affecting consecutive text tokens in lists, the `listItem` renderer, and the addition of a `CheckboxToken` with new `type` and `raw` properties. Custom extensions that directly interact with or override these internal mechanisms will likely require updates.","severity":"breaking","affected_versions":">=17.0.0"},{"fix":"ALWAYS sanitize the HTML output using a dedicated sanitization library like DOMPurify (recommended) or sanitize-html before rendering it in a browser context. This step is critical for security.","message":"Marked.js explicitly does NOT sanitize its HTML output. Directly rendering output from untrusted Markdown input can lead to Cross-Site Scripting (XSS) vulnerabilities. This is a deliberate design choice for performance and flexibility.","severity":"gotcha","affected_versions":">=0.1.0"},{"fix":"Ensure your Node.js environment is always an actively maintained LTS or current release. Refer to the official Node.js releases page for up-to-date information.","message":"Marked.js only supports current and LTS (Long Term Support) Node.js versions. Using End-of-Life (EOL) Node.js versions may lead to unexpected behavior, compatibility issues, or prevent the library from functioning at all.","severity":"gotcha","affected_versions":">=0.1.0"},{"fix":"Regularly update Marked.js to the latest stable version to benefit from security patches and performance improvements. Avoid crafting custom regular expressions for Markdown parsing without thorough ReDoS testing.","message":"Previous versions of Marked.js (e.g., v17.0.4, v17.0.5) contained fixes for ReDoS (catastrophic backtracking) vulnerabilities in its internal regular expressions. While fixed in current releases, this highlights the importance of keeping the library updated to protect against potential Denial-of-Service attacks when parsing malicious or overly complex Markdown input.","severity":"gotcha","affected_versions":"<17.0.6"}],"env_vars":null,"last_verified":"2026-04-21T00:00:00.000Z","next_check":"2026-07-20T00:00:00.000Z","problems":[{"fix":"Change your import statement to `import { marked } from 'marked';` or `import { parse } from 'marked';` for ESM environments.","cause":"Attempting to use `require()` for Marked.js in an ECMAScript Module (ESM) context (e.g., `\"type\": \"module\"` in package.json, or `.mjs` files) where CommonJS `require` is not natively available.","error":"ReferenceError: require is not defined"},{"fix":"For Node.js/bundlers using ESM, ensure you use `import { marked } from 'marked';` and then call `marked.parse()`. If using the browser UMD bundle (`marked.umd.js`), the `marked` global object should have the `parse` method directly.","cause":"This usually occurs when attempting to call `marked.parse()` after importing `marked` as a default export (`import marked from 'marked';`) in an environment where `marked` is a named export object, or when using an incorrect UMD/browser script.","error":"TypeError: marked.parse is not a function"},{"fix":"Integrate a robust HTML sanitization library, such as DOMPurify, and run the `marked.parse()` output through it before rendering. Example: `DOMPurify.sanitize(marked.parse(input))`.","cause":"Markdown input contained malicious HTML or scripts (e.g., `<script>alert('xss')</script>`), and the output HTML was rendered without proper sanitization. Marked.js does not sanitize its output by design.","error":"Unescaped HTML or XSS vulnerability detected in output."}],"ecosystem":"npm"}