From ccd58854f71b72cae6b15e6eacae501b4189a28e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tr=E1=BA=A7n=20B=C3=A1ch?=
<45133811+barttran2k@users.noreply.github.com>
Date: Tue, 7 Apr 2026 21:23:22 +0700
Subject: [PATCH] fix(security): unpinned cdn dependency versions allow supply
chai
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The `marked` and `marked-gfm-heading-id` libraries are loaded from jsdelivr without pinned versions (`/npm/marked/marked.min.js` and `/npm/marked-gfm-heading-id/lib/index.umd.js`). This means the CDN serves whatever the latest version is, which could change at any time. A malicious version published to npm would be automatically served to all visitors.
Affected files: index.html
Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
---
index.html | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/index.html b/index.html
index 5f90ae39..b269ed9e 100644
--- a/index.html
+++ b/index.html
@@ -35,10 +35,10 @@
-
+
-
+
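Review bot: the `-`/`+` lines of this hunk are empty as rendered and the `@@ -35,10 +35,10 @@` header promises ten lines of context where only four appear, so the pinned versions the commit message describes cannot be verified from the hunk itself; please resend with the full hunk. On the substance, pinning `marked` and `marked-gfm-heading-id` to exact versions stops a newly published malicious release from being served, but it does not detect a change in the file the CDN actually delivers for that version; add `integrity="sha384-..."` together with `crossorigin="anonymous"` to both `<script>` tags so the browser refuses a file whose hash does not match.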