From a982880556788d0ed909d70e0996890e803a71e6 Mon Sep 17 00:00:00 2001
From: tomaioo <hongsaygio.com@gmail.com>
Date: Fri, 10 Apr 2026 10:44:45 +0700
Subject: [PATCH] fix(security): third-party javascript loaded from cdn without
 ver

External scripts are loaded from jsDelivr without Subresource Integrity (`integrity` + `crossorigin`) and at least one URL is not version-pinned (`marked.min.js`). If the CDN or dependency supply chain is compromised, malicious JavaScript can be executed in clients.

Affected files: index.html

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 index.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/index.html b/index.html
index 075ecfa1..4b9b7d0e 100644
--- a/index.html
+++ b/index.html
@@ -36,10 +36,10 @@
 	<main></main>
 
 	<!-- JavaScript Library to Convert Markdown into HTML -->
-	<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
+	<script src="https://cdn.jsdelivr.net/npm/marked@12.0.2/marked.min.js" integrity="sha384-Bs4kP6I8rZlHppZArYrusS4x+h0/pk3jfbQ3VIAtF5NCz7L+G2kZZgwyU0YJIUKc" crossorigin="anonymous"></script>
 
 	<!-- Marked plugin to add heading ID's -->
-	<script src="https://cdn.jsdelivr.net/npm/marked-gfm-heading-id/lib/index.umd.js"></script>
+	<script src="https://cdn.jsdelivr.net/npm/marked-gfm-heading-id@4.1.1/lib/index.umd.js" integrity="sha384-lx9H9n1tFoZT3zh0+BTtPlqvGjYH6G+jD/adJzi10BGSAdoo6gWQBaIj++ImQxGc" crossorigin="anonymous"></script>
 
 	<script>
 		// Basic Settings