diff --git a/0001-CVE-2022-21680.patch b/0001-CVE-2022-21680.patch
new file mode 100644
index 0000000..f20a0ec
--- /dev/null
+++ b/0001-CVE-2022-21680.patch
@@ -0,0 +1,64 @@ +diff -Naur marked-2.0.0/src/rules.js marked-2.0.0~/src/rules.js +--- marked-2.0.0/src/rules.js 2021-02-08 06:26:26.000000000 +0800 ++++ marked-2.0.0~/src/rules.js 2022-09-02 11:01:07.576853870 +0800 +@@ -25,7 +25,7 @@ + + '|<(?!script|pre|style)([a-z][\\w-]*)(?:attribute)*? */?>(?=[ \\t]*(?:\\n|$))[\\s\\S]*?(?:\\n{2,}|$)' // (7) open tag + + '|(?=[ \\t]*(?:\\n|$))[\\s\\S]*?(?:\\n{2,}|$)' // (7) closing tag + + ')', +- def: /^ {0,3}\[(label)\]: *\n? *]+)>?(?:(?: +\n? *| *\n *)(title))? *(?:\n+|$)/, ++ def: /^ {0,3}\[(label)\]: *(?:\n *)?]+)>?(?:(?: +(?:\n *)?| *\n *)(title))? *(?:\n+|$)/, + nptable: noopTest, + table: noopTest, + lheading: /^([^\n]+)\n {0,3}(=+|-+) *(?:\n+|$)/, +@@ -35,7 +35,7 @@ + text: /^[^\n]+/ + }; + +-block._label = /(?!\s*\])(?:\\[\[\]]|[^\[\]])+/; ++block._label = /(?!\s*\])(?:\\.|[^\[\]\\])+/; + block._title = /(?:"(?:\\"?|[^"\\])*"|'[^'\n]*(?:\n[^'\n]+)*\n?'|\([^()]*\))/; + block.def = edit(block.def) + .replace('label', block._label) +@@ -170,8 +170,8 @@ + + '|^' // declaration, e.g. 
+ + '|^', // CDATA section + link: /^!?\[(label)\]\(\s*(href)(?:\s+(title))?\s*\)/, +- reflink: /^!?\[(label)\]\[(?!\s*\])((?:\\[\[\]]?|[^\[\]\\])+)\]/, +- nolink: /^!?\[(?!\s*\])((?:\[[^\[\]]*\]|\\[\[\]]|[^\[\]])*)\](?:\[\])?/, ++ reflink: /^!?\[(label)\]\[(ref)\]/, ++ nolink: /^!?\[(ref)\](?:\[\])?/, + reflinkSearch: 'reflink|nolink(?!\\()', + emStrong: { + lDelim: /^(?:\*+(?:([punct_])|[^\s*]))|^_+(?:([punct*])|([^\s_]))/, +@@ -238,6 +238,11 @@ + + inline.reflink = edit(inline.reflink) + .replace('label', inline._label) ++ .replace('ref', block._label) ++ .getRegex(); ++ ++inline.nolink = edit(inline.nolink) ++ .replace('ref', block._label) + .getRegex(); + + inline.reflinkSearch = edit(inline.reflinkSearch, 'g') +diff -Naur marked-2.0.0/test/specs/redos/cubic_def.cjs marked-2.0.0~/test/specs/redos/cubic_def.cjs +--- marked-2.0.0/test/specs/redos/cubic_def.cjs 1970-01-01 08:00:00.000000000 +0800 ++++ marked-2.0.0~/test/specs/redos/cubic_def.cjs 2022-09-02 10:50:19.562274563 +0800 +@@ -0,0 +1,4 @@ ++module.exports = { ++ markdown: `[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`, ++ html: `

[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x

`, ++}; +diff -Naur marked-2.0.0/test/specs/redos/reflink_redos.html marked-2.0.0~/test/specs/redos/reflink_redos.html +--- marked-2.0.0/test/specs/redos/reflink_redos.html 1970-01-01 08:00:00.000000000 +0800 ++++ marked-2.0.0~/test/specs/redos/reflink_redos.html 2022-09-02 10:50:42.510544453 +0800 +@@ -0,0 +1 @@ ++

[[]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([]([

+diff -Naur marked-2.0.0/test/specs/redos/reflink_redos.md marked-2.0.0~/test/specs/redos/reflink_redos.md +--- marked-2.0.0/test/specs/redos/reflink_redos.md 1970-01-01 08:00:00.000000000 +0800 ++++ marked-2.0.0~/test/specs/redos/reflink_redos.md 2022-09-02 10:51:08.129845768 +0800 +@@ -0,0 +1,3 @@ ++[x]: x ++ ++[\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\](\[\]([ diff --git a/marked.spec b/marked.spec index 350d8fb..ae1e947 100644 --- a/marked.spec +++ b/marked.spec @@ -4,11 +4,12 @@ Name: marked Version: 2.0.0 -Release: 3 +Release: 4 Summary: A markdown parser for Node.js built for speed License: MIT URL: https://github.com/markedjs/%{name} Source0: https://github.com/markedjs/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Patch1: 0001-CVE-2022-21680.patch BuildArch: noarch @@ -65,6 +66,7 @@ Install this for the minified web assests for nodejs-marked. %prep %setup -q -n %{name}-%{version} +%patch1 -p1 # remove the bundled minified marked rm -f marked.min.js @@ -131,6 +133,9 @@ npm run test %{_jsdir}/%{name} %changelog +* Fri Sep 2 2022 douyan - 2.0.0-4 +- fix CVE-2022-21680 + * Thu Jun 2 2022 peijiankang - 2.0.0-3 - Init Package for openEuler
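Review bot: The regression fixture for the `def` rule is added as `test/specs/redos/cubic_def.cjs`, and that extension looks carried over from a later ESM-era release. If the 2.0.0 spec loader only collects `.md`, `.js` and `.json` fixtures, this case is skipped silently and `npm run test` in the spec says nothing about whether the `block.def` change removed the backtracking. Confirm the fixture is actually executed, or rename it to `cubic_def.js`. Separately, the `reflink`/`nolink` rewrite and the `reflink_redos` fixtures concern `reflinkSearch`, a different rule from `def`. If upstream tracks that under its own advisory, name it in the patch file and the changelog so vulnerability scanners record both as fixed.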
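Review bot: `%patch1 -p1` only changes `src/rules.js`, so anything shipped prebuilt from the tarball rather than regenerated would still carry the old backtracking regexes. The hunk shows `marked.min.js` being deleted, but the step that produces what is installed under `%{_jsdir}/%{name}` lies outside it; confirm that file is built from the patched `src/` tree. Searching the installed files for the old `def` pattern after the build is a cheap way to verify this. As a smaller point, the numbered `%patch1` form is deprecated in newer rpm, and `%patch -P1 -p1` is the forward-compatible spelling.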