Don't use marked
With all love to the maintainers, who are good people and are to some extent bound by their obligation to maintain compatibility, I just have to put it out there: if you have a new JavaScript/TypeScript project and you need to parse or render Markdown, why are you using marked
?
In my mind, there are a few high priorities for Markdown parsers:
- Security: marked isn’t secure by default. Yes, you can absolutely run DOMPurify on its output, but will you forget? Sure!
- Standards: it’s nice to follow Commonmark! The original Markdown specification was famously permissive and imprecise. If you want to be able to switch Markdown renderers in the future, it’s going to be a lot nicer if you have a tight standard to rely on, to guarantee that you’ll get the same output.
- Performance: Markdown rendering probably isn’t a bottleneck for your application, but it shouldn’t be.
So, yeah. Marked is pretty performant, but it’s not secure, it’s doesn’t follow a standard - we can do better!
Use instead:
- micromark: the “micro” Markdown parser primarily by wooorm, which is tiny, follows Commonmark. It’s great. Solid default.
- remark: the most extensible Markdown parser you could ever imagine, also by wooorm.
- markdown-it: don’t like wooorm’s style? markdown-it is pretty good too, secure by default, and commonmark-supporting.
marked is really popular. It used to be the best option. But there are better options, use them!