There are apparent security issues in marked==0.3.6, 0.3.7. The solution is to upgrade to 0.3.9 or better. 0.3.12 appears to be the latest. Adding esdoc as a dev dependency to my project causes me to have to use npm-shrinkwrap.json to force marked to update, which is a bit less than desirable.
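A check for the situation reported above, as an added example that is not part of the original report or of the esdoc or marked projects: it walks the nested `dependencies` tree of a parsed npm-shrinkwrap.json and lists every copy of marked below 0.3.9, with the path that pulled it in. The function names and the sample lockfile (including the esdoc version string) are constructed for illustration.

```javascript
'use strict';

// First release the report names as safe to upgrade to.
const MIN_FIXED = [0, 3, 9];

// Parse "0.3.6" (ignoring any prerelease/build suffix) into [0, 3, 6].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a is strictly lower than version b (numeric, per field).
function isLower(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the nested "dependencies" objects and collect every copy of `name`
// below `minFixed`. Unparseable versions are reported for manual review.
function findOutdated(lock, name = 'marked', minFixed = MIN_FIXED, trail = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(lock.dependencies || {})) {
    const path = trail.concat(dep);
    const parsed = parseVersion(info.version);
    if (dep === name && (parsed === null || isLower(parsed, minFixed))) {
      hits.push({ path: path.join(' > '), version: info.version });
    }
    hits.push(...findOutdated(info, name, minFixed, path));
  }
  return hits;
}

// Constructed sample: a current top-level marked, and an old copy nested
// under esdoc (the esdoc version string is a placeholder, not a real release).
const sampleLock = {
  name: 'my-project',
  dependencies: {
    marked: { version: '0.3.12' },
    esdoc: {
      version: '0.0.0-sample',
      dependencies: { marked: { version: '0.3.6' } },
    },
  },
};

for (const hit of findOutdated(sampleLock)) {
  console.log(`${hit.path} @ ${hit.version} is below 0.3.9`);
}
```

To audit a real project, pass the result of `JSON.parse` on the contents of npm-shrinkwrap.json to `findOutdated`; a nested hit means the shrinkwrap override has not reached that copy.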