Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
This affects all versions of package markdown-it-decorate. An attacker can add an event handler or use javascript:xxx for the link.
Advisories for Npm/Markdown-It-Decorate package
2022