Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update dependency markdown-it to v12 [security] #852

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented May 30, 2023

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
markdown-it 10.0.0 -> 12.3.2 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-21670

Impact

Special patterns with length > 50K chars can slow down parser significantly.

const md = require('markdown-it')();

md.render(`x ${' '.repeat(150000)} x  \nx`);

Patches

Upgrade to v12.3.2+

Workarounds

No.

References

Fix + test sample: markdown-it/markdown-it@ffc49ab


Release Notes

markdown-it/markdown-it (markdown-it)

v12.3.2

Compare Source

Security

v12.3.1

Compare Source

Fixed
  • Fix corner case when tab prevents paragraph continuation in lists, #​830.

v12.3.0

Compare Source

Changed
  • StateInline.delimiters[].jump is removed.
Fixed
  • Fixed quadratic complexity in pathological ***<10k stars>***a***<10k stars>*** case.

v12.2.0

Compare Source

Added
  • Ordered lists: add order value to token info.
Fixed
  • Always suffix indented code block with a newline, #​799.

v12.1.0

Compare Source

Changed
  • Updated CM spec compatibility to 0.30.

v12.0.6

Compare Source

Fixed
  • Newline in alt should be rendered, #​775.

v12.0.5

Compare Source

Fixed
  • HTML block tags with === inside are no longer incorrectly interpreted as headers, #​772.
  • Fix table/list parsing ambiguity, #​767.

v12.0.4

Compare Source

Fixed
  • Fix crash introduced in 12.0.3 when processing strikethrough (~~) and similar plugins, #​742.
  • Avoid fenced token mutation, #​745.

v12.0.3

Compare Source

Fixed
  • [](<foo<bar>) is no longer a valid link.
  • [](url (xxx()) is no longer a valid link.
  • [](url\ xxx) is no longer a valid link.
  • Fix performance issues when parsing links (#​732, #​734), backticks, (#​733, #​736),
    emphases (#​735), and autolinks (#​737).
  • Allow newline in <? ... ?> in an inline context.
  • Allow <meta> html tag to appear in an inline context.

v12.0.2

Compare Source

Fixed
  • Three pipes (|\n|\n|) are no longer rendered as a table with no columns, #​724.

v12.0.1

Compare Source

Fixed
  • Fix tables inside lists indented with tabs, #​721.

v12.0.0

Compare Source

Added
  • .gitattributes, force unix eol under windows, for development.
Changed
  • Added 3rd argument to highlight(code, lang, attrs), #​626.
  • Rewrite tables according to latest GFM spec, #​697.
  • Use rollup.js to browserify sources.
  • Drop bower.json (bower reached EOL).
  • Deps bump.
  • Tune specsplit.js options.
  • Drop Makefile in favour of npm scrips.
Fixed
  • Fix mappings for table rows (amended fix made in 11.0.1), #​705.
  • %25 is no longer decoded in beautified urls, #​720.

v11.0.1

Compare Source

Fixed
  • Fix blockquote lazy newlines, #​696.
  • Fix missed mappings for table rows, #​705.

v11.0.0

Compare Source

Changed
  • Bumped linkify-it to 3.0.0, #​661 + allow unlimited . inside links.
  • Dev deps bump.
  • Switch to nyc for coverage reports.
  • Partially moved tasks from Makefile to npm scripts.
  • Automate web update on npm publish.
Fixed
  • Fix em- and en-dashes not being typographed when separated by 1 char, #​624.
  • Allow opening quote after another punctuation char in typographer, #​641.
  • Assorted wording & typo fixes.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label May 30, 2023
Copy link
Contributor Author

renovate bot commented May 21, 2024

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 12.x releases. But if you manually upgrade to 12.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/npm-markdown-it-vulnerability branch May 21, 2024 14:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant