fix(deps): update dependency katex to ^0.16.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
katex (source)	^0.11.1 -> ^0.16.0

GitHub Vulnerability Alerts

CVE-2024-28245

Impact

KaTeX users who render untrusted mathematical expressions could encounter malicious input using \includegraphics that runs arbitrary JavaScript, or generate invalid HTML.

Patches

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Workarounds

• Avoid use of or turn off the trust option, or set it to forbid \includegraphics commands.
• Forbid inputs containing the substring "\\includegraphics".
• Sanitize HTML output from KaTeX.

Details

\includegraphics did not properly quote its filename argument, allowing it to generate invalid or malicious HTML that runs scripts.

For more information

If you have any questions or comments about this advisory:

• Open an issue or security advisory in the KaTeX repository
• Email us at katex-security@mit.edu

CVE-2024-28246

Impact

Code that uses KaTeX's trust option, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate javascript: links in the output, even if the trust function tries to forbid this protocol via trust: (context) => context.protocol !== 'javascript'.

Patches

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Workarounds

• Allow-list instead of block protocols in your trust function.
• Manually lowercase context.protocol via context.protocol.toLowerCase() before attempting to check for certain protocols.
• Avoid use of or turn off the trust option.

Details

KaTeX did not normalize the protocol entry of the context object provided to a user-specified trust-function, so it could be a mix of lowercase and/or uppercase letters.

It is generally better to allow-list by protocol, in which case this would normally not be an issue. But in some cases, you might want to block-list, and the KaTeX documentation even provides such an example:

Allow all commands but forbid specific protocol: trust: (context) => context.protocol !== 'file'

Currently KaTeX internally sees file: and File: URLs as different protocols, so context.protocol can be file or File, so the above check does not suffice. A simple workaround would be:

trust: (context) => context.protocol.toLowerCase() !== 'file'

Most URL parsers normalize the scheme to lowercase. For example, RFC3986 says:

Although schemes are case-insensitive, the canonical form is lowercase and documents that specify schemes must do so with lowercase letters. An implementation should accept uppercase letters as equivalent to lowercase in scheme names (e.g., allow "HTTP" as well as "http") for the sake of robustness but should only produce lowercase scheme names for consistency.

CVE-2024-28243

Impact

KaTeX users who render untrusted mathematical expressions could encounter malicious input using \edef that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow.

Patches

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Workarounds

Forbid inputs containing the substring "\\edef" before passing them to KaTeX.
(There is no easy workaround for the auto-render extension.)

Details

KaTeX supports an option named maxExpand which prevents infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. However, what counted as an "expansion" is a single macro expanding to any number of tokens. The expand-and-define TeX command \edef can be used to build up an exponential number of tokens using only a linear number of expansions according to this definition, e.g. by repeatedly doubling the previous definition. This has been corrected in KaTeX v0.16.10, where every expanded token in an \edef counts as an expansion.

For more information

If you have any questions or comments about this advisory:

• Open an issue or security advisory in the KaTeX repository
• Email us at katex-security@mit.edu

---

Release Notes

KaTeX/KaTeX (katex)

v0.16.10

Compare Source

Bug Fixes

• \edef bypassing maxExpand via exponential blowup (e88b4c3)
• escape \includegraphics src and alt (c5897fc)
• force protocol to be lowercase for better protocol filtering (fc5af64), closes /datatracker.ietf.org/doc/html/rfc3986#section-3
• maxExpand limit with Unicode sub/superscripts (085e21b)

v0.16.9

Compare Source

Features

• Support bold Fraktur (#​3777) (240d5ae)

v0.16.8

Compare Source

Features

• expose error length and raw error message on ParseError (#​3820) (710774a)

v0.16.7

Compare Source

Bug Fixes

• docs/support_table.md: delete redundant "varPsi" (#​3814) (33a1b98)

v0.16.6

Compare Source

Bug Fixes

• Support \let via macros option (#​3738) (bdb0be2), closes #​3737 #​3737

v0.16.5

Compare Source

Features

• __defineFunction API exposing internal defineFunction (#​3805) (c7b1f84), closes #​3756

v0.16.4

Compare Source

Bug Fixes

• space should prevent optional argument to \ (#​3746) (a0deb34), closes #​3745

v0.16.3

Compare Source

Bug Fixes

• \hline after \cr (#​3735) (ebf6bf5), closes #​3734

v0.16.2

Compare Source

Bug Fixes

• auto-render: concatenate content of successive text nodes (#​3422) (4d3fdd8)
• Implement \pmb via CSS text-shadow (#​3505) (176552a)

v0.16.1

Compare Source

Bug Fixes

• Use SVGs for some stacked delims (#​3686) (8a65a2e)

v0.16.0

Compare Source

Bug Fixes

• copy-tex: Use JS (instead of CSS) to select full equation, solving display glitches (#​3586) (8c2d852)

BREAKING CHANGES

• copy-tex: copy-tex extension no longer has (or requires) a CSS file.

0.15.6 (2022-05-20)

Features

• Support \Braket, \set, and \Set (#​3214) (9e3ae4d)

0.15.5 (2022-05-20)

Bug Fixes

• Avoid crash when \ce{} is empty (#​3627) (4865e45)

0.15.4 (2022-05-20)

Features

• Support Unicode (sub|super)script characters (#​3633) (d8fc35e)

0.15.3 (2022-03-13)

Bug Fixes

• Apply operator spacing to Unicode ∙ ∘ ∖ (#​3584) (b362fc0)

0.15.2 (2022-01-12)

Bug Fixes

• \mathinner MathML when invoked as a denominator. (#​3501) (1f85125), closes #​3500

0.15.1 (2021-10-31)

Features

• \nonumber/\notag support, \tag per row of {align} (#​2952) (52c4778), closes #​2950 #​2379

v0.15.6

Compare Source

Features

• Support \Braket, \set, and \Set (#​3214) (9e3ae4d)

v0.15.5

Compare Source

Bug Fixes

• Avoid crash when \ce{} is empty (#​3627) (4865e45)

v0.15.4

Compare Source

Features

• Support Unicode (sub|super)script characters (#​3633) (d8fc35e)

v0.15.3

Compare Source

Bug Fixes

• Apply operator spacing to Unicode ∙ ∘ ∖ (#​3584) (b362fc0)

v0.15.2

Compare Source

Bug Fixes

• \mathinner MathML when invoked as a denominator. (#​3501) (1f85125), closes #​3500

v0.15.1

Compare Source

Features

• \nonumber/\notag support, \tag per row of {align} (#​2952) (52c4778), closes #​2950 #​2379

v0.15.0

Compare Source

Features

• implement \relax as no-op function (#​3384) (40109f6)

BREAKING CHANGES

• \relax is now implemented as a function. It'll stop
  expansions and parsing, so the behavior around \relax may change.
  For example, \kern2\relax em will no longer work.

0.14.1 (2021-10-30)

Bug Fixes

• Settings: use schema (#​3375) (b58a432)

v0.14.1

Compare Source

Bug Fixes

• Settings: use schema (#​3375) (b58a432)

v0.14.0

Compare Source

Features

• conditionally export ECMAScript modules (#​3377) (15ee9b4)

BREAKING CHANGES

• With module loaders that support conditional exports
  and ECMAScript modules, import katex from 'katex'; will import the
  ECMAScript module.

You can now use:

Before	After
require('katex/dist/contrib/[name].js')	require('katex/contrib/[name]')
import katex from 'katex/dist/katex.mjs'	import katex from 'katex'
import 'katex/dist/contrib/[name].mjs'	import 'katex/contrib/[name]'

0.13.24 (2021-10-30)

Bug Fixes

• round dimensions to 4 places (#​2460) (09ee1c8)

0.13.23 (2021-10-30)

Bug Fixes

• fonts: correct width of \cong glyph, fix \boldsymbol{\cong} (#​3206) (35db4ff), closes #​2199

0.13.22 (2021-10-30)

Bug Fixes

• deps: update dependency commander to v8 [skip netlify] (#​3374) (4df1922)

0.13.21 (2021-10-29)

Bug Fixes

• fonts: fix the timestamp of fonts to the epoch (#​3370) (dde05db)

0.13.20 (2021-10-26)

Performance Improvements

• Avoid vertical-align:0em style (#​3358) (6d6d627), closes #​3351

0.13.19 (2021-10-26)

Features

• cli: --trust flag for trusting cli input (#​3339) (503f7d7), closes #​2428

0.13.18 (2021-09-02)

Features

• unicode support for minus and asterisk operators (#​3227) (9dbfc1c), closes #​3225

0.13.17 (2021-09-01)

Bug Fixes

• fonts: remove hints from unknown symbols (#​3222) (9420f8a), closes #​3219

0.13.16 (2021-08-28)

Bug Fixes

• \char support for >16-bit Unicode characters (#​3006) (ff1734f), closes #​3004
• remove local macros upon parse error (#​3114) (a6f29e3), closes #​3122

0.13.15 (2021-08-28)

Features

• text-mode cedilla accent via \c (#​3036) (952fb84), closes #​638

0.13.14 (2021-08-28)

Bug Fixes

• fonts: update fonts dependencies (#​2866) (ea409ea)

0.13.13 (2021-07-21)

Bug Fixes

• add namespace for svg, making output XHTML+SVG+MathML compatible (#​2725) (35ff5ac)

0.13.12 (2021-07-21)

Bug Fixes

• Correct invalid box-sizing property, adjusting spacing of \angl (#​3053) (910e523), closes #​3052

0.13.11 (2021-05-14)

Bug Fixes

• matrix environment with zero or inconsistent columns (#​3018) (f779bac), closes #​3017

Features

• Allow text-mode accents in math mode, except in strict mode (#​3009) (0e9acce), closes #​2983

0.13.10 (2021-05-12)

Bug Fixes

• Correct for negative margin in integrand lower limits (#​2987) (9b4acc9)

0.13.9 (2021-05-07)

Bug Fixes

• MathML for stretchy accents. #​2990 (#​2991) (1cb6279)

0.13.8 (2021-05-06)

Features

• \operatornamewithlimits (and clean up \operatorname support) (#​2984) (e9b751b)

0.13.7 (2021-05-06)

Bug Fixes

• binom delimiter size in scriptscriptstyle. (#​2976) (980b004)

0.13.6 (2021-05-06)

Bug Fixes

• Correctly parse \ followed by whitespace (#​2877) (c85250d), closes #​2860

0.13.5 (2021-05-02)

Bug Fixes

• Support \S and \P in math mode (#​2977) (3f7163d)

0.13.4 (2021-05-02)

Bug Fixes

• Avoid crash when \operatorname has \limits (#​2979) (fbda0b1)

0.13.3 (2021-04-24)

Bug Fixes

• Respect catcode in macro expansion and set ~'s catcode correctly (#​2949) (01ae7f8), closes #​2924
• array: Keep single empty row in AMS environments (#​2947) (24332e0), closes #​2944

0.13.2 (2021-04-06)

Bug Fixes

• update version and SRI in dist/README.md (#​2905) (319c52d)

0.13.1 (2021-04-05)

Bug Fixes

• Protect fraction bars from CSS border-color (#​2870) (2f62c0d)

[v0.13.0]

See https://github.com/KaTeX/KaTeX/issues/2490 for breaking changes and migration guide!

Bug Fixes

• fix: Remove topEnv parameter. (#​2712)
• fix(builder): combine characters together in all expressions (#​2080)
• fix: Prevent global group from adversely affecting color. (#​2703)
• fix: Use SVGs to avoid gaps in tall delimiters. (#​2698)
• fix: rewrite of splitAtDelimiters.js -- new fix for #​2523 (#​2679)
• fix: Improve MathML for math operators with subscripts (#​2596)
• fix: Remove premature CD screenshotter images (#​2641)
• fix: Support Armenian characters (#​2618)
• fix: MathML \lim\limits in Safari (#​2556)
• fix: Support MathML \oiint and \oiiint (#​2461)
• fix: \injlim typo (#​2459)

Features

• feat: Support \underbar (#​2713)
• feat: Add {CD} to auto-render. (#​2710)
• feat: Set Auto-render to recognize AMS environments without $$…$$ delimiters. (#​2701)
• feat: Support {CD} (#​2396)
• feat: Support \vcenter and \hbox (#​2452)
• feat(function): add allowedInArgument instead of greediness property (#​2134)
• feat: Support matrix*, pmatrix*, bmatrix*, Bmatrix*, vmatrix*, and Vmatrix*. (#​2488)
• feat(macro): improve argument parsing (#​2085)
• feat: support AMS log-like symbols (#​2429)
• feat: support Unicode ◯, U+25EF (#​2430)
• feat: Support \phase (#​2406)
• feat: Support \mathstrut (#​2416)
• feat: support {equation}, {equation*}, and {split} (#​2369)
• feat(css): use postcss-preset-env (#​2313)
• feat: support {align}, {align*}, {alignat}, and {alignat*} (#​2341)
• Support {gather} and {gather*} (#​2183)
• feat: support MathML \big, \bigg, \Big, and \Bigg (#​2332)
• feat: support \angl and \angln (#​2334)
• Support \origof and \imageof (#​2283)

Documentation

• docs: Add TiddlyWiki to list of users (#​2765)
• docs: Fix fallback CSS classes (#​2809)
• docs: Rearrange environment documentation. (#​2700)
• docs: Explain how to make macros persist. (#​2702)
• docs: Revise placement of colonequals in Relations table (#​2704)
• docs: delete stray backtick (#​2680)
• docs: Add colonequals functions to docs (#​2651)
• docs: add new user link (#​2597)
• fix: typo in example on homepage (#​2577)
• docs: Add \char to support_table. (#​2620)
• docs: Update \operatorname in supported_table.md 0.12.0 (#​2571)
• docs: Fix documentation typo in operatorname* (#​2570)
• docs: add warning re:defer to mhchem documentation (#​2485)
• docs: update Gatsby logo and link (#​2481)
• docs: add MonsterWriter to the users page (#​2478)
• docs: add comment re: \arrowvert (#​2449)
• docs: add link to Discussions (#​2405)
• Update \color documentation (#​2370)
• docs: add Marker as a KaTeX user (#​2329)

Other Changes

• ci: run screenshotter in container (#​2644)
• ci: setup CodeQL code scanning (#​2645)
• fix(browserslist): remove Chrome 49, Samsung 4, and Node (#​2591)
• chore: add devcontainer.json (#​2545)
• Configure Renovate (#​2493)
• ci: don't persist credentials and run scripts (#​2450)
• build: upgrade Yarn to 2.2.0 (#​2477)
• build: make vscode work with PnP (#​2444)
• refactor: Delete obsolete comment re: mn elements (#​2472)
• test: lint all js files and inline scripts in workflow (#​2442)
• refactor: Delete obsolete comment re: limsup (#​2464)
• ci: migrate to GitHub Actions from CircleCI, allow running Browserstack on forked repo via label (#​2417)
• ci: enable Dependabot for website, submodules, and GitHub Actions (#​2424)
• test: add missing screenshots for safari (#​2423)
• ci: fix Dependabot autofix (#​2400)
• chore: don't include dist in the release commit (#​2385)
• ci: autofix Dependabot commits (#​2394)
• chore(screenshotter): support Browserstack and test on Safari 13.1 (#​2306)
• chore: enable Gitpod (#​2335)
• chore: migrate to Yarn 2 (#​2316)
• test: mock console implementation (#​2363)
• Update LICENSE year (#​2374)
• test(screenshotter): move coverage to Jest (#​2324)
• Fix test/symgroups.js (#​2314)
• Use base revision provided by CircleCI (#​2309)
• Delete bower.json (#​2372)
• Enable a MathML option in the KaTeX demo. (#​2371)
• Create dependabot.yml (#​2311)
• Run screenshotter using Chrome 83 and Firefox 76 (#​2304)

[v0.12.0]

Added

• globalGroup option to place definitions in global scope (#​2091)
• \cal (#​2116)
• {rcases} and {drcases} (#​2149)
• HTML extension (#​2082)
  • HTML extension can be enabled using strict and trust setting. See https://katex.org/docs/options.html for more details. Please review its security implication before enabling the extension.
• \message, \errmessage, and \show for debugging (#​2135)
• bra-ket notation (#​2162)
• \expandafter, \noexpand, \edef, \let, and \long (#​2122)
• Support MathML display mode (#​2220)
• \minuso (#​2213)

Changed

• Update documentation (#​2086, #​2108, #​2107, #​2106, #​2143, #​2178, #​2195, #​2231, #​2239, #​2263, #​2279, #​2289, #​2280. #​2269, #​2294, #​2296, #​2297)
• mathtex-script: Use html 'defer' attribute (#​2069)
• auto-render: do not touch text nodes w/o formulas (#​2154)
• Move \global and \def to functions (#​2138)
• Cleanup font build scripts & font updates (#​2155, #​2171, #​2156)
  • BREAKING CHANGE: old-style numerals are now available via \mathnormal instead of \mathcal
• Upgrade minimum development Node version to v10 (#​2177)

Removed

• BREAKING CHANGE: IE 9/10 support (#​2136)

Fixed

• Set border-collapse: collapse in vlist, fix misalignment in table (#​2103)
• \@​ifnextchar consumes spaces (#​2118)
• Add spacing on left of fleqn display math (#​2127)
• Fix \boxed inherited color (#​2130)
• Fix laps having visible width in Safari (#​1919)
• Improve MathML for corners (#​1922)
• auto-render: ignore "option" tags (#​2180)
• Fix delimiter error message (#​2186)
• Fix under accent depth (#​2252)
• Enable empty environment (#​2258)
• Enable an empty \substack (#​2278)
• Fix jagged parentheses (#​2234)
• \boldsymbol not italic for textords such as Greek (#​2290, #​2299)
• Protect fraction bars from CSS border-color (#​2292)
• Reset to leftmost spacing mode after newline (#​1841)
• Fix missing metrics for space (0x20) and no-break space (0xa0) (#​2298)

[v0.11.1]

Changed

• [Security] Bump mixin-deep from 1.3.1 to 1.3.2 (#​2090)
• [Security] Bump eslint-utils from 1.3.1 to 1.4.2 (#​2089)

Fixed

• Fix parse timing by separating consume() into fetch() and consume() (#​2054)
• Use current font for accents (#​2066)
• Fix \gray's macro definition (#​2075)

[v0.11.0]

Added

• BREAKING CHANGE: trust setting to indicate whether input text is trusted (#​1794)
  • \href and \url will break without adjusting the trust setting
• Add test for double square brackets to katex-spec (#​1956)
• Add option to render only MathML so that its visible (#​1966)
• Support {smallmatrix}, {subarray}, and \substack (#​1969)
• Enable minRuleThickness in rendering options (#​1964)
• Add \plim (#​1952)
• Support Unicode \digamma (#​2010)
• Support \operatorname* (#​1899)
• Support \includegraphics, with appropriate trust setting (#​2053)
• Add render-a11y-string add-on (#​2062)

Changed

• DOC: Fix path to built file (#​1976)
• Remove unclosed TODO comment (#​1979)
• Add "Tutti Quanti Shelf" app to users page (#​1997)
• Document mhchem \cf not supported (use \ce instead) (#​2008)
• Replace greenkeeper badge with dependabot badge (#​2022)
• Add Unicode digamma to documentation (#​2045)
• Add katex-expression to libs page (#​2049)
• Suggest in documentation (#​2052)
• Unicode characters in math render in text mode (#​2040)

Fixed

• Improve output of fonts in MathML (#​1965)
• Fix \pmb (#​1924)
• \color affects following \right, put array cells in their own groups (#​1845)
• Improve MathML for classes (#​1929)
• Prevent gaps in tall delimiters (#​1986)
• Fix \sqrt SVG path (#​2009)
• Do not force sizing groups to display inline-block (#​2044)
• Fix font choice in operators like \log (e.g. \boldsymbol{\log}) (#​2041)
• Fix argument font sizing in \fbox and \raisebox, fix font sizing in \TeX, \LaTeX, \KaTeX (#​1787)

[v0.10.2]

Added

• Approximate font metrics only when metrics don't exist (#​1898)
• Add KaTeX version to stylesheet and troubleshooting guide (#​1893)
• Add symbol double square brackets (#​1947, #​1954)
• Support double-square curly braces (#​1953)

Changed

• Upgrade minimum development Node version to v8 (#​1861)
• Disable @​babel/env debug (#​1874)
• Add issue templates (#​1862)
• Added 'katex-element' (#​1905)
• Fix Users' logo and url (#​1896)
• Load fonts before running screenshotter (#​1891)
• Add Browserstack logo (#​1879)
• Added Android library (#​1943)
• Move custom colors used by Khan into macros.js (#​1933)
• Test for duplicate symbols/macros (#​1955)
• Include extensions mhchem & copy-tex in home-page (#​1932)

Fixed

• Fix \Rho (#​1870)
• Fix nested \dfrac (#​1825)
• Improve MathML accents (#​1877)
• Improve MathML for \overset, \stackrel, and \underset (#​1886)
• Fix \not (U+E020) RBearing (width) (#​1878)
• Fix ApplyFunction character (#​1890)
• Improve MathML for \limits (#​1897)
• Improve MathML for \hphantom and \vphantom (#​1883)
• Improve MathML for \coloneqq, \dblcolon, \eqcolon, and \eqqcolon (#​1889)
• Improve MathML for \brace (#​1884)
• Fix \middle spacing (#​1906)
• Get a tall \middle\vert from MathML (#​1911)
• Improve more coloneq (#​1902)
• Make \smallint small in \displaystyle (#​1907)
• Improve MathML for characters in Unicode private use area (#​1908)
• Improve MathML for extensible arrows (#​1901)
• Improve MathML for \rule (#​1912)
• Improve MathML for fractions (#​1882)
• Improve MathML for \tag (#​1915)
• Improve MathML for \colorbox and \fcolorbox (#​1914)
• Improve MathML for environments (#​1910)
• Improve MathML for \genfrac barline (#​1925)
• Support \textup and \textmd (#​1921)
• Improve MathML for \not (#​1923)
• Improve MathML for \Bbbk (#​1930)
• Prevent inadvertent tall delims (#​1948)

Removed

• Re-added code for \includegraphics but disabled the function until trust settings is merged (#​1951)

[v0.10.1]

Added

• ECMAScript module for contrib (#​1624)
• mhchem extension (#​1436)
• auto-render: optional pre-process callback (#​1784)
• \argmax and \argmin (#​1820)
• \textbackslash and \textasciicircum (#​1839)
• leqno and fleqn support (#​1814)

Changed

• Include only necessary fonts for target environment specified by Browserslist (#​1674)

Fixed

• Support blackboard bold in text mode (#​1757)
• Fix spacings in semisimple groups (#​1706)
• Fix parsing comments (#​1789)
• Fix \ and \newline after operator (#​1796)
• Fix \hphantom width (#​1809)
• Remove double encoding in MathML (#​1813)
• Fix Unicode bigcup (#​1836)
• Fix \genfrac w/ empty delimiter arguments (#​1816)
• \fbox inherits default color (#​1847)
• Fix \not and \neq on Chrome 72 (#​1852)

[v0.10.0]

Added

• Unicode: °, delimiters, 1D400-1D7FF, \ll, \lll, ≘≙≚≛≝≞≟, Unicode Mathematical Alphanumeric Symbols, ⟂ ¬ ⊨ ‼ ∌ ≲ ⩽ ⪅ ≶ ⋚ ⪋, corner, ⟦⟧ (#​1203, #​1207, #​1260, #​1273, #​1274, #​1232, #​1377, #​1389, #​1459, #​1750)
• \yen support on text mode (#​1208)
• \( (#​1213)
• Add defineSymbol to the main katex object (#​1263)
• Capital Greek letters (#​1283, #​1285)
• Add version to katex object (#​1279, #​1475)
• \copyright, \textregistered, \textcircled (#​1073)
• Tilde \textasciitilde (#​1286)
• Line breaks for inline formulas (#​1287)
• \hline (#​1306)
• Top-level \newline and \\ in inline math (#​1298)
• Strict mode, unicode text in math mode (#​1117, #​1278)
• Strict setting for \newline display-mode behavior (#​1314)
• Allow all Unicode symbols in nonstrict mode (#​1217)
• \tag, \tag*, and \gdef (#​1309)
• \def, \gdef, and \global\def (#​1348, #​1425)
• Change default maxExpand limit to 1000 (#​1383)
• \cfrac (#​1392)
• \arraystretch as a macro definition (#​1381)
• Add ability to create a dashed vertical line in arrays, using ':' (#​1395)
• \widecheck (#​1406)
• \hdashline (#​1407)
• \newcommand, \renewcommand, \providecommand (#​1382)
• Add a utility function (setFontMetrics) to extend builtin fontMetrics (#​1269)
• \oiint and \oiiint (#​1430)
• Remove match-at dependency, use RegExp for lexer (#​1447)
• \brace and \brack (#​1453)
• Allow only allowed protocols in \href (#​1440)
  • BREAKING CHANGE: Only "http", "https", "mailto", and relative URLs are allowed in \href and \url by default.
• \genfrac and \above (#​1455, #​1458)
• \char character escaping and nicer MathML via \html@mathml (#​1454)
• @​binrel (#​1487)
• \pmb (#​1418)
• KaTeX website & documentation (#​1484, #​1515, #​1518, #​1514, #​1526, #​1516, #​1519, #​1527, #​1564, #​1566, #​1584, #​1571, #​1642, #​1680, #​1683, #​1688, #​1631, #​1727)
• Improve supported functions documentation (#​1511, #​1517, #​1532, #​1533, #​1576, #​1556, #​1580, #​1602)
• Alpha sorted function support page (#​1536)
• MediaWiki (texvc) (#​1558)
• Add ignore option for class names in auto-render (#​1555)
• ScrollSpy for table of contents in the documentation (#​1557, #​1567, #​1568)
• Build ECMAScript modules (#​1479, #​1622, #​1653)
• Enable environment variable USE_TTF to disable bundling TTF fonts (#​1600)
• List of KaTeX users (#​1569, #​1579)
• Browserslist (#​1662)
• 6-digit color without # (#​1690)
• \mathnormal (#​1700)
• \lparen and \rparen (#​1741)
• \> (#​1752)

Changed

• Port to @​flow: delimiter, spacingData, unicodeSymbols, buildHTML, buildMathML, parseNode, defineFunction, CssStyle (#​1177, #​1195, #​1206, #​1239, #​1247, #​1276, #​1312, #​1324, #​1361, #​1373, #​1393, #​1386, [#​1387](https://togith

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.