Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency markdown-it to v13 [SECURITY] - abandoned #25

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency markdown-it to v13 [SECURITY] - abandoned #25

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Mar 7, 2022
edited

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
markdown-it ^8.3.0 -> ^13.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-21670

Impact

Special patterns with length > 50K chars can slow down parser significantly.

const md = require('markdown-it')();

md.render(`x ${' '.repeat(150000)} x  \nx`);

Patches

Upgrade to v12.3.2+

Workarounds

No.

References

Fix + test sample: markdown-it/markdown-it@ffc49ab

Release Notes

markdown-it/markdown-it

v13.0.1

Compare Source

Fixed
  • Bumped linkify-it to 4.0.1. That should fix some hangs, caused by wrong
    data, returned from linkify-it.

v13.0.0

Compare Source

Added
  • Added a new token type text_special to store escaped characters, same as text but
    unaffected by replacement plugins (smartquotes, typographer, linkifier, etc.).
  • Added a new rule text_join in core ruler. Text replacement plugins may choose to
    insert themselves before it.
Changed
  • (p) is no longer replaced with § by typographer (conflicts with ℗), #​763.
  • text_collapse rule is renamed to fragments_join.
Fixed
  • Smartquotes, typographic replacements and plain text links can now be escaped
    with backslash (e.g. \(c) or google\.com are no longer replaced).
  • Fixed collision of emphasis and linkifier (so http://example.org/foo._bar_-_baz
    is now a single link, not emphasized). Emails and fuzzy links are not affected by this.

v12.3.2

Compare Source

Security

v12.3.1

Compare Source

Fixed
  • Fix corner case when tab prevents paragraph continuation in lists, #​830.

v12.3.0

Compare Source

Changed
  • StateInline.delimiters[].jump is removed.
Fixed
  • Fixed quadratic complexity in pathological ***<10k stars>***a***<10k stars>*** case.

v12.2.0

Compare Source

Added
  • Ordered lists: add order value to token info.
Fixed
  • Always suffix indented code block with a newline, #​799.

v12.1.0

Compare Source

Changed
  • Updated CM spec compatibility to 0.30.

v12.0.6

Compare Source

Fixed
  • Newline in alt should be rendered, #​775.

v12.0.5

Compare Source

Fixed
  • HTML block tags with === inside are no longer incorrectly interpreted as headers, #​772.
  • Fix table/list parsing ambiguity, #​767.

v12.0.4

Compare Source

Fixed
  • Fix crash introduced in 12.0.3 when processing strikethrough (~~) and similar plugins, #​742.
  • Avoid fenced token mutation, #​745.

v12.0.3

Compare Source

Fixed
  • [](<foo<bar>) is no longer a valid link.
  • [](url (xxx()) is no longer a valid link.
  • [](url\ xxx) is no longer a valid link.
  • Fix performance issues when parsing links (#​732, #​734), backticks, (#​733, #​736),
    emphases (#​735), and autolinks (#​737).
  • Allow newline in <? ... ?> in an inline context.
  • Allow <meta> html tag to appear in an inline context.

v12.0.2

Compare Source

Fixed
  • Three pipes (|\n|\n|) are no longer rendered as a table with no columns, #​724.

v12.0.1

Compare Source

Fixed
  • Fix tables inside lists indented with tabs, #​721.

v12.0.0

Compare Source

Added
  • .gitattributes, force unix eol under windows, for development.
Changed
  • Added 3rd argument to highlight(code, lang, attrs), #​626.
  • Rewrite tables according to latest GFM spec, #​697.
  • Use rollup.js to browserify sources.
  • Drop bower.json (bower reached EOL).
  • Deps bump.
  • Tune specsplit.js options.
  • Drop Makefile in favour of npm scrips.
Fixed
  • Fix mappings for table rows (amended fix made in 11.0.1), #​705.
  • %25 is no longer decoded in beautified urls, #​720.

v11.0.1

Compare Source

Fixed
  • Fix blockquote lazy newlines, #​696.
  • Fix missed mappings for table rows, #​705.

v11.0.0

Compare Source

Changed
  • Bumped linkify-it to 3.0.0, #​661 + allow unlimited . inside links.
  • Dev deps bump.
  • Switch to nyc for coverage reports.
  • Partially moved tasks from Makefile to npm scripts.
  • Automate web update on npm publish.
Fixed
  • Fix em- and en-dashes not being typographed when separated by 1 char, #​624.
  • Allow opening quote after another punctuation char in typographer, #​641.
  • Assorted wording & typo fixes.

v10.0.0

Compare Source

Security
  • Fix quadratic parse time for some combinations of pairs, #​583. Algorithm is
    now similar to one in reference implementation.
Changed
  • Minor internal structs change, to make pairs parse more effective (cost is
    linear now). If you use external "pairs" extensions, you need sync those with
    "official ones". Without update, old code will work, but can cause invalid
    result in rare case. This is the only reason of major version bump. With high probability you don't need to change your code, only update version dependency.
  • Updated changelog format.
  • Deps bump.

v9.1.0

Compare Source

Changed
  • Remove extra characters from line break check. Leave only 0x0A & 0x0D, as in
    CommonMark spec, #​581.

v9.0.1

Compare Source

Fixed
  • Fix possible corruption of open/close tag levels, #​466

v9.0.0

Compare Source

Changed
  • Updated CM spec compatibility to 0.29.
  • Update Travis-CI node version to actual (8 & latest).
  • Deps bump.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot changed the title Update dependency markdown-it to v12 [SECURITY] Update dependency markdown-it to v13 [SECURITY] Apr 25, 2022
@renovate renovate bot force-pushed the renovate/npm-markdown-it-vulnerability branch from ea35829 to 6158fc0 Compare April 25, 2022 02:23
@renovate
Copy link
Author

renovate bot commented Mar 25, 2023
edited

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate renovate bot changed the title Update dependency markdown-it to v13 [SECURITY] Update dependency markdown-it to v13 [SECURITY] - abandoned Feb 24, 2024
@renovate Renovate
Copy link
Author

renovate bot commented Feb 24, 2024

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@renovate-bot