This repository has been archived by the owner on May 10, 2021. It is now read-only.

chore(deps): update dependency highlight.js to v9.18.2 [security] - autoclosed #4

Closed

renovate wants to merge 1 commit into master from renovate/npm-highlight.js-vulnerability

Contributor

renovate bot commented Nov 28, 2020

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
highlight.js (source)	`9.11.0` -> `9.18.2`

GitHub Vulnerability Alerts

CVE-2020-26237

Impact

Affected versions of this package are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable.

The pollution should just be harmless data but this can cause problems for applications not expecting these properties to exist and can result in strange behavior or application crashes, i.e. a potential DOS vector.

If your website or application does not render user provided data it should be unaffected.

Patches

Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release.

Workarounds

Patch your library

Manually patch your library to create null objects for both languages and aliases:

const HLJS = function(hljs) {
  // ...
  var languages = Object.create(null);
  var aliases = Object.create(null);

Filter out bad data from end users

Filter the language names that users are allowed to inject into your HTML to guarantee they are valid.

References

For more information

If you have any questions or comments about this advisory:

Please file an issue against highlight.js

Release Notes

highlightjs/highlight.js

`v9.18.1`

Grammar Improvements:

bug(coffeescript) fix freezing bug due to badly behaved regex (#2376) Josh Goebel

`v9.18.0`

New languages:

none.

New themes:

none.

Core Changes:

none.

Language Improvements:

(javascript) fix JSX self-closing tag issues (#2322) Josh Goebel
(fortran) added block and endblock keywords (#2343) Philipp Engel
(javascript) support jsx fragments (#2333) Josh Goebel
(ini) support TOML arrays, clean up grammar (#2335) Josh Goebel
(vbnet) add nameof operator to the keywords (#2329) Youssef Victor
(stan) updated with improved coverage of language keywords and patterns. (#1829) Jeffrey Arnold
enh(cpp) Detect namespaced function types (A::typeName func(...)) (#2332) Josh Goebel
enh(cpp) Detect namespaced functions also (A::functionName) (#2332) Josh Goebel
enh(cpp) Properly detect decltype(auto) (#2332) Josh Goebel
enh(cpp) recognize primitive types (int8_t, etc.) as function types (#2332) Josh Goebel

Developer Tools:

feat(developer): add button to show parsed structure (#2345) Nils Knappmeier

`v9.17.1`

Fixes:

fix(parser): resolve IE 11 issue with Object.freeze() (#2319) Josh Goebel

`v9.17.0`

New languages:

none.

New themes:

Gradient Dark by Samia Ali

Core Improvements:

chore(parser): switch from createElementNS to createElement (#2314) Josh Goebel
enh(parser): add better error when a language requirement is missing (#2311) Josh Goebel
fix(parser/docs): disallow self mode at the top-level of a language (#2294) Josh Goebel
enh(parser) add safe & debug modes. Better error handling for crash conditions. (#2286) Josh Goebel
fix(parser): Fix merger HTML attribute quoting (#2235) Josh Goebel
fix(parser): Look-ahead regex now work for end matches also (#2237) Josh Goebel
fix(parser): Better errors when a language is missing (#2236) Josh Goebel
fix(parser): freeze built-in modes to prevent grammars altering them (#2271) Josh Goebel
fix(themes): fix inconsistencies between some themes padding/spacing (#2300) Josh Goebel
ehh(build) Add CI check for building a "use strict" safe rollup package from NPM builds (#2247) Josh Goebel
fix(pkg): Prefix global addEventListener with window to be able to minify with closure compiler (#2305) Kirill Saksin

Language Improvements:

fix(sql): backslash is not used to escape in strings in standard SQL (#1748) Mike Schall
enh(ebnf) add backticks as additional string variant (#2290) Chris Marchesi
chore(javascript): add esm related extensions to aliases (#2298) Rongjian Zhang
fix(kotlin): fix termination of """ string literals (#2295) Josh Goebel
fix(mercury): don't change global STRING modes (#2271) Josh Goebel
enh(xml) expand and improve document type highlighting (#2287) w3suli
enh(ebnf) add underscore as allowed meta identifier character, and dot as terminator (#2281) Chris Marchesi
fix(makefile) fix double relevance for assigns, improves auto-detection (#2278) Josh Goebel
enh(xml) support for highlighting entities (#2260) w3suli
enh(gml) fix naming of keyword class (consistency fix) (#2254) Liam Nobel
enh(javascript): Add support for jsdoc comments (#2245) Milutin Kristofic
fix(python) fix if getting confused as an f-string (#2200) Josh Goebel and Carl Baxter
enh(powershell) major overhaul, huge improvements (#2224)
enh(css) Improve @rule highlighting, including properties (#2241) Josh Goebel
enh(css) Improve highlighting of numbers inside expr/func calc(2px+3px) (#2241)
enh(scss) Pull some of the CSS improvements back into SCSS (#2241)
fix(go): Fix escaped character literals (#2266) David Benjamin
fix(objectivec): Fix various preprocessor highlighting issues (#2265) David Benjamin
fix(objectivec): Handle multibyte character literals (#2268) David Benjamin
enh(cpp): Add additional keywords (#2289) Adrian Ostrowski

`v9.16.2`

New languages:
none.

New styles:
none.

Improvements:

fix(arduino) Resolves issue with arduino.js not being "use strict" safe (#2247)

`v9.16.1`

New languages:
none.

New styles:

Night Owl by Carl Baxter

Improvements:

Add CLI tool to quickly check for relevance conflicts Mark Ellis (#1554)
enhance(twig) update list of filter and tags (#2090)
fix(crystal): correctly highlight !~ method definition (#2222)
fix dropping characters if we choke up on a 0-width match (#2219)
(accesslog) improve accesslog relevancy scoring (#2172)
fix(shell): fix parsing of prompts with forward slash (#2218)
improve parser to properly support look-ahead regex in begin matchers (#2135)
blacklist super-common keywords from having relevance (#2179)
fix(swift): support for @dynamicMemberLookup and @propertyWrapper (#2202)
fix: endWithParent inside starts now always works (#2201)
fix(typescript): constructor in declaration doesn't break highlighting
fix(typescript): only match function keyword as a separate identifier (#2191)
feature(arduino) make arduino a super-set of cpp grammar
fix(javascript): fix object attributes immediately following line comments
fix(xml): remove vbscript as potential script tag subLanguage
fix(Elixir): improve regex for numbers
fix(YAML): improve matching for keys, blocks and numbers
fix(Pony): improve regex for numbers
fix(handlebars): add support for raw-blocks, and triple-mustaches(#2175)
fix(handlebars): fix parsing of block-comments containing closing mustaches (#2175)
fix(handlebars): add support for segment-literal notation, and escaped mustaches (#2184)
JSON: support for comments in JSON (#2016)
fix(cpp): improve string literal matching
fix(highlight.js): omit empty span-tags in the output (#2182)
fix(Go): improve function declaration matching
fix(python): added support for f-string literal curly braces (#2195)
fix(cpp): add future built-in (#1610)
fix(python): support comments within function parameters (#2214)

`v9.15.10`

New languages:
none.
New styles:
none.
Improvements:

support for ruby's squiggly heredoc (#2049)
support css custom properties (#2082)
fix(PureBASIC): update to 5.60 (#1508)
fix(Kotlin): parenthesized types in function declaration (#2107)
fix(Kotlin): nested comment (#2104)
fix(isbl): contains key typo (#2103)
fix(github-gist.css): match Github styles (#2100)
fix(elm): update to latest elm syntax (#2088)
fix: Support highlighting inline HTML and CSS tagged template strings in JS and TS (#2105)
feat(YAML): add YAML to common languages (#1952)
feat(xml): Add support for Windows Script File (.wsf), inline VBScript in XML script tags (#1690)

`v9.15.9`

Improvements:

fix(AutoHotkey): order and extended highlighting (#1579)
fix(Go): correctly highlight hex numbers, rather than stopping at last 'd' or 'f'. (#2060)
fix(Mathematica): Improvements to language (#2065)
fix(Node): Adds SCSS build (#2079)
fix(Rust): update keywords (#2052)
fix(Stata): Added keywords for the meta-analysis suite introduced in Stata 16 (#2081)
fix(Bash): escape double quotes (#2048)

`v9.15.8`

New languages:
none.
New styles:
none.
Improvements:

fix(bash): revert escaped double quotes - broke Firefox/Safari.

`v9.15.7`

New languages:
none.
New styles:
none.
Improvements:

fix(powershell): Add cmdlets (#2022)
fix(Bash): escaped double quotes (#2041)
fix(c++): add aliases 'hh', 'hxx', 'cxx' (#2017)
fix(ini/toml): Support comments on the same line. (#2039)
fix(JSX): not rendering well in a function without parentheses. (#2024)
fix(LiveCode): language definition update (#2021)
fix(markdown): indented lists (#2004)
fix(styles/school-book): don't style all the pre, use .hljs instead (#2034)
fix(JSX): Modify JSX tag detection to use XML language regex in place of simplistic \w+

`v9.15.6`

New languages:
none.
New styles:
none.
Improvements:

Move dependencies to be devDependencies.
Fixed security issues in dev dependencies.

`v9.15.5`

New languages:
none.
New styles:
none.
Improvements:
🔥 Hot fix: updated build tool.

`v9.15.2`

New languages:
none.
New styles:
none.
Improvements:
🔥 Hot fix that was preventing highlight.js from installing.

`v9.15.1`

New languages:
none.
New styles:
none.
Improvements:

support for ruby's squiggly heredoc (#2049)
support css custom properties (#2082)
fix(PureBASIC): update to 5.60 (#1508)
fix(Kotlin): parenthesized types in function declaration (#2107)
fix(Kotlin): nested comment (#2104)
fix(isbl): contains key typo (#2103)
fix(github-gist.css): match Github styles (#2100)
fix(elm): update to latest elm syntax (#2088)
fix: Support highlighting inline HTML and CSS tagged template strings in JS and TS (#2105)
feat(YAML): add YAML to common languages (#1952)
feat(xml): Add support for Windows Script File (.wsf), inline VBScript in XML script tags (#1690)

`v9.14.2`

New languages:
none.
New styles:
none.
Improvements:

Gauss fixed to stop global namespace pollution Scott Hyndman.
fix(Tcl): removed apostrophe string delimiters (don't exist)

`v9.14.1`

New languages:
none.
New styles:
none.
Improvements:

Pony: language improvements (#1958)

`v9.13.1`

Improvements:

C# function declarations no longer include trailing whitespace, by JeremyTCD
Added new and missing keywords to AngelScript, by Melissa Geels
TypeScript decorator factories highlighting fix, by Antoine Boisier-Michaud
Added support for multiline strings to Swift, by Alejandro Isaza
Fixed issue that was causing some minifiers to fail.
Fixed autoDetection to accept language aliases.

`v9.13.0`

New languages:

ArcGIS Arcade by John Foster
AngelScript by Melissa Geels
GML by meseta
isbl built-in language DIRECTUM and Conterra by Dmitriy Tarasov.
PostgreSQL SQL dialect and PL/pgSQL language by Egor Rogov.
ReasonML by Gidi Meir Morris
SAS by Mauricio Caceres Bravo
Plaintext by Egor Rogov
.properties by bostko and Egor Rogov

New styles:

a11y-dark theme by Eric Bailey
a11y-light theme by Eric Bailey
An Old Hope by Gustavo Costa
Atom One Dark Reasonable by Gidi Meir Morris
isbl editor dark by Dmitriy Tarasov
isbl editor light by Dmitriy Tarasov
Lightfair by Tristian Kelly
Nord by Arctic Ice Studio
🦄 Shades of Purple by Ahmad Awais

Improvements:

New attribute endSameAsBegin for nested constructs with variable names
by Egor Rogov.
Python highlighting of escaped quotes fixed by Harmon
PHP: Added alias for php7, by Vijaya Chandran Mani
C++ string handling, by David Benjamin
Swift Add @objcMembers to @attributes, by Berk Çebi
Infrastructural changes by Marcos Cáceres
Fixed metachars highighting for NSIS by Jan T. Sott
Yaml highlight local tags as types by Léo Lam
Improved highlighting for Elixir by Piotr Kaminski
New attribute disableAutodetect for preventing autodetection by Egor Rogov
Matlab: transpose operators and double quote strings, by JohnC32 and Egor Rogov
Various documentation typos and improvemets by Jimmy Wärting, Lutz Büch, bcleland
Cmake updated with new keywords and commands by Deniz Bahadir

`v9.12.0`

New language:

MikroTik RouterOS Scripting language by Ivan Dementev.

New style:

VisualStudio 2015 Dark by Nicolas LLOBERA

Improvements:

Crystal updated with new keywords and syntaxes by Tsuyusato Kitsune.
Julia updated to the modern definitions by Alex Arslan.
julia-repl added by Morten Piibeleht.
Stanislav Belov wrote a new definition for 1C, replacing the one that
has not been updated for more than 8 years. The new version supports syntax
for versions 7.7 and 8.
Nicolas LLOBERA improved C# definition fixing edge cases with function
titles detection and added highlighting of [Attributes].
nnnik provided a few correctness fixes for Autohotkey.
Martin Clausen made annotation collections in Clojure to look
consistently with other kinds.
Alejandro Alonso updated Swift keywords.

Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by WhiteSource Renovate. View repository job log here.


          chore(deps): update dependency highlight.js to v9.18.2 [security]

888c29c

renovate bot changed the title ~~chore(deps): update dependency highlight.js to v9.18.2 [security]~~ chore(deps): update dependency highlight.js to v9.18.2 [security] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/npm-highlight.js-vulnerability branch

December 11, 2020 18:57

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.