Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency markdown-it to v12 [security] #100

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): update dependency markdown-it to v12 [security] #100

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 7, 2022
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
markdown-it 8.4.2 -> 12.3.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-21670

Impact

Special patterns with length > 50K chars can slow down parser significantly.

const md = require('markdown-it')();

md.render(`x ${' '.repeat(150000)} x  \nx`);

Patches

Upgrade to v12.3.2+

Workarounds

No.

References

Fix + test sample: markdown-it/markdown-it@ffc49ab

Release Notes

markdown-it/markdown-it

v12.3.2

Compare Source

Security

v12.3.1

Compare Source

Fixed
  • Fix corner case when tab prevents paragraph continuation in lists, #​830.

v12.3.0

Compare Source

Changed
  • StateInline.delimiters[].jump is removed.
Fixed
  • Fixed quadratic complexity in pathological ***<10k stars>***a***<10k stars>*** case.

v12.2.0

Compare Source

Added
  • Ordered lists: add order value to token info.
Fixed
  • Always suffix indented code block with a newline, #​799.

v12.1.0

Compare Source

Changed
  • Updated CM spec compatibility to 0.30.

v12.0.6

Compare Source

Fixed
  • Newline in alt should be rendered, #​775.

v12.0.5

Compare Source

Fixed
  • HTML block tags with === inside are no longer incorrectly interpreted as headers, #​772.
  • Fix table/list parsing ambiguity, #​767.

v12.0.4

Compare Source

Fixed
  • Fix crash introduced in 12.0.3 when processing strikethrough (~~) and similar plugins, #​742.
  • Avoid fenced token mutation, #​745.

v12.0.3

Compare Source

Fixed
  • [](<foo<bar>) is no longer a valid link.
  • [](url (xxx()) is no longer a valid link.
  • [](url\ xxx) is no longer a valid link.
  • Fix performance issues when parsing links (#​732, #​734), backticks, (#​733, #​736),
    emphases (#​735), and autolinks (#​737).
  • Allow newline in <? ... ?> in an inline context.
  • Allow <meta> html tag to appear in an inline context.

v12.0.2

Compare Source

Fixed
  • Three pipes (|\n|\n|) are no longer rendered as a table with no columns, #​724.

v12.0.1

Compare Source

Fixed
  • Fix tables inside lists indented with tabs, #​721.

v12.0.0

Compare Source

Added
  • .gitattributes, force unix eol under windows, for development.
Changed
  • Added 3rd argument to highlight(code, lang, attrs), #​626.
  • Rewrite tables according to latest GFM spec, #​697.
  • Use rollup.js to browserify sources.
  • Drop bower.json (bower reached EOL).
  • Deps bump.
  • Tune specsplit.js options.
  • Drop Makefile in favour of npm scrips.
Fixed
  • Fix mappings for table rows (amended fix made in 11.0.1), #​705.
  • %25 is no longer decoded in beautified urls, #​720.

v11.0.1

Compare Source

Fixed
  • Fix blockquote lazy newlines, #​696.
  • Fix missed mappings for table rows, #​705.

v11.0.0

Compare Source

Changed
  • Bumped linkify-it to 3.0.0, #​661 + allow unlimited . inside links.
  • Dev deps bump.
  • Switch to nyc for coverage reports.
  • Partially moved tasks from Makefile to npm scripts.
  • Automate web update on npm publish.
Fixed
  • Fix em- and en-dashes not being typographed when separated by 1 char, #​624.
  • Allow opening quote after another punctuation char in typographer, #​641.
  • Assorted wording & typo fixes.

v10.0.0

Compare Source

Security
  • Fix quadratic parse time for some combinations of pairs, #​583. Algorithm is
    now similar to one in reference implementation.
Changed
  • Minor internal structs change, to make pairs parse more effective (cost is
    linear now). If you use external "pairs" extensions, you need sync those with
    "official ones". Without update, old code will work, but can cause invalid
    result in rare case. This is the only reason of major version bump. With high probability you don't need to change your code, only update version dependency.
  • Updated changelog format.
  • Deps bump.

v9.1.0

Compare Source

Changed
  • Remove extra characters from line break check. Leave only 0x0A & 0x0D, as in
    CommonMark spec, #​581.

v9.0.1

Compare Source

Fixed
  • Fix possible corruption of open/close tag levels, #​466

v9.0.0

Compare Source

Changed
  • Updated CM spec compatibility to 0.29.
  • Update Travis-CI node version to actual (8 & latest).
  • Deps bump.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate
Copy link
Contributor Author

renovate bot commented Mar 24, 2023
edited
Loading

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@renovate-bot