ant-design-vue
ant-design-vue copied to clipboard
vueComponent
chore(deps): update dependency markdown-it to v12 [security]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| markdown-it | ^8.4.2 -> ^12.0.0 |
GitHub Vulnerability Alerts
CVE-2022-21670
Impact
Special patterns with length > 50K chars can slow down parser significantly.
const md = require('markdown-it')();
md.render(`x ${' '.repeat(150000)} x \nx`);
Patches
Upgrade to v12.3.2+
Workarounds
No.
References
Fix + test sample: https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101
Release Notes
markdown-it/markdown-it
v12.3.2
Security
- Fix possible ReDOS in newline rule. Thanks to @βMakeNowJust.
v12.3.1
Fixed
- Fix corner case when tab prevents paragraph continuation in lists, #β830.
v12.3.0
Changed
StateInline.delimiters[].jumpis removed.
Fixed
- Fixed quadratic complexity in pathological
***<10k stars>***a***<10k stars>***case.
v12.2.0
Added
- Ordered lists: add order value to token info.
Fixed
- Always suffix indented code block with a newline, #β799.
v12.1.0
Changed
- Updated CM spec compatibility to 0.30.
v12.0.6
Fixed
- Newline in
altshould be rendered, #β775.
v12.0.5
Fixed
- HTML block tags with
===inside are no longer incorrectly interpreted as headers, #β772. - Fix table/list parsing ambiguity, #β767.
v12.0.4
Fixed
- Fix crash introduced in
12.0.3when processing strikethrough (~~) and similar plugins, #β742. - Avoid fenced token mutation, #β745.
v12.0.3
Fixed
[](<foo<bar>)is no longer a valid link.[](url (xxx())is no longer a valid link.[](url\ xxx)is no longer a valid link.- Fix performance issues when parsing links (#β732, #β734), backticks, (#β733, #β736), emphases (#β735), and autolinks (#β737).
- Allow newline in
<? ... ?>in an inline context. - Allow
<meta>html tag to appear in an inline context.
v12.0.2
Fixed
- Three pipes (
|\n|\n|) are no longer rendered as a table with no columns, #β724.
v12.0.1
Fixed
- Fix tables inside lists indented with tabs, #β721.
v12.0.0
Added
.gitattributes, force unix eol under windows, for development.
Changed
- Added 3rd argument to
highlight(code, lang, attrs), #β626. - Rewrite tables according to latest GFM spec, #β697.
- Use
rollup.jsto browserify sources. - Drop
bower.json(bower reached EOL). - Deps bump.
- Tune
specsplit.jsoptions. - Drop
Makefilein favour of npm scrips.
Fixed
- Fix mappings for table rows (amended fix made in 11.0.1), #β705.
%25is no longer decoded in beautified urls, #β720.
v11.0.1
Fixed
v11.0.0
Changed
- Bumped
linkify-itto 3.0.0, #β661 + allow unlimited.inside links. - Dev deps bump.
- Switch to
nycfor coverage reports. - Partially moved tasks from Makefile to npm scripts.
- Automate web update on npm publish.
Fixed
- Fix em- and en-dashes not being typographed when separated by 1 char, #β624.
- Allow opening quote after another punctuation char in typographer, #β641.
- Assorted wording & typo fixes.
v10.0.0
Security
- Fix quadratic parse time for some combinations of pairs, #β583. Algorithm is now similar to one in reference implementation.
Changed
- Minor internal structs change, to make pairs parse more effective (cost is linear now). If you use external "pairs" extensions, you need sync those with "official ones". Without update, old code will work, but can cause invalid result in rare case. This is the only reason of major version bump. With high probability you don't need to change your code, only update version dependency.
- Updated changelog format.
- Deps bump.
v9.1.0
Changed
- Remove extra characters from line break check. Leave only 0x0A & 0x0D, as in CommonMark spec, #β581.
v9.0.1
Fixed
- Fix possible corruption of open/close tag levels, #β466
v9.0.0
Changed
- Updated CM spec compatibility to 0.29.
- Update Travis-CI node version to actual (8 & latest).
- Deps bump.
Configuration
π Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, click this checkbox.
This PR has been generated by Mend Renovate. View repository job log here.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}
Codecov Report
Merging #5152 (ba2d08f) into next (ec17787) will not change coverage. The diff coverage is
n/a.
:exclamation: Current head ba2d08f differs from pull request most recent head 9a61bd3. Consider uploading reports for the commit 9a61bd3 to get more accurate results
@@ Coverage Diff @@
## next #5152 +/- ##
=======================================
Coverage 16.66% 16.66%
=======================================
Files 5 5
Lines 156 156
Branches 32 32
=======================================
Hits 26 26
Misses 124 124
Partials 6 6
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
Renovate Ignore Notification
As this PR has been closed unmerged, Renovate will ignore this upgrade and you will not receive PRs for any future 12.x releases. However, if you upgrade to 12.x manually then Renovate will reenable minor and patch updates automatically.
If this PR was closed by mistake or you changed your mind, you can simply rename this PR and you will soon get a fresh replacement PR opened.
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}