[Snyk] Upgrade commonmark from 0.27.0 to 0.29.2 #62

snyk-bot · 2020-11-07T07:00:25Z

Snyk has created this PR to upgrade commonmark from 0.27.0 to 0.29.2.

✨ Snyk has automatically assigned this pull request, set who gets assigned.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 5 versions ahead of your current version.
The recommended version was released 2 months ago, on 2020-09-10.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Prototype Pollution SNYK-JS-MINIMIST-559764	387/1000 Why? Proof of Concept exploit, CVSS 5.6	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: commonmark

0.29.2 - 2020-09-10
- Use ES modules (Iddan Aaronsohn).
- Improve and simplify reference link normalization (#168).
  We now use the built in str.toLowerCase().toUpperCase(), which
  @rlidwka has shown does an accurate unicode case fold.
  This allows us to remove a huge lookup table and should
  both decrease the size of the library and speed things up.
- Fix end source position for nested or indented fenrced code blocks.
  Improves on earlier fix to #141, which only worked for code blocks
  flush with the left margin.
- Upgrade to entities 2.0+.
- Fix generation of dist files for dingus.
- Use esm for bin/commonmark, bench, test.
- Use rollup uglify plugin to create minified dist.
- Move dev dependencies to proper place in package.json.
- Use rollup instead of browserify (Iddan Aaronsohn).
- Reformat code with prettier (Iddan Aaronsohn).
- Replace travis CI with GitHub Actions CI.
- Bump versions of software to benchmark against.
- Change jgm/commonmark.js to commonmark/commonmark.js (#126).
- Security audit fixes.
- Remove obsolete spec2js.js script
- Remove test on node 9 and under. Only support actively maintained
  versions.
- Run npm lint in ci.
0.29.1 - 2020-01-09
- Export Renderer (#162, Federico Ramirez). Export the Renderer
  class so consumers can use it as a base class for their own custom
  Renderer's. [API change]
- Fix end source position for fenced code and raw HTML (#141).
- Ensure that \ is treated as punctuation character (#161).
- Remove redundant token from reHtmlBlockOpen (Vas Sudanagunta).
- Remove unused variable reWhitespace.
- Don't decode url before encoding it again (Daniel Berndt).
- Don't allow link destinations with unbalanced unescaped parens (#177).
- Don't put quote delims on stack if not --smart.
- Don't add to delim stack if !can_open && !can_close (#172).
- Remove no longer used argument to escapeXml (#169, Robin Stocker).
- Avoid numerical conversion for file names in argv (#164, Alex Kocharin).
- Adapt existing encoding-based regression test and add %25-based
  regression test (Daniel Berndt).
- Add pathological test for #172 illustrating quadratic time bug.
- Fix pathological case commonmark/cmark#178.
- Add pathological test for cmark#178.
- Dingus: remove debugging console.log.
- Sync .editorconfig indent_size to actual (#178, Vas Sudanagunta).
- Add lint rule for unused variables
- Apply npm audit suggestions.
- Fixed invalid package.json dependency entries (Vas Sudanagunta).
0.29.0 - 2019-04-08
- Update spec to 0.29.
- Fix parsing of setext headers after reference link definitions.
- Fix code span normalization to conform to spec change.
- Allow empty destinations in link refs. See Empty destinations in link references commonmark/commonmark-spec#172.
- Update link destination parsing.
- dingus: add dependency version requirements (#159, Vas Sudanagunta). Dingus was rendering incorrectly with Bootstrap 4. Added a bower.json which requires Bootstrap, jQuery and Lodash with major version equal to what's currently live. Likewise the minimum patch version.
- package.json: Add version for bower in devDependencies.
- package.json - use ^ operator for versions.
- Allow internal delim runs to match if both have lengths that are multiples of 3. See Interior strong+emph not parsed commonmark/commonmark-spec#528.
- Remove now unused 'preserve_entities' option on escapeXml. This was formerly used (incorrectly) in the HTML renderer. It isn't needed any more. [API change]
- html renderer: Don't preserve entities when rendering href, src, title, info string. This gives rise to double-encoding errors, when the original markdown is e.g. &colon;, since the commonmark reader already unescapes entities. Thanks to Sebastiaan Knijnenburg for noticing this.
- More efficient checking for loose lists. This fixes a case like commonmark/cmark#284.
- Disallow unescaped ( in parenthesized link title.
- Add pathological test (commonmark/cmark#285).
- Comment out failing pathological test for now.
- Add pathological tests for #157.
- Fix two exponential regex backtracking vulnerabilities (#157, Anders Kaseorg). ESCAPED_CHAR already matches \\, so matching it again in another alternative was causing exponential complexity explosion. This makes the following behavior changes: [foo\\\] is no longer incorrectly accepted as a link reference. <foo\> is no longer incorrectly accepted as an angle-bracketed link destination.
- package.json: require lodash >= 4.17.11.
- Require cached-path-relative >= 1.0.2. This fixes a security vulnerability, but it's only in the dev dependencies.
- Update fenced block parsing for spec change.
- Require space before title in reference link. See commonmark/cmark#263.
- Update code span normalization for spec change.
- Removed meta from list of block tags. See commonmark/commonmark-spec#527.
- make dist: ensure that comment line is included in dist files (#144). Also change URL to CommonMark/commonmark.js.
- Use local development dependencies (#142, Lynn Kirby). Packages used during development are now listed in devDependencies of package.json. Makefiles are updated to use those local versions. References to manually installing packages are removed from README.md and bench/bench.js. The package-lock.json file used in newer NPM versions is also added.
- Allow spaces in pointy-bracket link destinations.
- Adjust max length for decimal/numeric entities. See commonmark/commonmark-spec#487.
- Don't allow escaped spaces in link destination. Closes commonmark/commonmark-spec#493.
- Don't allow list items that are indented >= 4 spaces. See commonmark/commonmark-spec#497.
0.28.1 - 2017-08-02
- Update changelog (omitted in 0.28.0 release)
0.28.0 - 2017-08-02
- Update spec to 0.28.
- Align punctuation regex with spec (#121). Previously some ASCII
  punctuation characters were not being counted, so ^_test_ came out
  without emphasis, for example.
- Simplified a logical test, making it closer to the wording of the spec.
- Don't parse reference def if last ] is escaped (Comments on the foundational rework MicrosoftDocs/architecture-center#468).
  E.g.
```
[\ ]
[]: test
```
- Dingus Makefile: remove ref to obsolete html.js.
- Removed obsolete lib/xml.js (replaced by lib/render/xml.js).
- Allow tabs before and after ATX closing header (Erik Edrosa).
- Change precedence of Strong/Emph when both nestings possible.
  This accommodates the spec change to rule 14.
  Note that commonmark.js was not previously in conformity
  with rule 14 for things like ***hi****.
- Calculate "mulitple of 3" for delim runs based on original number
  of delims, not the number remaining after some have been
  used.
- Make esc() method abstract and overridable (muji).
- README: update documentation for overriding softbreak and esc (#118).
- Remove old XMLRenderer implementation (muji).
- package.json: use shorter form for repository.
- Don't export version in lib/index.js.
  Instead, users can get version from package.json:
  require('commonmark/package.json').version.
- Removed remnants of old html renderer (#113).
  Now we use lib/renderer/html.js.
- Hand-rolled parser for link destinations.
  This allows nested parens, as now required by the spec.
- Fix regression test example (Colin O'Dell).
- dingus: Fixed iframe on load.
0.27.0 - 2016-11-18
- Update spec to 0.27.
- Use correct name in DOCTYPE declaration for XML output.
  It should be document, not CommonMark.
- Fix Node type names in README (Jan Marthedal Rasmussen).
- Allow shortcut link before a (. See commonmark/commonmark-spec#427.
- Added all characters in Pc, Pd, Pe, Pf, Pi, Po, Ps to rePunctuation
  (#108, problem not recognizing East Asian punctuation).
- Allow tab after setext header line (#109).
- Recognize h2..h6 as block tags (see commonmark/commonmark-spec#430).
- Enforce spec's distinction between Unicode whitespace and regular whitespace
  (Timothy Gu, see commonmark/commonmark-spec#343). Per ECMA-262 6th Edition
  ("ECMAScript 2015") §21.2.2.12 [CharacterClassEscape], the JavaScript \s
  escape character matches the characters specified by "Unicode whitespace,"
  but not "whitespace." Rename the existing regular expression variable to
  UnicodeWhitespace, and create and use a new regular expression variable
  that only matches the limited set of "whitespace" characters.
- Removed unused definition.

from commonmark GitHub release notes

Commit messages

Package name: commonmark

21fb170 Regenerate dist.
e446513 Update package-lock.json.
ecc8175 Require recent serialize-javascript.
002ba28 eslint: add ecmaVersion: 2015 to config.
deef004 Treat textarea like script, style, pre (type 1 html block).
5c3c79a npm audit fix.
46bc1c5 Update spec.txt.
8c698a2 Version should be 0.29.2, not 0.30.1.
fc797cf Remove superfluous push to delimiter stack in handleDelim
98c25ab Update to 0.30.0, update changelog.
568add8 Upadet dist.
36f9a14 Upgrade acorn in package-lock.json (npm audit fix).
d5b42b0 Merge branch 'esmodules'
34f3bea Require recent minimist and fix other security audit issues.
89fe169 Require recent acorn version.
4d31982 Remove obsolete spec2js.js script
c18d2b4 Upgrade to entities 2.0+.
ca184f4 Remove test on node 8, 9 - only support actively maintained versions.
e3d1bc6 Run npm lint in ci.
bbd5a05 Fix generation of dist files for dingus.
9bcf45b Use esm for bin/commonmark.
2968e99 package.json: minimist is not a dev dependency.
435f7b8 Use esm for bench and test.
1549dd3 Fix 'make dist'.

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

👩‍💻 Set who automatically gets assigned

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Snyk has created this PR to upgrade commonmark from 0.27.0 to 0.29.2. See this package in npm: https://www.npmjs.com/package/commonmark See this project in Snyk: https://app.snyk.io/org/attawayinc/project/597350c1-45ac-47e6-924c-e1972bf1470a?utm_source=github&utm_medium=upgrade-pr

github-actions · 2021-09-01T00:10:58Z

This pull request has been inactive for 14 days. If you are finished with your changes, don't forget to sign off. See the contributor guide for instructions.
Other resources:

github-actions bot added the inactive label Sep 1, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Upgrade commonmark from 0.27.0 to 0.29.2 #62

[Snyk] Upgrade commonmark from 0.27.0 to 0.29.2 #62

snyk-bot commented Nov 7, 2020

github-actions bot commented Sep 1, 2021

[Snyk] Upgrade commonmark from 0.27.0 to 0.29.2 #62

Are you sure you want to change the base?

[Snyk] Upgrade commonmark from 0.27.0 to 0.29.2 #62

Conversation

snyk-bot commented Nov 7, 2020

Snyk has created this PR to upgrade commonmark from 0.27.0 to 0.29.2.

github-actions bot commented Sep 1, 2021