
chore(deps): Bump markdown from 3.6 to 3.7 #306

Merged
afsmeira merged 2 commits into master from dependabot/pip/markdown-3.7 on Mar 25, 2026

Conversation

@dependabot dependabot Bot commented on behalf of github Aug 19, 2024

Bumps markdown from 3.6 to 3.7.

Release notes

Sourced from markdown's releases.

Release 3.7

Changed

Refactor abbr Extension

A new AbbrTreeprocessor has been introduced, which replaces the now deprecated AbbrInlineProcessor. Abbreviation processing now happens after Attribute Lists, avoiding a conflict between the two extensions (#1460).

The AbbrPreprocessor class has been renamed to AbbrBlockprocessor, which better reflects what it is. AbbrPreprocessor has been deprecated.

A call to Markdown.reset() now clears all previously defined abbreviations.

Abbreviations are now sorted by length before executing AbbrTreeprocessor to ensure that multi-word abbreviations are implemented even if an abbreviation exists for one of those component words. (#1465)

Abbreviations without a definition are now ignored. This avoids applying abbr tags to text without a title value.

Added an optional glossary configuration option to the abbreviations extension. This provides a simple and efficient way to apply a dictionary of abbreviations to every page.

Abbreviations can now be disabled by setting their definition to "" or ''. This can be useful when using the glossary option.

Fixed

  • Fixed links to source code on GitHub from the documentation (#1453).
Changelog

Sourced from markdown's changelog.

[3.7] -- 2024-08-16
Commits
  • da03cd6 Bump version to 3.7
  • bd836a1 Update griffe_extensions to support Griffe v 1.0.
  • 33359fa Abbr Extension: Definition Sorting and Glossary storage
  • ec8c305 Refactor abbr Extension
  • 993b57b Fixed links to source code on GitHub from the documentation
  • See full diff in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
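The abbr changes listed in the release notes above (abbreviations sorted longest-first so a multi-word abbreviation wins over one of its component words, entries without a definition ignored, a site-wide glossary merged with per-document definitions, and a definition of "" or '' disabling an entry) as a stand-alone model in Python. This is example code added for this page, not Python-Markdown's implementation: the `parse_abbr_definitions`, `merge_glossary`, `render_abbreviations` and `demo` names, the `GLOSSARY` dict and the `SAMPLE` text are constructed for the demonstration, and escaping the definition into the `title` attribute is this model's own choice, not a statement about what the library does.

```python
import html
import re

# `*[ABBR]: title` definition lines, the syntax the abbr extension reads.
ABBR_DEF_RE = re.compile(r"^\*\[(?P<abbr>[^\]]+)\]:\s*(?P<title>.*)$")

# Site-wide glossary (constructed for this example; stands in for the
# `glossary` option, which also takes a dict of abbreviation -> title).
GLOSSARY = {
    "HTML": "Hyper Text Markup Language",
    "TBD": "To Be Determined",
    "US": "United States",
}

# Constructed input: one body line plus definitions that exercise each rule.
SAMPLE = """\
The USA and the United States of America both ship HTML; ETA TBD.

*[USA]: United States of America
*[United States of America]: the country, not its initials
*[United States]: never reached inside the longer phrase
*[ETA]: Estimated "Time" of <Arrival>
*[TBD]: ""
*[NOPE]:
"""


def parse_abbr_definitions(text):
    """Split definition lines out of the document; return (body, {abbr: title})."""
    defs, body = {}, []
    for line in text.splitlines():
        m = ABBR_DEF_RE.match(line.strip())
        if m is None:
            body.append(line)
            continue
        title = m.group("title").strip()
        # A definition written as "" or '' is the documented way to disable an entry.
        if title in ('""', "''"):
            title = ""
        defs[m.group("abbr")] = title
    return "\n".join(body).rstrip("\n"), defs


def merge_glossary(glossary, doc_defs):
    """Per-document definitions override the glossary; empty ones drop the
    entry entirely, so no <abbr> without a title is ever emitted."""
    merged = dict(glossary)
    merged.update(doc_defs)
    return {abbr: title for abbr, title in merged.items() if title}


def render_abbreviations(body, defs):
    """Wrap every whole-word occurrence of a defined abbreviation in <abbr>."""
    if not defs:
        return body
    # Longest first: the regex alternation tries alternatives in order, so
    # "United States of America" is consumed before "United States" or "US"
    # can match inside it. A single pass also means a match is never re-wrapped.
    ordered = sorted(defs, key=len, reverse=True)
    pattern = re.compile(
        r"(?<!\w)(" + "|".join(re.escape(a) for a in ordered) + r")(?!\w)"
    )

    def wrap(m):
        abbr = m.group(1)
        # Definitions are untrusted when documents are user-supplied, so the
        # title goes through attribute escaping before landing in the tag.
        return '<abbr title="%s">%s</abbr>' % (
            html.escape(defs[abbr], quote=True), html.escape(abbr))

    return pattern.sub(wrap, body)


def demo(text=SAMPLE, glossary=GLOSSARY):
    """Run the three steps on the constructed sample and return the HTML."""
    body, doc_defs = parse_abbr_definitions(text)
    return render_abbreviations(body, merge_glossary(glossary, doc_defs))


if __name__ == "__main__":
    print(demo())
```

Running `demo()` wraps `USA`, `United States of America`, `HTML` and `ETA`; `TBD` stays plain because the document's `""` definition overrides the glossary entry, `NOPE` is never registered, and the `US` and `United States` entries never fire inside the longer matches. The ordering matters for security review as well as correctness: a shorter abbreviation firing inside a longer one is exactly the kind of partial-match behaviour that yields broken or nested markup.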

Bumps [markdown](https://github.com/Python-Markdown/markdown) from 3.6 to 3.7.
- [Release notes](https://github.com/Python-Markdown/markdown/releases)
- [Changelog](https://github.com/Python-Markdown/markdown/blob/master/docs/changelog.md)
- [Commits](Python-Markdown/markdown@3.6...3.7)

---
updated-dependencies:
- dependency-name: markdown
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot requested a review from a team as a code owner August 19, 2024 17:47
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Aug 19, 2024
@afsmeira afsmeira requested a review from a team as a code owner March 25, 2026 12:15
@afsmeira afsmeira enabled auto-merge (squash) March 25, 2026 12:15
@github-actions github-actions Bot temporarily deployed to Netlify March 25, 2026 12:15 Inactive
@codacy-production
Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics: 0 complexity, 0 duplication

Metric       Result
Complexity   0
Duplication  0

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.


@afsmeira afsmeira merged commit 324cc14 into master Mar 25, 2026
4 checks passed
@afsmeira afsmeira deleted the dependabot/pip/markdown-3.7 branch March 25, 2026 12:15
@codacy-production codacy-production Bot left a comment


Pull Request Overview

While the PR successfully updates the markdown dependency as intended, version 3.7 contains significant regressions in core extensions (toc, attr_list) and a known security vulnerability (CVE-2025-69534). Although Codacy results indicate the PR is 'up to standards', the specific findings on this version suggest it should not be merged. A direct upgrade to 3.8.1 is required to ensure stability and security.

About this PR

  • Updating to version 3.7 is discouraged due to a combination of functional regressions and a security vulnerability. Please target version 3.8.1 instead.

Test suggestions

  • Verify the dependency version update in the requirements file.
  • Verify markdown rendering functionality remains stable after the upgrade, specifically checking for regressions in the abbr extension refactor.
  • Execute regression tests specifically for toc and attr_list extensions to ensure compatibility with the new version.

Comment thread requirements.txt
@@ -1,5 +1,5 @@
mkdocs==1.6.0
markdown==3.6
markdown==3.7
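Review bot: mkdocs==1.6.0 stays pinned while markdown moves from 3.6 to 3.7, and the 3.7 notes above deprecate AbbrInlineProcessor and AbbrPreprocessor (renamed AbbrBlockprocessor); before merging, confirm that mkdocs 1.6.0's own markdown requirement accepts 3.7 and that nothing in this repository imports the deprecated class names, e.g. `grep -rn "AbbrInlineProcessor\|AbbrPreprocessor" .`. Both lines also pin by version only, so there is nothing for pip to verify beyond the name and version string; generating the file with `pip-compile --generate-hashes` and installing with `pip install --require-hashes` would let CI reject a substituted wheel for either package.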

🟡 MEDIUM RISK

The update to markdown==3.7 introduces functional regressions in the toc and attr_list extensions. Additionally, it is flagged for a security vulnerability (CVE-2025-69534) that allows for Denial of Service attacks via malformed HTML sequences.

To resolve both the rendering issues and the security risk, please upgrade directly to version 3.8.1.

Suggested change
markdown==3.7
markdown==3.8.1

See Issue in Codacy

