
[Snyk] Upgrade commonmark from 0.28.1 to 0.30.0 #3

Open: wants to merge 1 commit into base: master
Conversation

snyk-bot

Snyk has created this PR to upgrade commonmark from 0.28.1 to 0.30.0.

merge advice
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 5 versions ahead of your current version.
  • The recommended version was released a month ago, on 2021-06-20.
Release notes
Package name: commonmark
  • 0.30.0 - 2021-06-20
    • Update tests to 0.30 spec.txt.
    • Fix commonmark/cmark#383. Our optimization for emphasis parsing
      was flawed, leading to some corner cases where nested emphasis was
      parsed incorrectly.
    • Allow user to specify a function to escape the output (#217, newfivefour).
    • Simplify reThematicBreak.
    • Fix documentation for node.listType (TheWastl). The parser produces
      lowercase strings, but the README said the strings are capitalized.
    • Fix handling of type 7 HTML blocks (#213).
      They can't interrupt paragraphs (even with laziness).
    • Fix link label normalization with backslash before newline (#211).
    • Only match punctuation at the beginning of the string (Vladimir Pouzanov).
      This makes the punctuation use match reUnicodeWhitespaceChar usage
      in scanDelims. It's effectively a no-op, as char_after is expected
      to only contain a single character anyways.
    • Recognize '01' as start number 1 (#207).
    • Use rollup --banner to include license info.
    • Remove dist files from the repository. Instead we now generate them
      with pretest and prepublish scripts.
    • Simplify dingus Makefile.
    • Fix an iframe loading timing issue in the dingus (icyrockcom).
      Closes commonmark/commonmark-spec-web#15.
  • 0.29.3 - 2020-12-05
    • Fix some rough edges around ES modules (Kyle E. Mitchell)
      (#195, #201, #203):
      • Set module types via package.json files in subdirectories.
        A number of JavaScript files were rewritten as ES
        Modules, but their extensions remained .js. That
        extension is ambiguous to newer version of the Node.js
        runtime, which can load both CommonJS modules and ES
        Modules. To fix this, we add package.json files with
        type properties to the various subdirectories. Setting
        type to "module" tells Node.js to interpret .js
        files in that directory and below as ES Modules.
        Otherwise, Node.js falls back on the package.json at
        root, which currently sets type to "commonjs".
      • Make benchmark and test use commonjs again.
      • bin: remove use of ESM and use require('../').
        Node.js version 14, which supports ES Modules without any flag or the
        esm package, is currently in long-term support. But a great many
        folks still run older version of Node.js that either don't support ES
        Modules at all or hide that support behind a feature flag.
      • Import specific functions from entities package.
      • Update "Basic Usage" comment in lib/index.js.
    • Remove package-lock.json (Kyle E. Mitchell).
    • Fix 'make test' target so that dist is built.
    • reHtmlTag: don't use case-insensitive matching (#193).
      The spec specifies uppercase for declarations and CDATA.
    • Handle piped input from stdin in windows. Use file descriptor 0
      instead of '/dev/stdin'. Note that this allows piping but doesn't
      handle the case where users run bin/commonmark and enter input
      directly. See #198 for some relevant discussion.
    • Configure GitHub Actions to test on Node.js 14 and 15 (Kyle E. Mitchell).
    • Allow EOL in processing instructions (#196).
  • 0.29.2 - 2020-09-10
    • Use ES modules (Iddan Aaronsohn).
    • Improve and simplify reference link normalization (#168).
      We now use the built in str.toLowerCase().toUpperCase(), which
      @rlidwka has shown does an accurate unicode case fold.
      This allows us to remove a huge lookup table and should
      both decrease the size of the library and speed things up.
    • Fix end source position for nested or indented fenced code blocks.
      Improves on earlier fix to #141, which only worked for code blocks
      flush with the left margin.
    • Upgrade to entities 2.0+.
    • Fix generation of dist files for dingus.
    • Use esm for bin/commonmark, bench, test.
    • Use rollup uglify plugin to create minified dist.
    • Move dev dependencies to proper place in package.json.
    • Use rollup instead of browserify (Iddan Aaronsohn).
    • Reformat code with prettier (Iddan Aaronsohn).
    • Replace travis CI with GitHub Actions CI.
    • Bump versions of software to benchmark against.
    • Change jgm/commonmark.js to commonmark/commonmark.js (#126).
    • Security audit fixes.
    • Remove obsolete spec2js.js script
    • Remove test on node 9 and under. Only support actively maintained
      versions.
    • Run npm lint in ci.
  • 0.29.1 - 2020-01-09
    • Export Renderer (#162, Federico Ramirez). Export the Renderer
      class so consumers can use it as a base class for their own custom
      Renderers. [API change]
    • Fix end source position for fenced code and raw HTML (#141).
    • Ensure that \ is treated as punctuation character (#161).
    • Remove redundant token from reHtmlBlockOpen (Vas Sudanagunta).
    • Remove unused variable reWhitespace.
    • Don't decode url before encoding it again (Daniel Berndt).
    • Don't allow link destinations with unbalanced unescaped parens (#177).
    • Don't put quote delims on stack if not --smart.
    • Don't add to delim stack if !can_open && !can_close (#172).
    • Remove no longer used argument to escapeXml (#169, Robin Stocker).
    • Avoid numerical conversion for file names in argv (#164, Alex Kocharin).
    • Adapt existing encoding-based regression test and add %25-based
      regression test (Daniel Berndt).
    • Add pathological test for #172 illustrating quadratic time bug.
    • Fix pathological case commonmark/cmark#178.
    • Add pathological test for cmark#178.
    • Dingus: remove debugging console.log.
    • Sync .editorconfig indent_size to actual (#178, Vas Sudanagunta).
    • Add lint rule for unused variables
    • Apply npm audit suggestions.
    • Fixed invalid package.json dependency entries (Vas Sudanagunta).
  • 0.29.0 - 2019-04-08
    • Update spec to 0.29.
    • Fix parsing of setext headers after reference link definitions.
    • Fix code span normalization to conform to spec change.
    • Allow empty destinations in link refs. See commonmark/commonmark-spec#172 (Empty destinations in link references).
    • Update link destination parsing.
    • dingus: add dependency version requirements (#159, Vas Sudanagunta). Dingus was rendering incorrectly with Bootstrap 4. Added a bower.json which requires Bootstrap, jQuery and Lodash with major version equal to what's currently live. Likewise the minimum patch version.
    • package.json: Add version for bower in devDependencies.
    • package.json - use ^ operator for versions.
    • Allow internal delim runs to match if both have lengths that are multiples of 3. See commonmark/commonmark-spec#528 (Interior strong+emph not parsed).
    • Remove now unused 'preserve_entities' option on escapeXml. This was formerly used (incorrectly) in the HTML renderer. It isn't needed any more. [API change]
    • html renderer: Don't preserve entities when rendering href, src, title, info string. This gives rise to double-encoding errors, when the original markdown is e.g. :, since the commonmark reader already unescapes entities. Thanks to Sebastiaan Knijnenburg for noticing this.
    • More efficient checking for loose lists. This fixes a case like commonmark/cmark#284.
    • Disallow unescaped ( in parenthesized link title.
    • Add pathological test (commonmark/cmark#285).
    • Comment out failing pathological test for now.
    • Add pathological tests for #157.
    • Fix two exponential regex backtracking vulnerabilities (#157, Anders Kaseorg). ESCAPED_CHAR already matches \\, so matching it again in another alternative was causing exponential complexity explosion. This makes the following behavior changes: [foo\\\] is no longer incorrectly accepted as a link reference. <foo\> is no longer incorrectly accepted as an angle-bracketed link destination.
    • package.json: require lodash >= 4.17.11.
    • Require cached-path-relative >= 1.0.2. This fixes a security vulnerability, but it's only in the dev dependencies.
    • Update fenced block parsing for spec change.
    • Require space before title in reference link. See commonmark/cmark#263.
    • Update code span normalization for spec change.
    • Removed meta from list of block tags. See commonmark/commonmark-spec#527.
    • make dist: ensure that comment line is included in dist files (#144). Also change URL to CommonMark/commonmark.js.
    • Use local development dependencies (#142, Lynn Kirby). Packages used during development are now listed in devDependencies of package.json. Makefiles are updated to use those local versions. References to manually installing packages are removed from README.md and bench/bench.js. The package-lock.json file used in newer NPM versions is also added.
    • Allow spaces in pointy-bracket link destinations.
    • Adjust max length for decimal/numeric entities. See commonmark/commonmark-spec#487.
    • Don't allow escaped spaces in link destination. Closes commonmark/commonmark-spec#493.
    • Don't allow list items that are indented >= 4 spaces. See commonmark/commonmark-spec#497.
  • 0.28.1 - 2017-08-02
    • Update changelog (omitted in 0.28.0 release)
from commonmark GitHub release notes
Commit messages
Package name: commonmark

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
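The 0.29.2 entry above says reference-link normalization now relies on `str.toLowerCase().toUpperCase()` as a Unicode case fold instead of a lookup table. The block below is an added example, not commonmark.js's own code, showing why the round trip folds where a plain `toLowerCase()` does not. `normalizeReference` is an approximation of the spec's label normalization (strip the outer brackets, trim, collapse internal whitespace runs to one space, case fold); the whitespace set and the sample labels are assumptions constructed for the example.

```javascript
// Added example (not commonmark.js source). Approximates CommonMark reference
// label normalization: strip the surrounding brackets, trim, collapse internal
// whitespace to a single space, then case-fold.
// ASSUMPTION: the whitespace set [ \t\r\n] and the bracket stripping follow the
// spec's description of label matching; they are not copied from the library.

function caseFold(s) {
  // A plain toLowerCase() is not a case fold: "Straße" and "STRASSE" stay
  // different. Lowercasing first and then uppercasing applies the full
  // (one-to-many) mappings, so ß -> SS and the ﬁ ligature -> FI, which is
  // what lets the library drop its own fold table.
  return s.toLowerCase().toUpperCase();
}

function normalizeReference(label) {
  return caseFold(
    label
      .slice(1, label.length - 1) // drop "[" and "]"
      .trim()
      .replace(/[ \t\r\n]+/g, " ")
  );
}

// Two labels refer to the same definition if they normalize to the same key.
function referencesMatch(a, b) {
  return normalizeReference(a) === normalizeReference(b);
}

// Whether a lowercase-only comparison would have matched the same pair.
function lowercaseOnlyMatch(a, b) {
  return a.slice(1, -1).toLowerCase() === b.slice(1, -1).toLowerCase();
}

// Constructed sample labels (not from the page).
const SAMPLES = [
  ["[Straße]", "[STRASSE]"],      // sharp s vs SS: lowercase-only misses this
  ["[ﬁle]", "[FILE]"],            // fi ligature: lowercase-only misses this too
  ["[Foo\n   bar]", "[foo bar]"], // newline plus a run of spaces collapses
  ["[foo]", "[fooo]"],            // genuinely different labels stay different
];

for (const [a, b] of SAMPLES) {
  console.log(
    `${JSON.stringify(a)} vs ${JSON.stringify(b)}: ` +
      `lowercase-only=${lowercaseOnlyMatch(a, b)} fold=${referencesMatch(a, b)}`
  );
}
```

Note that the fold is not locale-aware: labels that differ only by locale-specific casing rules (the Turkish dotted and dotless i, for instance) are not folded together by this approach.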
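The security-relevant entry in these notes is the 0.29.0 fix for two exponential regex backtracking vulnerabilities (#157): ESCAPED_CHAR already matched a backslash pair, so matching a lone backslash in a second alternative gave the engine two ways to consume every pair. The block below is an added example, not commonmark.js's own source. It reconstructs the shape of the two patterns from that description (assumptions: the pre-fix alternation was ESCAPED_CHAR or a lone backslash, the post-fix form is a backslash followed by any character, and the `{0,1000}` label bound), checks the two behaviour changes the changelog lists (`[foo\\\]` and `<foo\>` are no longer accepted), and times the old label pattern on a constructed input of backslashes with no closing bracket to show the exponential growth.

```javascript
// Added example (not commonmark.js source): reconstruction of the regex shape
// behind the exponential-backtracking fix described for 0.29.0 (#157).
// ASSUMPTION: the pre-fix patterns had ESCAPED_CHAR and a lone backslash as
// separate alternatives; the fix collapses both into "backslash + any char".

// CommonMark ASCII punctuation as a regex character class (backslash included).
const ESCAPABLE = "[!\"#$%&'()*+,./:;<=>?@[\\\\\\]^_`{|}~-]";
// A backslash followed by one escapable character.
const ESCAPED_CHAR = "\\\\" + ESCAPABLE;

// Pre-fix shape: a pair of backslashes can be matched either as one
// ESCAPED_CHAR or as two lone backslashes, so a run of N backslashes with no
// closing ']' gives the engine a Fibonacci(N) number of parses to try.
const OLD_LINK_LABEL = new RegExp(
  "^\\[(?:[^\\\\\\[\\]]|" + ESCAPED_CHAR + "|\\\\){0,1000}\\]"
);
const OLD_LINK_DEST = new RegExp(
  "^(?:[<](?:[^<>\\n\\\\\\x00]|" + ESCAPED_CHAR + "|\\\\)*[>])"
);

// Post-fix shape: every backslash consumes exactly the next character, so each
// position has a single way to match and the scan stays linear.
const NEW_LINK_LABEL = /^\[(?:[^\\\[\]]|\\.){0,1000}\]/;
const NEW_LINK_DEST = /^(?:<(?:[^<>\n\\\x00]|\\.)*>)/;

function accepts(re, input) {
  return re.test(input);
}

// Constructed pathological input: '[' followed by n backslashes, no closing ']'.
function pathologicalLabel(n) {
  return "[" + "\\".repeat(n);
}

// Wall-clock cost of one test() call in milliseconds, plus its result.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// The two behaviour changes the changelog lists for #157.
const CASES = [
  { what: "link label [foo\\\\\\]", input: "[foo\\\\\\]", old: OLD_LINK_LABEL, fixed: NEW_LINK_LABEL },
  { what: "link destination <foo\\>", input: "<foo\\>", old: OLD_LINK_DEST, fixed: NEW_LINK_DEST },
];

for (const c of CASES) {
  console.log(`${c.what}: old=${accepts(c.old, c.input)} fixed=${accepts(c.fixed, c.input)}`);
}

// Growth check: the old pattern's work grows exponentially with n (roughly the
// golden ratio per extra backslash); the fixed pattern stays flat. n is kept
// small so the demonstration finishes quickly.
for (const n of [16, 20, 24, 28]) {
  const input = pathologicalLabel(n);
  const oldRun = timeMatch(OLD_LINK_LABEL, input);
  const newRun = timeMatch(NEW_LINK_LABEL, input);
  console.log(`n=${n}: old ${oldRun.ms.toFixed(2)} ms, fixed ${newRun.ms.toFixed(2)} ms`);
}
```

The practical check for a consumer of this PR is the same idea turned into a regression test: feed the parser a label or destination of a few hundred backslashes and assert the parse completes in milliseconds, so a future pattern change that reintroduces an overlapping alternative fails CI instead of shipping.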

@pull-request-quantifier-deprecated

This PR has 2 quantified lines of changes. In general, a change size of up to 200 lines is ideal for the best PR experience!


Quantification details

Label      : Extra Small
Size       : +1 -1
Percentile : 0.8%

Total files changed: 1

Change summary by file extension:
.json : +1 -1

Change counts above are quantified counts, based on the PullRequestQuantifier customizations.

Why proper sizing of changes matters

Optimal pull request sizes drive a better predictable PR flow as they strike a
balance between PR complexity and PR review overhead. PRs within the
optimal size (typically small or medium-sized PRs) mean:

  • Fast and predictable releases to production:
    • Optimal size changes are more likely to be reviewed faster with fewer
      iterations.
    • Similarity in low PR complexity drives similar review times.
  • Review quality is likely higher as complexity is lower:
    • Bugs are more likely to be detected.
    • Code inconsistencies are more likely to be detected.
  • Knowledge sharing is improved within the participants:
    • Small portions can be assimilated better.
  • Better engineering practices are exercised:
    • Solving big problems by dividing them in well contained, smaller problems.
    • Exercising separation of concerns within the code changes.

What can I do to optimize my changes

  • Use the PullRequestQuantifier to quantify your PR accurately
    • Create a context profile for your repo using the context generator
    • Exclude files that are not necessary to be reviewed or do not increase the review complexity. Example: Autogenerated code, docs, project IDE setting files, binaries, etc. Check out the Excluded section from your prquantifier.yaml context profile.
    • Understand your typical change complexity, drive towards the desired complexity by adjusting the label mapping in your prquantifier.yaml context profile.
    • Only use the labels that matter to you, see context specification to customize your prquantifier.yaml context profile.
  • Change your engineering behaviors
    • For PRs that fall outside of the desired spectrum, review the details and check if:
      • Your PR could be split in smaller, self-contained PRs instead
      • Your PR only solves one particular issue. (For example, don't refactor and code new features in the same PR).

How to interpret the change counts in git diff output

  • One line was added: +1 -0
  • One line was deleted: +0 -1
  • One line was modified: +1 -1 (git diff doesn't know about modified, it will
    interpret that line like one addition plus one deletion)
  • Change percentiles: Change characteristics (addition, deletion, modification)
    of this PR in relation to all other PRs within the repository.

