Skip to content

v4.7.1

Latest

Choose a tag to compare

@jaredwray jaredwray released this 23 Jun 19:28
57bfd14

@jaredwray/fumanchu@4.7.1 — 2026-06-23

Maintenance and security release: hardens the md helper against XSS, clears a markdown-it DoS advisory, and refreshes runtime and tooling dependencies.

Security

  • The md/markdown helper no longer HTML-entity-decodes its rendered output — markdown-it's escaping is now preserved (8c3c0f3, #230). The previous decodeHTML(md.render(...)) step enabled attribute-breakout XSS (e.g. an alt-text payload injecting a live onerror handler) and corrupted URLs whose query params began with a legacy entity name (e.g. &region). The ent dependency was removed with no replacement.
    • Behavior change: entities in markdown output are now preserved rather than decoded.

      {{md "&"}}
      {{!-- v4.7.0: <p>&</p>  →  v4.7.1: <p>&amp;</p> --}}
  • Upgrade markdown-it 14.1.1 → 14.2.0 (12c0c49, #226), resolving a moderate quadratic-complexity DoS advisory in the smartquotes rule (a shipped runtime dependency).

Internal

  • Upgrade runtime dependencies: @cacheable/memory 2.0.8 → 2.0.9 (285e799, #227), chrono-node 2.9.0 → 2.9.1 (8507644, #228), dayjs 1.11.20 → 1.11.21 (30d1874, #229).
  • Upgrade dev/build tooling: code-quality deps + migrate to pnpm 11 (416e012, #222), TypeScript and build tooling (d39c0bb, #223), docula 1.13.0 → 2.1.0 (965c78a, #225).
  • Upgrade GitHub Actions to their latest major versions (5e5b1fe, #224).
  • Publish to npm via OIDC trusted publishing with provenance, dropping the long-lived NPM_TOKEN (6bd13c2, #232).

Documentation

  • Add a GitHub repository link to the website top navigation (3ddbe20, #231).

Contributors

Full List of Changes

Full diff: v4.7.0...v4.7.1