Update dependency highlight.js to v10 [SECURITY]#23
Open
renovate[bot] wants to merge 1 commit into master from
This PR contains the following updates:
- highlight.js: `^9.12.0` → `^10.4.1`

GitHub Vulnerability Alerts

GHSA-7wwv-vh3v-89cq

Impact: Potential ReDOS vulnerabilities (exponential and polynomial RegEx backtracking)
OWASP:

If you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client-side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server-side infinite freezes could occur... effectively preventing users from accessing your app or service (ie, Denial of Service).

This is an issue with grammars shipped with the parser (and potentially 3rd party grammars also), not the parser itself. If you are using Highlight.js with any of the following grammars you are vulnerable. If you are using `highlightAuto` to detect the language (and have any of these grammars registered) you are vulnerable. Exponential grammars (C, Perl, JavaScript) are auto-registered when using the common grammar subset/library `require('highlight.js/lib/common')` as of 10.4.0 - see https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@10.4.0/build/highlight.js

All versions prior to 10.4.1 are vulnerable, including version 9.18.5.
Grammars with exponential backtracking issues:

And of course any aliases of those languages have the same issue, ie: `hpp` is no safer than `cpp`.

Grammars with polynomial backtracking issues:

And again: any aliases of those languages have the same issue, ie: `ruby` and `rb` share the same ruby issues.

Patches
Workarounds / Mitigations
References
For more information
If you have any questions or comments about this advisory:
Release Notes
highlightjs/highlight.js (highlight.js)
v10.4.1
Security
Very grateful to Michael Schmidt for all the help.
v10.4.0
A largish release with many improvements and fixes from quite a few different contributors. Enjoy!
Deprecations:
- `requireLanguage` is deprecated. Use `getLanguage` (with custom error handling) or build-time dependencies.

Parser:
- `beginKeywords` support (#2813) Josh Goebel
- `classNameAliases` for more complex grammars Josh Goebel

New Languages:
- `node-repl` for Node.js REPL sessions (#2792) Marat Nagayev

Language Improvements:
- `~` (#2859) Guillaume Grossetie
- `\` (#2861) Guillaume Grossetie
- `\[Gamma]`, `#` Marcus Ortiz
- `some` keyword Marcus Ortiz
- `@main` attribute Marcus Ortiz

Dev Improvements:
New themes:
v10.3.2: - Oops, "Javascript".
Tiny tiny release, just to fix the website incorrectly not listing Javascript
in the list of languages you could choose for a custom build. NPM and CDN
build should not have been affected so 10.3.1 is effectively the same as
10.3.2 for those builds.
If you made a custom build from the website with 10.3 or 10.3.1 you may
want to check and make sure it includes Javascript, and if not, build it again.
v10.3.1
Prior version let some look-behind regex sneak in, which does not work
yet on Safari. This release removes those incompatible regexes.
Fix:
v10.3.0
Language Improvements:
- `enum (struct|class)` and `union` (#2752) Josh Goebel
- `{}` inside template literals SUBST expression (#2748) Josh Goebel
- `constructor` is now highlighted as a function title (not keyword) (#2727) Josh Goebel
- `#` for private class fields (#2701) Chris Krycho
- `(*)` from being detected as a multi-line comment Josh Goebel
- `objective-c++` and `obj-c++` aliases for Objective-C Josh Goebel
- `record` (#2685) Josh Goebel
- `title` (#2683) Josh Goebel
- `final` in class declaration (#2696) Josh Goebel
- `match` keyword and add `php8` as an alias (#2733) Ayesh Karunaratne

Deprecations:
- `useBR` option deprecated and will be removed in v11.0. (#2559) Josh Goebel

v10.2.1
Parser Engine:
v10.2.0
Parser Engine:
New themes:
Deprecations:
- `fixMarkup` is now deprecated and will be removed in v11.0. (#2534) Josh Goebel

Big picture:
Language Improvements:
- `init` and `record` keywords for C# 9.0 (#2660) Youssef Victor
- `arguments` keyword and fix `enumeration` keyword (#2619) Andrew Janke
- `getLanguage` (#2636) night
- `enum`, which will identify as a `class` now (#2643) ezksd

v10.1.2
Fixes:
- `getLanguage` (#2636) night

v10.1.1
Fixes:
- `index.d.ts is not a module` error (#2603) Josh Goebel

v10.1.0
New themes:
Parser Engine:
- `keywords.$pattern` key to grammar definitions (#2519) Josh Goebel
- `registerAliases` method (#2540) Taufik Nurrohman
- `on:begin` callback for modes (#2261) Josh Goebel
- `on:end` callback for modes (#2261) Josh Goebel
- `END_SAME_AS_BEGIN` mode to replace `endSameAsBegin` parser attribute (#2261) Josh Goebel
- `fixMarkup` would rarely destroy markup when `useBR` was enabled (#2532) Josh Goebel

Deprecations:
- `htmlbars` grammar is now deprecated. Use `handlebars` instead. (#2344) Nils Knappmeier
- `highlightBlock` `result.re` deprecated. Use `result.relevance` instead. (#2552) Josh Goebel
- `result.second_best.re` => `result.second_best.relevance` (#2552)
- `lexemes` is now deprecated in favor of `keywords.$pattern` key (#2519) Josh Goebel
- `endSameAsBegin` is now deprecated. (#2261) Josh Goebel

Language Improvements:
- `readonly` keyword (#2562) Martin (Lhoerion)
- `OPTIMIZE:` and `HACK:` to the labels highlighted inside comments Josh Goebel
- `pair`, `make_pair`, `priority_queue` as built-ins (#2538) Hankun Lin
- `priority_queue`, `pair` as cpp containers (#2541) Hankun Lin
- `set` keyword conflicting with setTimeout, etc. (#2514) Vania Kucher
- `=>` function with nested `()` in params now works (#2502) Josh Goebel
- `@objcMembers` was being partially highlighted (#2543) Nick Randall
- `late` and `required` keywords, the `Never` built-in type, and nullable built-in types (#2550) Sam Rawlins

v10.0.3
v10.0.2
Browser build:
Parser Engine Changes:
v10.0.1
Parser Engine Changes:
v10.0.0
New languages:
- `python-repl` for Python REPL sessions

New themes:
Parser Engine Changes:
- `beginKeywords` to ignore `.` matches (#2434) Josh Goebel
- `before:highlight` plugin API callback (#2395) Josh Goebel
- `after:highlight` plugin API callback (#2395) Josh Goebel
- `name` attribute now (#2400) Josh Goebel
- `noHighlightRe` and `languagePrefixRe` configurable (#2374) Josh Goebel

Language Improvements:
- `compactMap` to keywords as built_in (#2478) Omid Golparvar
- `func` keyword (#2468) Adnan Yaqoob
- `defn-` properly (#2438) Josh Goebel
- `@identifier` style identifiers (#2414) Josh Goebel
- `deny` and `allow` keywords Josh Goebel
- `<?=` syntax to meta Taufik Nurrohman
- `rpc` when followed by a block (#) Josh Goebel
- `where` keyword as class constraint (#2378) Josh Goebel
- `text` and `txt` as alias (#2360) Taufik Nurrohman

Developer Tools:
v9.18.1
Grammar Improvements:
v9.18.0
New languages:
New themes:
Core Changes:
Language Improvements:
- `block` and `endblock` keywords (#2343) Philipp Engel
- `A::typeName func(...)` (#2332) Josh Goebel
- `A::functionName` (#2332) Josh Goebel
- `int8_t`, etc. as function types (#2332) Josh Goebel

Developer Tools:
v9.17.1
Fixes:
v9.17.0
New languages:
New themes:
Core Improvements:
- `createElementNS` to `createElement` (#2314) Josh Goebel
- `self` mode at the top-level of a language (#2294) Josh Goebel

Language Improvements:
- `if` getting confused as an f-string (#2200) Josh Goebel and Carl Baxter
- `calc(2px+3px)` (#2241)

v9.16.2
New languages:
none.
New styles:
none.
Improvements:
v9.16.1
New languages:
none.
New styles:
Improvements:
- `!~` method definition (#2222)
- `@dynamicMemberLookup` and `@propertyWrapper` (#2202)
- `endWithParent` inside `starts` now always works (#2201)
- `vbscript` as potential script tag subLanguage
- `future` built-in (#1610)

v9.15.10
New languages:
none.
New styles:
none.
Improvements:
- `script` tags (#1690)

v9.15.9
Improvements:
v9.15.8
New languages:
none.
New styles:
none.
Improvements:
v9.15.7
New languages:
none.
New styles:
none.
Improvements:
v9.15.6
New languages:
none.
New styles:
none.
Improvements:
v9.15.5
New languages:
none.
New styles:
none.
Improvements:
🔥 Hot fix: updated build tool.
v9.15.2
New languages:
none.
New styles:
none.
Improvements:
🔥 Hot fix that was preventing highlight.js from installing.
v9.15.1
New languages:
none.
New styles:
none.
Improvements:
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.