Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade commonmark from 0.28.1 to 0.30.0 #3

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

snyk-bot
Copy link

Snyk has created this PR to upgrade commonmark from 0.28.1 to 0.30.0.

merge advice
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 5 versions ahead of your current version.
  • The recommended version was released a month ago, on 2021-06-20.
Release notes
Package name: commonmark
  • 0.30.0 - 2021-06-20
    • Update tests to 0.30 spec.txt.
    • Fix commonmark/cmark#383. Our optimization for emphasis parsing
      was flawed, leading to some corner cases where nested emphasis was
      parsed incorrectly.
    • Allow user to specify a function to escape the output (#217, newfivefour).
    • Simplify reThematicBreak.
    • Fix documentation for node.listType (TheWastl). The parser produces
      lowercase strings, but the README said the strings are capitalized.
    • Fix handling of type 7 HTML blocks (#213).
      They can't interrupt paragraphs (even with laziness).
    • Fix link label normalization with backslash before newline (#211).
    • Only match punctuation at the beginning of the string (Vladimir Pouzanov).
      This makes the punctuation use match reUnicodeWhitespaceChar usage
      in scanDelims. It's effectively a no-op, as char_after is expected
      to only contain a single character anyways.
    • Recognize '01' as start number 1 (#207).
    • Use rollup --banner to include license info.
    • Remove dist files from the repository. Instead we now generate them
      with pretest and prepublish scripts.
    • Simplify dingus Makefile.
    • Fix an iframe loading timing issue in the dingus (icyrockcom).
      Closes commonmark/commonmark-spec-web#15.
  • 0.29.3 - 2020-12-05
    • Fix some rough edges around ES modules (Kyle E. Mitchell)
      (#195, #201, #203):
      • Set module types via package.json files in subdirectories.
        A number of JavaScript files were rewritten as ES
        Modules, but their extensions remained .js. That
        extension is ambiguous to newer version of the Node.js
        runtime, which can load both CommonJS modules and ES
        Modules. To fix this, we add package.json files with
        type properties to the various subdirectories. Setting
        type to "module" tells Node.js to interpret .js
        files in that directory and below as ES Modules.
        Otherwise, Node.js falls back on the package.json at
        root, which currently sets type to "commonjs".
      • Make benchmark and test use commonjs again.
      • bin: remove use of ESM and use require('../').
        Node.js version 14, which supports ES Modules without any flag or the
        esm package, is currently in long-term support. But a great many
        folks still run older version of Node.js that either don't support ES
        Modules at all or hide that support behind a feature flag.
      • Import specific functions from entities package.
      • Update "Basic Usage" comment in lib/index.js.
    • Remove package-lock.json (Kyle E. Mitchell).
    • Fix 'make test' target so that dist is built.
    • reHtmlTag: don't use case-insensitive matching (#193).
      The spec specifies uppercase for declarations and CDATA.
    • Handle piped input from stdin in windows. Use file descriptor 0
      instead of '/dev/stdin'. Note that this allows piping but doesn't
      handle the case where users run bin/commonmark and enter input
      directly. See #198 for some relevant discussion.
    • Configure GitHub Actions to test on Node.js 14 and 15 (Kyle E. Mitchell).
    • Allow EOL in processing instructions (#196).
  • 0.29.2 - 2020-09-10
    • Use ES modules (Iddan Aaronsohn).
    • Improve and simplify reference link normalization (#168).
      We now use the built in str.toLowerCase().toUpperCase(), which
      @ rlidwka has shown does an accurate unicode case fold.
      This allows us to remove a huge lookup table and should
      both decrease the size of the library and speed things up.
    • Fix end source position for nested or indented fenrced code blocks.
      Improves on earlier fix to #141, which only worked for code blocks
      flush with the left margin.
    • Upgrade to entities 2.0+.
    • Fix generation of dist files for dingus.
    • Use esm for bin/commonmark, bench, test.
    • Use rollup uglify plugin to create minified dist.
    • Move dev dependencies to proper place in package.json.
    • Use rollup instead of browserify (Iddan Aaronsohn).
    • Reformat code with prettier (Iddan Aaronsohn).
    • Replace travis CI with GitHub Actions CI.
    • Bump versions of software to benchmark against.
    • Change jgm/commonmark.js to commonmark/commonmark.js (#126).
    • Security audit fixes.
    • Remove obsolete spec2js.js script
    • Remove test on node 9 and under. Only support actively maintained
      versions.
    • Run npm lint in ci.
  • 0.29.1 - 2020-01-09
    • Export Renderer (#162, Federico Ramirez). Export the Renderer
      class so consumers can use it as a base class for their own custom
      Renderer's. [API change]
    • Fix end source position for fenced code and raw HTML (#141).
    • Ensure that \ is treated as punctuation character (#161).
    • Remove redundant token from reHtmlBlockOpen (Vas Sudanagunta).
    • Remove unused variable reWhitespace.
    • Don't decode url before encoding it again (Daniel Berndt).
    • Don't allow link destinations with unbalanced unescaped parens (#177).
    • Don't put quote delims on stack if not --smart.
    • Don't add to delim stack if !can_open && !can_close (#172).
    • Remove no longer used argument to escapeXml (#169, Robin Stocker).
    • Avoid numerical conversion for file names in argv (#164, Alex Kocharin).
    • Adapt existing encoding-based regression test and add %25-based
      regression test (Daniel Berndt).
    • Add pathological test for #172 illustrating quadratic time bug.
    • Fix pathological case commonmark/cmark#178.
    • Add pathological test for cmark#178.
    • Dingus: remove debugging console.log.
    • Sync .editorconfig indent_size to actual (#178, Vas Sudanagunta).
    • Add lint rule for unused variables
    • Apply npm audit suggestions.
    • Fixed invalid package.json dependency entries (Vas Sudanagunta).
  • 0.29.0 - 2019-04-08
    • Update spec to 0.29.
    • Fix parsing of setext headers after reference link definitions.
    • Fix code span normalization to conform to spec change.
    • Allow empty destinations in link refs. See Empty destinations in link references commonmark/commonmark-spec#172.
    • Update link destination parsing.
    • dingus: add dependency version requirements (#159, Vas Sudanagunta). Dingus was rendering incorrectly with Bootstrap 4. Added a bower.json which requires Bootstrap, jQuery and Lodash with major version equal to what's currently live. Likewise the minimum patch version.
    • package.json: Add version for bower in devDependencies.
    • package.json - use ^ operator for versions.
    • Allow internal delim runs to match if both have lengths that are multiples of 3. See Interior strong+emph not parsed commonmark/commonmark-spec#528.
    • Remove now unused 'preserve_entities' option on escapeXml. This was formerly used (incorrectly) in the HTML renderer. It isn't needed any more. [API change]
    • html renderer: Don't preserve entities when rendering href, src, title, info string. This gives rise to double-encoding errors, when the original markdown is e.g. :, since the commonmark reader already unescapes entities. Thanks to Sebastiaan Knijnenburg for noticing this.
    • More efficient checking for loose lists. This fixes a case like commonmark/cmark#284.
    • Disallow unescaped ( in parenthesized link title.
    • Add pathological test (commonmark/cmark#285).
    • Comment out failing pathological test for now.
    • Add pathological tests for #157.
    • Fix two exponential regex backtracking vulnerabilities (#157, Anders Kaseorg). ESCAPED_CHAR already matches \\, so matching it again in another alternative was causing exponential complexity explosion. This makes the following behavior changes: [foo\\\] is no longer incorrectly accepted as a link reference. <foo\> is no longer incorrectly accepted as an angle-bracketed link destination.
    • package.json: require lodash >= 4.17.11.
    • Require cached-path-relative >= 1.0.2. This fixes a security vulnerability, but it's only in the dev dependencies.
    • Update fenced block parsing for spec change.
    • Require space before title in reference link. See commonmark/cmark#263.
    • Update code span normalization for spec change.
    • Removed meta from list of block tags. See commonmark/commonmark-spec#527.
    • make dist: ensure that comment line is included in dist files (#144). Also change URL to CommonMark/commonmark.js.
    • Use local development dependencies (#142, Lynn Kirby). Packages used during development are now listed in devDependencies of package.json. Makefiles are updated to use those local versions. References to manually installing packages are removed from README.md and bench/bench.js. The package-lock.json file used in newer NPM versions is also added.
    • Allow spaces in pointy-bracket link destinations.
    • Adjust max length for decimal/numeric entities. See commonmark/commonmark-spec#487.
    • Don't allow escaped spaces in link destination. Closes commonmark/commonmark-spec#493.
    • Don't allow list items that are indented >= 4 spaces. See commonmark/commonmark-spec#497.
  • 0.28.1 - 2017-08-02
    • Update changelog (omitted in 0.28.0 release)
from commonmark GitHub release notes
Commit messages
Package name: commonmark

Compare


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

@pull-request-quantifier-deprecated

This PR has 2 quantified lines of changes. In general, a change size of upto 200 lines is ideal for the best PR experience!


Quantification details

Label      : Extra Small
Size       : +1 -1
Percentile : 0.8%

Total files changed: 1

Change summary by file extension:
.json : +1 -1

Change counts above are quantified counts, based on the PullRequestQuantifier customizations.

Why proper sizing of changes matters

Optimal pull request sizes drive a better predictable PR flow as they strike a
balance between between PR complexity and PR review overhead. PRs within the
optimal size (typical small, or medium sized PRs) mean:

  • Fast and predictable releases to production:
    • Optimal size changes are more likely to be reviewed faster with fewer
      iterations.
    • Similarity in low PR complexity drives similar review times.
  • Review quality is likely higher as complexity is lower:
    • Bugs are more likely to be detected.
    • Code inconsistencies are more likely to be detetcted.
  • Knowledge sharing is improved within the participants:
    • Small portions can be assimilated better.
  • Better engineering practices are exercised:
    • Solving big problems by dividing them in well contained, smaller problems.
    • Exercising separation of concerns within the code changes.

What can I do to optimize my changes

  • Use the PullRequestQuantifier to quantify your PR accurately
    • Create a context profile for your repo using the context generator
    • Exclude files that are not necessary to be reviewed or do not increase the review complexity. Example: Autogenerated code, docs, project IDE setting files, binaries, etc. Check out the Excluded section from your prquantifier.yaml context profile.
    • Understand your typical change complexity, drive towards the desired complexity by adjusting the label mapping in your prquantifier.yaml context profile.
    • Only use the labels that matter to you, see context specification to customize your prquantifier.yaml context profile.
  • Change your engineering behaviors
    • For PRs that fall outside of the desired spectrum, review the details and check if:
      • Your PR could be split in smaller, self-contained PRs instead
      • Your PR only solves one particular issue. (For example, don't refactor and code new features in the same PR).

How to interpret the change counts in git diff output

  • One line was added: +1 -0
  • One line was deleted: +0 -1
  • One line was modified: +1 -1 (git diff doesn't know about modified, it will
    interpret that line like one addition plus one deletion)
  • Change percentiles: Change characteristics (addition, deletion, modification)
    of this PR in relation to all other PRs within the repository.


Was this comment helpful? 👍  :ok_hand:  :thumbsdown: (Email)
Customize PullRequestQuantifier for this repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant