This repository has been archived by the owner on Oct 1, 2024. It is now read-only.
Update dependency prismjs to v1.27.0 [SECURITY] #75
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.15.0
->1.27.0
GitHub Vulnerability Alerts
CVE-2020-15138
Impact
The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer.
This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the Previewers plugin (>=v1.10.0) or the Previewer: Easing plugin (v1.1.0 to v1.9.0).
Patches
This problem is patched in v1.21.0.
Workarounds
To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.
References
The vulnerability was introduced by this commit on Sep 29, 2015 and fixed by Masato Kinugawa (#2506).
For more information
If you have any questions or comments about this advisory, please open an issue.
CVE-2021-23341
The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the
prism-asciidoc
,prism-rest
,prism-tap
andprism-eiffel
components.CVE-2021-32723
Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS).
Impact
When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to highlight untrusted text.
Other languages are not affected and can be used to highlight untrusted text.
Patches
This problem has been fixed in Prism v1.24.
References
CVE-2021-3801
Prism is a syntax highlighting library. The prismjs package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide a crafted HTML comment as input may cause an application to consume an excessive amount of CPU.
CVE-2022-23647
Impact
Prism's Command line plugin can be used by attackers to achieve an XSS attack. The Command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code.
Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted.
Patches
This bug has been fixed in v1.27.0.
Workarounds
Do not use the Command line plugin on untrusted inputs, or sanitized all code blocks (remove all HTML code text) from all code blocks that use the Command line plugin.
References
Release Notes
PrismJS/prism (prismjs)
v1.27.0
Compare Source
New components
3f8cc5a0
Updated components
bcb2e2c8
section
fromkeyword
toselector
(#3305)e46501b9
header
forsection
(#3304)deb3a97f
8458c41f
$
(#3320)d6c53726
441a1422
operator
forpunctuation
(#3306)2eb89e15
Updated plugins
e002e78c
1784b175
82d0ca15
Other
2cc4660b
v1.26.0
Compare Source
New components
b5a70e4c
8476a9ab
d908e457
ec25ba65
ef53f021
Updated components
\d
for[0-9]
(#3097)9fe2f93e
929c33e0
class-name
standard token (#3182)9f5e511d
fa540ab7
ino
alias (#2990)5b7ce5e4
c7809285
node
to known commands (#3291)4b19b502
vcpkg
command (#3282)b351bc69
docker
andpodman
commands (#3237)8c5ed251
d7017beb
variable
and minor improvements (#3186)4cebf34c
directive
greedy (#3112)5c412cbb
char
token (#3207)d85a64ae
char
token (#3270)220bc40f
9ed4cf6e
char
token (#3188)1c88c7da
7b34e65d
a943f2bb
2f9672aa
51e3ecc0
symbol
token name (#3195)6af8a644
dafdbdec
e1370357
532212b2
property
forkey
; alias withattr-name
(#3272)bee6ad56
builtin
name (#3198)6add768b
736c581d
336edeea
char
token (#3271)b58cd722
ee7ab563
operator
token and added tests (#3114)d359eeae
char
token and improvedstring
andnumber
tokens (#3208)f11b86e2
8494519e
symbol
alias for filter names (#3210)3d410670
005ba469
f41bcf23
81920b62
3362fc79
22d0c6ba
0f1b5810
3d708b97
15cb3b78
c2afa59b
5af16014
char
token (#3217)0a9f909c
fa55492b
cfb2e782
number
pattern (#3149)5a24cbff
3b2238fa
dfbb2020
233415b8
23d9aec1
char
token (#3223)3a876df0
baa95cab
char
token and improved string interpolation (#3225)563cd73e
6b168a3b
05e7ab04
defun
(#3130)e8f84a6c
21a3c2d7
00f77a2c
e9b856c8
c6574e6b
c1025aa6
642d93ec
7b72e0ad
char
token and made some tokens greedy (#3231)2334b4b6
75331bea
5bf6e35f
dc1e808f
comment
greedy (#3234)969f152a
adcc8784
55583fb2
string
token (#3235)8e0e95f3
7bcc5da0
314d6994
a3905c04
f053af13
boolean
token (#3248)a5b6c5eb
f22ea9f9
ee62a080
scope
andthis
(#3243)59ef51db
e7ba877b
5688f487
data-type
alternative (#3122)eeb13996
d30a2da6
5ee8c557
bacf9ae3
0390e644
asm
token (#3123)f3b25786
comment
greedy (#3249)8ecef306
match
andcase
(soft) keywords (#3142)3f24dc72
18bd101c
2c63efa6
string
greedy (#3250)1e6dcb51
18c92048
parameter
token (#3090)0a313f4f
809af0d9
4dde2e20
ede55b2c
char
token (#3252)2069ab0c
86028adb
type-definition
and use standard tokens correctly (#3253)4049e5c6
char
token (#3254)7d740c45
4eb81fa1
char
token (#3255)a7bb3001
boolean
token (#3100)51382524
acc0bc09
4e00cddd
char
token (#3256)58a65bfd
afd77ed1
d04d166d
isolated
keyword (#3174)18c828a6
3ef71533
regex
token (#3257)c56e4bf5
e03a7c24
91060fd6
599e30ee
char
token (#3260)e4373256
43124129
aa73d448
a28a86ad
ffd8343f
deed35e3
char
token (#3264)c3f9fb70
09a0e2ba
Updated plugins
d38592c5
drop-tokens
option class (#3166)b679cfe6
highlightLines
function asPrism.plugins.highlightLines
(#3086)9f4c0e74
z-index
of.toolbar
to 10 (#3163)1cac3559
Updated themes
z-index
to make shadows visible in colored table cells (#3161)79f250f3
a6a4ce7e
Other
setLanguage
util function (#3167)b631949a
a80a68ba
disableWorkerMessageHandler
(#3088)213cf7be
.html.test
files for replace.js
language tests (#3148)2e834c8c
5333e281
TestCaseFile
class and generalizedrunTestCase
(#3147)ae8888a0
344d0b27
a394a14d
2f7f7364
package.json
: Addedengines.node
field (#3108)798ee4f6
package(-lock).json
(#3098)8daebb4a
[email protected]
(#3091)e6e1d5ae
d63d6c0e
6f1d904a
6c21b2f7
9d5424b6
cefccdd1
0ecdbdce
4433d7fe
746da79b
ebd59e32
37551200
31b4c1b8
ea361e5a
c5629706
faedfe85
3d96eedc
v1.25.0
Compare Source
New components
746a4b1a
87e5a376
c1dce998
23cd9b65
4f97b82b
ea776756
e008ea05
a1b67ce3
4fbdd2f8
148c1eca
4433ccfc
8df825e0
6a356d25
Updated components
748bb9ac
with
keyword & improved record support (#2993)fdd291c0
record
,init
, andnullable
keyword (#2991)9b561565
from
keyword (#2970)158f25d4
5de8947f
8d0b74b5
9c8911bd
693b7433
empty
keyword (#2997)fe3bc526
b0365e70
52e8cee9
0ff371bb
∀
a keyword (alias forforall
) (#3005)b38fc89a
679539ec
6f5d68f7
14fdfe32
35b88fcf
4492b62b
8541db2e
@propertyWrapper
,@MainActor
, and@globalActor
(#3009)ce5e0f01
bb93fac0
212e0ef2
Updated plugins
5126d1e1
e289ec60
63edf14c
c7b6a7f6
Updated themes
ffb20439
Other
44456b21
e997dd35
d216e602
247fd9a3
v1.24.1
Compare Source
Updated components
151121cd
Updated plugins
748ecddc
v1.24.0
Compare Source
New components
b0a6ec85
3f7d7453
7e5f78ff
41e25d3c
f9b69528
1f91868e
99a21dc5
bf4e7ba9
e9314415
7e51b99c
3419fb77
2bc6475b
f84c49c5
1a2347a3
18c67b49
1b63cd01
e38986f9
fd1081d2
bbc77d19
72962701
c4f6b2cc
Updated components
regexp/no-dupe-disjunctions
(#2952)f471d2d7
79d22182
d85e30da
ea82478d
fc2a3334
e4ad22ad
e5cfdb4a
::
punctuation (#2814)3df62fd0
88fa72cf
d0bcd074
93dd83c2
114e4626
e6c0d298
defdelagate
keyword and highlighting for function/module names (#2709)59f725d7
a5d7178c
definition-query
anddefinition-mutation
tokens (#2964)bfd7fded
34f24ac9
hbs
alias (#2874)43976351
1dfc8271
6183fd9b
4e7b2a82
42d24fa2
4ec7535c
ab7c9953
415651a0
9c610ae6
022f90a0
abab9104
cf28d1b2
ac1d12f9
45ec4a88
e9477d83
wrap
hook (#2719)2b355c98
8dbbbb35
5943f4cb
87d79390
cf3755cb
fn
keyword (#2858)e0ee93f1
7e8cd40d
8019e2f6
f79b0eef
04ef309c
01af04ed
9f59f52d
30b0444f
inline
pattern (#2946)a7656de6
20b77bff
3786f396
f08c2f7f
0e61a7e1
1c6c0bf3
cda976b1
c83fd0b8
ILIKE
operator (#2704)6e34771f
some
keyword (#2756)cf354ef5
fe98d536
31cc2142
a68f1fb6
REM
is no longer highlighted as a keyword in comments (#2823)ebbbfd47
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.