Skip to content

fix(deps): update dependency markdown-it to v14 [security]#77

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-markdown-it-vulnerability
Open

fix(deps): update dependency markdown-it to v14 [security]#77
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-markdown-it-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 14, 2026

This PR contains the following updates:

Package Change Age Confidence
markdown-it ^13.0.1^14.0.0 age confidence

GitHub Vulnerability Alerts

CVE-2026-2327

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.

Release Notes

markdown-it/markdown-it (markdown-it)

v14.1.1

Compare Source

Security
  • Fixed regression from v13 in linkify inline rule. Specific patterns could
    cause high CPU use. Thanks to @​ltduc147 for report.

v14.1.0

Compare Source

Changed
  • Updated CM spec compatibility to 0.31.2, #​1009.
Fixed
  • Fixed quadratic complexity when parsing references, #​996.
  • Fixed quadratic output size with pathological user input in tables, #​1000.

v14.0.0

Compare Source

Changed
  • Drop ancient browsers support (use .fromCodePoint and other features).
  • Rewrite to ESM (including all plugins/deps). CJS fallback still available.
    No signatures changed, except markdown-it-emoji plugin.
  • Dropped dist/ folder from repo, build on package publish.
  • Set punicode.js as external dependency.
Fixed
  • Html tokens inside img alt are now rendered as their original text, #​896.
  • Hardbreaks inside img alt are now rendered as newlines.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@changeset-bot
Copy link

changeset-bot bot commented Feb 14, 2026

⚠️ No Changeset found

Latest commit: b1e7857

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants