Skip to content

[Snyk] Security upgrade markdown-it from 9.1.0 to 14.0.0#100

Open
cjrobbertse-ob wants to merge 1 commit into
masterfrom
snyk-fix-34f38bcbef48311f4b3c294d95862862
Open

[Snyk] Security upgrade markdown-it from 9.1.0 to 14.0.0#100
cjrobbertse-ob wants to merge 1 commit into
masterfrom
snyk-fix-34f38bcbef48311f4b3c294d95862862

Conversation

@cjrobbertse-ob

Copy link
Copy Markdown
Contributor

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

  • package.json
  • yarn.lock

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-LINKIFYIT-17817062
  721  

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

@cjrobbertse-ob

Copy link
Copy Markdown
Contributor Author

Merge Risk: High

The upgrade of markdown-it from v9.1.0 to v14.0.0 is a major update spanning five major versions. It introduces significant breaking changes, most notably the transition to an ES Module (ESM) package format.

Key Breaking Changes:

  • ESM Rewrite (v14.0.0): The package has been rewritten to use ES Modules. While a CJS fallback is provided, this can break existing require() statements in Node.js environments or require configuration changes in bundlers and test runners.
  • Plugin and API Incompatibility: Internal APIs and token structures have changed across multiple versions. Plugins written for v9 are unlikely to be compatible with v14. For example:
    • The highlight function signature was changed in v10.0.0 to include a third attrs argument.
    • Table rendering was rewritten in v10.0.0 to align with GFM specifications, which could affect styling and plugins that interact with tables.
    • Internal token handling changed in v13.0.0, which could break custom rules.
  • Browser and Environment Support (v14.0.0): Support for older browsers has been dropped as the library now uses modern JavaScript features.

Recommendation:
This upgrade requires careful migration. Developers must:

  1. Verify their import statements (require vs. import) are compatible with the new ESM-first package.
  2. Review and update all markdown-it plugins to ensure they are compatible with v14.
  3. Test rendering output, especially for tables and code blocks using custom highlighters, as behavior has changed.

Source: Official Changelog

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants