[Security] Bump prismjs from 1.23.0 to 1.24.0 #134

dependabot-preview · 2021-06-28T18:43:50Z

Bumps prismjs from 1.23.0 to 1.24.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Regular Expression Denial of Service (ReDoS) in Prism Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS).

Impact

When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to highlight untrusted text.

ASCIIDoc

ERB

Other languages are not affected and can be used to highlight untrusted text.

Patches

This problem has been fixed in Prism v1.24.

References

Updated refa + fixed 2 cases of exponential backtracking PrismJS/prism#2774

Tests: Exhaustive pattern tests PrismJS/prism#2688

Affected versions: < 1.24.0

Release notes

Sourced from prismjs's releases.

v1.24.0

Release 1.24.0

Changelog

Sourced from prismjs's changelog.

1.24.0 (2021-06-27)

New components

CFScript (#2771) b0a6ec85

ChaiScript (#2706) 3f7d7453

COBOL (#2800) 7e5f78ff

Coq (#2803) 41e25d3c

CSV (#2794) f9b69528

DOT (Graphviz) (#2690) 1f91868e

False (#2802) 99a21dc5

ICU Message Format (#2745) bf4e7ba9

Idris (#2755) e9314415

Jexl (#2764) 7e51b99c

KuMir (КуМир) (#2760) 3419fb77

Log file (#2796) 2bc6475b

Nevod (#2798) f84c49c5

OpenQasm (#2797) 1a2347a3

PATROL Scripting Language (#2739) 18c67b49

Q# (#2804) 1b63cd01

Rego (#2624) e38986f9

Squirrel (#2721) fd1081d2

URI (#2708) bbc77d19

V (#2687) 72962701

Wolfram language & Mathematica & Mathematica Notebook (#2921) c4f6b2cc

Updated components

Fixed problems reported by regexp/no-dupe-disjunctions (#2952) f471d2d7

Fixed some cases of quadratic worst-case runtime (#2922) 79d22182

Fixed 2 cases of exponential backtracking (#2774) d85e30da

AQL

Update for ArangoDB 3.8 (#2842) ea82478d

AutoHotkey

Improved tag pattern (#2920) fc2a3334

Bash

Accept hyphens in function names (#2832) e4ad22ad

Fixed single-quoted strings (#2792) e5cfdb4a

C++

Added support for generic functions and made :: punctuation (#2814) 3df62fd0

Added missing keywords and modules (#2763) 88fa72cf

Dart

Improved support for classes & generics (#2810) d0bcd074

Docker

Improvements (#2720) 93dd83c2

Elixir

Added missing keywords (#2958) 114e4626

Added missing keyword and other improvements (#2773) e6c0d298

Added defdelagate keyword and highlighting for function/module names (#2709) 59f725d7

F#

... (truncated)

Commits

3432b4b 1.24.0
46d0720 Updated .npmignore (#2971)
aef7f08 Changelog for v1.24.0 (#2965)
e9477d8 Markdown: Improved code snippets (#2967)
4b55bd6 Made Match Braces and Custom Class compatible (#2947)
e8d3b50 ESLint: Added regexp/strict rule (#2944)
bfd7fde GraphQL: Fixed definition-query and definition-mutation tokens (#2964)
14e3868 Fixed reST test
a7656de reST: Fixed inline pattern (#2946)
b4ac061 ESLint: Use cache (#2959)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by rundevelopment, a new releaser for prismjs since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in the .dependabot/config.yml file in this repo:

Update frequency
Out-of-range updates (receive only lockfile updates, if desired)
Security updates (receive only security updates, if desired)

Bumps [prismjs](https://github.com/PrismJS/prism) from 1.23.0 to 1.24.0. **This update includes a security fix.** - [Release notes](https://github.com/PrismJS/prism/releases) - [Changelog](https://github.com/PrismJS/prism/blob/master/CHANGELOG.md) - [Commits](PrismJS/prism@v1.23.0...v1.24.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Jun 28, 2021

dependabot-preview bot force-pushed the dependabot/npm_and_yarn/prismjs-1.24.0 branch from e877ce7 to 304e26d Compare July 14, 2021 11:56

github-actions bot added the PR: out-of-date label Jan 11, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] Bump prismjs from 1.23.0 to 1.24.0 #134

[Security] Bump prismjs from 1.23.0 to 1.24.0 #134

dependabot-preview bot commented Jun 28, 2021 •

edited

Loading

[Security] Bump prismjs from 1.23.0 to 1.24.0 #134

Are you sure you want to change the base?

[Security] Bump prismjs from 1.23.0 to 1.24.0 #134

Conversation

dependabot-preview bot commented Jun 28, 2021 • edited Loading

Impact

Patches

References

v1.24.0

1.24.0 (2021-06-27)

New components

Updated components

dependabot-preview bot commented Jun 28, 2021 •

edited

Loading