Skip to content

chore(monorepo): update pnpm-workspace.overrides markdown-it to >=14.1.1 [security]#215

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-markdown-it-vulnerability
Open

chore(monorepo): update pnpm-workspace.overrides markdown-it to >=14.1.1 [security]#215
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-markdown-it-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 9, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
markdown-it >=14.1.0>=14.1.1 age confidence

markdown-it is has a Regular Expression Denial of Service (ReDoS)

CVE-2026-2327 / GHSA-38c4-r59v-3vqw

More information

Details

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.

Severity

  • CVSS Score: 5.5 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

markdown-it/markdown-it (markdown-it)

v14.1.1

Compare Source

Security
  • Fixed regression from v13 in linkify inline rule. Specific patterns could
    cause high CPU use. Thanks to @​ltduc147 for report.

Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Upgrade or downgrade of project dependencies. label Apr 9, 2026
@renovate renovate Bot requested a review from a team April 9, 2026 00:34
@renovate renovate Bot requested review from a team and sullivanpj as code owners April 9, 2026 00:34
@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Apr 9, 2026

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

@renovate renovate Bot enabled auto-merge (squash) April 9, 2026 00:34
@renovate renovate Bot added the dependencies Upgrade or downgrade of project dependencies. label Apr 9, 2026
@deepsource-io
Copy link
Copy Markdown

deepsource-io Bot commented Apr 9, 2026
edited
Loading

DeepSource Code Review

We reviewed changes in 242a5a8...0770a6f on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade   Security  

Reliability  

Complexity  

Hygiene  

Code Review Summary

Analyzer Status Updated (UTC) Details
JavaScript May 18, 2026 12:37p.m. Review ↗
Shell May 18, 2026 12:37p.m. Review ↗

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

@renovate renovate Bot changed the title chore(monorepo): update pnpm-workspace.overrides markdown-it to >=14.1.1 [security] chore(monorepo): update pnpm-workspace.overrides markdown-it to >=14.1.1 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
auto-merge was automatically disabled April 27, 2026 17:55

Pull request was closed

@renovate renovate Bot deleted the renovate/npm-markdown-it-vulnerability branch April 27, 2026 17:55
@renovate renovate Bot changed the title chore(monorepo): update pnpm-workspace.overrides markdown-it to >=14.1.1 [security] - autoclosed chore(monorepo): update pnpm-workspace.overrides markdown-it to >=14.1.1 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-markdown-it-vulnerability branch 3 times, most recently from fb1f18f to 0dabef2 Compare April 29, 2026 09:38
@renovate renovate Bot enabled auto-merge (squash) April 29, 2026 09:38
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Apr 29, 2026
edited
Loading

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

@renovate renovate Bot force-pushed the renovate/npm-markdown-it-vulnerability branch from 0dabef2 to 955e7ec Compare May 12, 2026 10:16
@renovate renovate Bot force-pushed the renovate/npm-markdown-it-vulnerability branch from 955e7ec to 0770a6f Compare May 18, 2026 12:36
@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 18, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addeddefu@​6.1.41008510086100
Addedtslib@​2.8.110010010085100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sullivanpj sullivanpj Awaiting requested review from sullivanpj sullivanpj is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Upgrade or downgrade of project dependencies.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants