Update dependency prismjs to v1.30.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
prismjs	1.29.0 → 1.30.0

---

PrismJS DOM Clobbering vulnerability

CVE-2024-53382 / GHSA-x7hr-w5r2-h6wg

More information

Details

Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

Severity

• CVSS Score: 4.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-53382
• https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660
• https://github.com/PrismJS/prism/blob/59e5a3471377057de1f401ba38337aca27b80e03/prism.js#L226-L259
• https://github.com/PrismJS/prism/pull/3863
• https://github.com/PrismJS/prism/commit/8e8b9352dac64457194dd9e51096b4772532e53d
• https://github.com/advisories/GHSA-x7hr-w5r2-h6wg

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

PrismJS/prism (prismjs)

v1.30.0

Compare Source

What's Changed

• check that currentScript is set by a script tag by @​lkuechler in #​3863

New Contributors

• @​lkuechler made their first contribution in #​3863

Full Changelog: PrismJS/prism@v1.29.0...v1.30.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.