fix(deps): update dependency katex to v0.16.21 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
katex (source)	0.16.10 -> 0.16.21

GitHub Vulnerability Alerts

CVE-2025-23207

Impact

KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML.

Patches

Upgrade to KaTeX v0.16.21 to remove this vulnerability.

Workarounds

• Avoid use of or turn off the trust option, or set it to forbid \htmlData commands.
• Forbid inputs containing the substring "\\htmlData".
• Sanitize HTML output from KaTeX.

Details

\htmlData did not validate its attribute name argument, allowing it to generate invalid or malicious HTML that runs scripts.

For more information

If you have any questions or comments about this advisory:

• Open an issue or security advisory in the KaTeX repository
• Email us at [email protected]

---

Release Notes

KaTeX/KaTeX (katex)

v0.16.21

Compare Source

Bug Fixes

• escape \htmlData attribute name (57914ad)

v0.16.20

Compare Source

Bug Fixes

• \providecommand does not overwrite existing macro (#​4000) (6d30fe4), closes #​3928

v0.16.19

Compare Source

Bug Fixes

• types: improve strict function type (#​4009) (4228b4e)

v0.16.18

Compare Source

Bug Fixes

• Actually publish TypeScript type definitions (#​4008) (629b873)

v0.16.17

Compare Source

Bug Fixes

• MathML combines multidigit numbers with sup/subscript, comma separators, and multicharacter text when outputting to DOM (#​3999) (7d79e22), closes #​3995

v0.16.16

Compare Source

Features

• ESM exports, TypeScript types (#​3992) (ea9c173)

v0.16.15

Compare Source

Features

• italic sans-serif in math mode via \mathsfit command (#​3998) (2218901)

v0.16.14

Compare Source

Features

• \dddot and \ddddot support (#​3834) (bda35cd), closes #​2744

v0.16.13

Compare Source

Bug Fixes

• \vdots and \rule support in text mode (#​3997) (0e08352), closes #​3990

v0.16.12

Compare Source

Features

• css: configurable margin for display math (#​3638) (3405001)

v0.16.11

Compare Source

Features

• add \emph (#​3963) (9f34da4), closes #​3566

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report↗︎

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher

🚮 Removed packages: npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎