fix(deps): update dependency prismjs to v1.25.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
prismjs	1.15.0 -> 1.25.0

GitHub Vulnerability Alerts

CVE-2020-15138

Impact

The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer.

This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the Previewers plugin (>=v1.10.0) or the Previewer: Easing plugin (v1.1.0 to v1.9.0).

Patches

This problem is patched in v1.21.0.

Workarounds

To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

References

The vulnerability was introduced by this commit on Sep 29, 2015 and fixed by Masato Kinugawa (#​2506).

For more information

If you have any questions or comments about this advisory, please open an issue.

CVE-2021-23341

The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

CVE-2021-32723

Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS).

Impact

When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to highlight untrusted text.

• ASCIIDoc
• ERB

Other languages are not affected and can be used to highlight untrusted text.

Patches

This problem has been fixed in Prism v1.24.

References

• PrismJS/prism#​2774
• PrismJS/prism#​2688

CVE-2021-3801

The prismjs package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide a crafted HTML comment as input may cause an application to consume an excessive amount of CPU.

---

Release Notes

PrismJS/prism

v1.25.0

Compare Source

New components

• AviSynth (#​3071) 746a4b1a
• Avro IDL (#​3051) 87e5a376
• Bicep (#​3027) c1dce998
• GAP (CAS) (#​3054) 23cd9b65
• GN (#​3062) 4f97b82b
• Hoon (#​2978) ea776756
• Kusto (#​3068) e008ea05
• Magma (CAS) (#​3055) a1b67ce3
• MAXScript (#​3060) 4fbdd2f8
• Mermaid (#​3050) 148c1eca
• Razor C# (#​3064) 4433ccfc
• Systemd configuration file (#​3053) 8df825e0
• Wren (#​3063) 6a356d25

Updated components

• Bicep
  • Added support for multiline and interpolated strings and other improvements (#​3028) 748bb9ac
• C#
  • Added with keyword & improved record support (#​2993) fdd291c0
  • Added record, init, and nullable keyword (#​2991) 9b561565
  • Added context check for from keyword (#​2970) 158f25d4
• C++
  • Fixed generic function false positive (#​3043) 5de8947f
• Clojure
  • Improved tokenization (#​3056) 8d0b74b5
• Hoon
  • Fixed mixed-case aura tokenization (#​3002) 9c8911bd
• Liquid
  • Added all objects from Shopify reference (#​2998) 693b7433
  • Added empty keyword (#​2997) fe3bc526
• Log file
  • Added support for Java stack traces (#​3003) b0365e70
• Markup
  • Made most patterns greedy (#​3065) 52e8cee9
  • Fixed ReDoS (#​3078) 0ff371bb
• PureScript
  • Made ∀ a keyword (alias for forall) (#​3005) b38fc89a
  • Improved Haskell and PureScript (#​3020) 679539ec
• Python
  • Support for underscores in numbers (#​3039) 6f5d68f7
• Sass
  • Fixed issues with CSS Extras (#​2994) 14fdfe32
• Shell session
  • Fixed command false positives (#​3048) 35b88fcf
  • Added support for the percent sign as shell symbol (#​3010) 4492b62b
• Swift
  • Major improvements (#​3022) 8541db2e
  • Added support for @propertyWrapper, @MainActor, and @globalActor (#​3009) ce5e0f01
  • Added support for new Swift 5.5 keywords (#​2988) bb93fac0
• TypeScript
  • Fixed keyword false positives (#​3001) 212e0ef2

Updated plugins

• JSONP Highlight
  • Refactored JSONP logic (#​3018) 5126d1e1
• Line Highlight
  • Extend highlight to full line width inside scroll container (#​3011) e289ec60
• Normalize Whitespace
  • Removed unnecessary checks (#​3017) 63edf14c
• Previewers
  • Ensure popup is visible across themes (#​3080) c7b6a7f6

Updated themes

• Twilight
  • Increase selector specificities of plugin overrides (#​3081) ffb20439

Other

• Infrastructure
  • Added benchmark suite (#​2153) 44456b21
  • Tests: Insert expected JSON by Default (#​2960) e997dd35
  • Tests: Improved dection of empty patterns (#​3058) d216e602
• Website
  • Highlight Keywords: More documentation (#​3049) 247fd9a3

v1.24.1

Compare Source

Updated components

• Markdown
  • Fixed Markdown not working in NodeJS (#​2977) 151121cd

Updated plugins

• Toolbar
  • Fixed styles being applies to nested elements (#​2980) 748ecddc

v1.24.0

Compare Source

New components

• CFScript (#​2771) b0a6ec85
• ChaiScript (#​2706) 3f7d7453
• COBOL (#​2800) 7e5f78ff
• Coq (#​2803) 41e25d3c
• CSV (#​2794) f9b69528
• DOT (Graphviz) (#​2690) 1f91868e
• False (#​2802) 99a21dc5
• ICU Message Format (#​2745) bf4e7ba9
• Idris (#​2755) e9314415
• Jexl (#​2764) 7e51b99c
• KuMir (КуМир) (#​2760) 3419fb77
• Log file (#​2796) 2bc6475b
• Nevod (#​2798) f84c49c5
• OpenQasm (#​2797) 1a2347a3
• PATROL Scripting Language (#​2739) 18c67b49
• Q# (#​2804) 1b63cd01
• Rego (#​2624) e38986f9
• Squirrel (#​2721) fd1081d2
• URI (#​2708) bbc77d19
• V (#​2687) 72962701
• Wolfram language & Mathematica & Mathematica Notebook (#​2921) c4f6b2cc

Updated components

• Fixed problems reported by regexp/no-dupe-disjunctions (#​2952) f471d2d7
• Fixed some cases of quadratic worst-case runtime (#​2922) 79d22182
• Fixed 2 cases of exponential backtracking (#​2774) d85e30da
• AQL
  • Update for ArangoDB 3.8 (#​2842) ea82478d
• AutoHotkey
  • Improved tag pattern (#​2920) fc2a3334
• Bash
  • Accept hyphens in function names (#​2832) e4ad22ad
  • Fixed single-quoted strings (#​2792) e5cfdb4a
• C++
  • Added support for generic functions and made :: punctuation (#​2814) 3df62fd0
  • Added missing keywords and modules (#​2763) 88fa72cf
• Dart
  • Improved support for classes & generics (#​2810) d0bcd074
• Docker
  • Improvements (#​2720) 93dd83c2
• Elixir
  • Added missing keywords (#​2958) 114e4626
  • Added missing keyword and other improvements (#​2773) e6c0d298
  • Added defdelagate keyword and highlighting for function/module names (#​2709) 59f725d7
• F#
  • Fixed comment false positive (#​2703) a5d7178c
• GraphQL
  • Fixed definition-query and definition-mutation tokens (#​2964) bfd7fded
  • Added more detailed tokens (#​2939) 34f24ac9
• Handlebars
  • Added hbs alias (#​2874) 43976351
• HTTP
  • Fixed body not being highlighted (#​2734) 1dfc8271
  • More granular tokenization (#​2722) 6183fd9b
  • Allow root path in request line (#​2711) 4e7b2a82
• Ini
  • Consistently mimic Win32 INI parsing (#​2779) 42d24fa2
• Java
  • Improved generics (#​2812) 4ec7535c
• JavaScript
  • Added support for import assertions (#​2953) ab7c9953
  • Added support for RegExp Match Indices (#​2900) 415651a0
  • Added hashbang and private getters/setters (#​2815) 9c610ae6
  • Improved contextual keywords (#​2713) 022f90a0
• JS Templates
  • Added SQL templates (#​2945) abab9104
• JSON
  • Fixed backtracking issue in Safari (#​2691) cf28d1b2
• Liquid
  • Added Markup support, missing tokens, and other improvements (#​2950) ac1d12f9
• Log file
  • Minor improvements (#​2851) 45ec4a88
• Markdown
  • Improved code snippets (#​2967) e9477d83
  • Workaround for incorrect highlighting due to double wrap hook (#​2719) 2b355c98
• Markup
  • Added support for DOM event attributes (#​2702) 8dbbbb35
• nginx
  • Complete rewrite (#​2793) 5943f4cb
• PHP
  • Fixed functions with namespaces (#​2889) 87d79390
  • Fixed string interpolation (#​2864) cf3755cb
  • Added missing PHP 7.4 fn keyword (#​2858) e0ee93f1
  • Fixed methods with keyword names + minor improvements (#​2818) 7e8cd40d
  • Improved constant support for PHP 8.1 enums (#​2770) 8019e2f6
  • Added support for PHP 8.1 enums (#​2752) f79b0eef
  • Class names at the start of a string are now highlighted correctly (#​2731) 04ef309c
  • Numeral syntax improvements (#​2701) 01af04ed
• React JSX
  • Added support for general spread expressions (#​2754) 9f59f52d
  • Added support for comments inside tags (#​2728) 30b0444f
• reST (reStructuredText)
  • Fixed inline pattern (#​2946) a7656de6
• Ruby
  • Added heredoc literals (#​2885) 20b77bff
  • Added missing regex flags (#​2845) 3786f396
  • Added missing regex interpolation (#​2841) f08c2f7f
• Scheme
  • Added support for high Unicode characters (#​2693) 0e61a7e1
  • Added bracket support (#​2813) 1c6c0bf3
• Shell session
  • Fixed multi-line commands (#​2872) cda976b1
  • Commands prefixed with a path are now detected (#​2686) c83fd0b8
• SQL
  • Added ILIKE operator (#​2704) 6e34771f
• Swift
  • Added some keyword (#​2756) cf354ef5
• TypeScript
  • Updated keywords (#​2861) fe98d536
  • Added support for decorators (#​2820) 31cc2142
• VB.Net
  • Improved strings, comments, and punctuation (#​2782) a68f1fb6
• Xojo (REALbasic)
  • REM is no longer highlighted as a keyword in comments (#​2823) ebbbfd47
  • Added last missing Keyword "Selector" (#​2807) e32e043b
  • Added missing keywords (#​2805) 459365ec

Updated plugins

• Made Match Braces and Custom Class compatible (#​2947) 4b55bd6a
• Consistent Prism check (#​2788) 96335642
• Command Line
  • Don't modify empty code blocks (#​2896) c81c3319
• Copy to Clipboard
  • Removed ClipboardJS dependency (#​2784) d5e14e1a
  • Fixed clipboard.writeText not working inside iFrames (#​2826) 01b7b6f7
  • Added support for custom styles (#​2789) 4d7f75b0
  • Make copy-to-clipboard configurable with multiple attributes (#​2723) 2cb909e1
• File Highlight
  • Fixed Prism check (#​2827) 53d34b22
• Line Highlight
  • Fixed linkable line numbers not being initialized (#​2732) ccc73ab7
• Previewers
  • Use classList instead of className (#​2787) d298d46e

Other

• Core
  • Add tabindex to code blocks to enable keyboard navigation (#​2799) dbf70515
  • Fixed greedy rematching reach bug (#​2705) b37987d3
  • Added support for plaintext (#​2738) 970674cf
• Infrastructure
  • Added ESLint
  • Added npm-run-all to clean up test command (#​2938) 5d3d8088
  • Added link to Q&A to issue templates (#​2834) 7cd9e794
  • CI: Run tests with NodeJS 16.x (#​2888) b77317c5
  • Dangerfile: Trim merge base (#​2761) 45b0e82a
  • Dangerfile: Fixed how changed files are determined (#​2757) 0feb266f
  • Deps: Updated regex tooling (#​2923) ad9878ad
  • Tests: Added --language for patterns tests (#​2929) a62ef796
  • Tests: Fixed polynomial backtracking test (#​2891) 8dbf1217
  • Tests: Fixed languages test discovery a9a199b6
  • Tests: Test discovery should ignore unsupported file extensions (#​2886) 4492c5ce
  • Tests: Exhaustive pattern tests (#​2688) 53151404
  • Tests: Fixed pretty print incorrectly calculating print width (#​2821) 5bc405e7
  • Tests: Automatically normalize line ends (#​2934) 99f3ddcd
  • Tests: Added --insert and --update parameters to language test (#​2809) 4c8b855d
  • Tests: Stricter components.json tests (#​2758) 933af805
• Website
  • Copy to clipboard: Fixed highlighting (#​2725) 7a790bf9
  • Readme: Mention npm ci (#​2899) 91f3aaed
  • Readme: Added Node and npm version requirements (#​2790) cb220168
  • Readme: Update link to Chinese translation (#​2749) 266cc700
  • Replace my.cdn in code sample with Handlebars-like placeholder (#​2906) 80471181
  • Set dummy domain for CDN (#​2905) 38f1d289
  • Added MySQL to "Used by" section (#​2785) 9b784ebf
  • Improved basic usage section (#​2777) a1209930
  • Updated URL in Autolinker example (#​2751) ec9767d6
  • Added React native tutorial (#​2683) 1506f345

v1.23.0

Compare Source

New components

• Apex (#​2622) f0e2b70e
• DataWeave (#​2659) 0803525b
• PromQL (#​2628) 8831c706

Updated components

• Fixed multiple vulnerable regexes (#​2584) c2f6a644
• Apache Configuration
  • Update directive-flag to match = (#​2612) 00bf00e3
• C-like
  • Made all comments greedy (#​2680) 0a3932fe
• C
  • Better class name and macro name detection (#​2585) 129faf5c
• Content-Security-Policy
  • Added missing directives and keywords (#​2664) f1541342
  • Do not highlight directive names with adjacent hyphens (#​2662) a7ccc16d
• CSS
  • Better HTML style attribute tokenization (#​2569) b04cbafe
• Java
  • Improved package and class name detection (#​2599) 0889bc7c
  • Added Java 15 keywords (#​2567) 73f81c89
• Java stack trace
  • Added support stack frame element class loaders and modules (#​2658) 0bb4f096
• Julia
  • Removed constants that are not exported by default (#​2601) 093c8175
• Kotlin
  • Added support for backticks in function names (#​2489) a5107d5c
• Latte
  • Fixed exponential backtracking (#​2682) 89f1e182
• Markdown
  • Improved URL tokenization (#​2678) 2af3e2c2
  • Added support for YAML front matter (#​2634) 5cf9cfbc
• PHP
  • Added support for PHP 7.4 + other major improvements (#​2566) 38808e64
  • Added support for PHP 8.0 features (#​2591) df922d90
  • Removed C-like dependency (#​2619) 89ebb0b7
  • Fixed exponential backtracking (#​2684) 37b9c9a1
• Sass (Scss)
  • Added support for Sass modules (#​2643) deb238a6
• Scheme
  • Fixed number pattern (#​2648) e01ecd00
  • Fixed function and function-like false positives (#​2611) 7951ca24
• Shell session
  • Fixed false positives because of links in command output (#​2649) 8e76a978
• TSX
  • Temporary fix for the collisions of JSX tags and TS generics (#​2596) 25bdb494

Updated plugins

• Made Autoloader and Diff Highlight compatible (#​2580) 7a74497a
• Copy to Clipboard Button
  • Set type="button" attribute for copy to clipboard plugin (#​2593) f59a85f1
• File Highlight
  • Fixed IE compatibility problem (#​2656) 3f4ae00d
• Line Highlight
  • Fixed top offset in combination with Line numbers (#​2237) b40f8f4b
  • Fixed print background color (#​2668) cdb24abe
• Line Numbers
  • Fixed null reference (#​2605) 7cdfe556
• Treeview
  • Fixed icons on dark themes (#​2631) 7266e32f
• Unescaped Markup
  • Refactoring (#​2445) fc602822

Other

• Readme: Added alternative link for Chinese translation 071232b4
• Readme: Removed broken icon for Chinese translation (#​2670) 2ea202b9
• Readme: Grammar adjustments (#​2629) f217ab75
• Core
  • Moved pattern matching + lookbehind logic into function (#​2633) 24574406
  • Fixed bug with greedy matching (#​2632) 8fa8dd24
• Infrastructure
  • Migrate from TravisCI -> GitHub Actions (#​2606) 69132045
  • Added Dangerfile and provide bundle size info (#​2608) 9df20c5e
  • New start script to start local server (#​2491) 0604793c
  • Added test for exponential backtracking (#​2590) 05afbb10
  • Added test for polynomial backtracking (#​2597) e644178b
  • Tests: Better pretty print (#​2600) 8bfcc819
  • Tests: Fixed sorted language list test (#​2623) 2d3a1267
  • Tests: Stricter pattern for nice-token-names test (#​2588) 0df60be1
  • Tests: Added strict checks for Prism.languages.extend (#​2572) 8828500e
• Website
  • Test page: Added "Share" option (#​2575) b5f4f10e
  • Test page: Don't trigger ad-blockers with class (#​2677) df0738e9
  • Thousands -> millions 9f82de50
  • Unescaped Markup: More doc regarding comments (#​2652) add3736a
  • Website: Added and updated documentation (#​2654) 8e660495
  • Website: Updated and improved guide on "Extending Prism" page (#​2586) 8e1f38ff

v1.22.0

Compare Source

New components

• Birb (#​2542) 4d31e22a
• BSL (1C:Enterprise) & OneScript (#​2520) 5c33f0bb
• MongoDB (#​2518) 004eaa74
• Naninovel Script (#​2494) 388ad996
• PureScript (#​2526) ad748a00
• SML & SML/NJ (#​2537) cb75d9e2
• Stan (#​2490) 2da2beba
• TypoScript & TSConfig (#​2505) bf115f47

Updated components

• Removed duplicate alternatives in various languages (#​2524) fa2225ff
• Haskell
  • Improvements (#​2535) e023044c
• JS Extras
  • Highlight import and export bindings (#​2533) c51ababb
  • Added control-flow keywords (#​2529) bcef22af
• PHP
  • Added match keyword (PHP 8.0) (#​2574) 1761513e
• Processing
  • Fixed function pattern (#​2564) 35cbc02f
• Regex
  • Changed how languages embed regexes (#​2532) f62ca787
• Rust
  • Fixed Unicode char literals (#​2550) 3b4f14ca
• Scheme
  • Added support for R7RS syntax (#​2525) e4f6ccac
• Shell session
  • Added aliases (#​2548) bfb36748
  • Highlight all commands after the start of any Heredoc string (#​2509) 6c921801
• YAML
  • Improved key pattern (#​2561) 59853a52

Updated plugins

• Autoloader
  • Fixed file detection regexes (#​2549) d36ea993
• Match braces
  • Fixed JS interpolation punctuation (#​2541) 6b47133d
• Show Language
  • Added title for plain text (#​2555) a409245e

Other

• Tests: Added an option to accept the actual token stream (#​2515) bafab634
• Core
  • Docs: Minor improvement (#​2513) 206dc80f
• Infrastructure
  • JSDoc: Fixed line ends (#​2523) bf169e5f
• Website
  • Website: Added new SB101 tutorial replacing the Crambler one (#​2576) 655f985c
  • Website: Fix typo on homepage by adding missing word add (#​2570) 8ae6a4ba
  • Custom class: Improved doc (#​2512) 5ad6cb23

v1.21.0

Compare Source

New components

• .ignore & .gitignore & .hgignore & .npmignore (#​2481) 3fcce6fe
• Agda (#​2430) 3a127c7d
• AL (#​2300) de21eb64
• Cypher (#​2459) 398e2943
• Dhall (#​2473) 649e51e5
• EditorConfig (#​2471) ed8fff91
• HLSL (#​2318) 87a5c7ae
• JS stack trace (#​2418) ae0327b3
• PeopleCode (#​2302) bd4d8165
• PureBasic (#​2369) d0c1c70d
• Racket (#​2315) 053016ef
• Smali (#​2419) 22eb5cad
• Structured Text (IEC 61131-3) (#​2311) 8704cdfb
• UnrealScript (#​2305) 1093ceb3
• WarpScript (#​2307) cde5b0fa
• XML doc (.net) (#​2340) caec5e30
• YANG (#​2467) ed1df1e1

Updated components

• Markup & JSON: Added new aliases (#​2390) 9782cfe6
• Fixed several cases of exponential backtracking (#​2268) 7a554b5f
• APL
  • Added ⍥ (#​2409) 0255cb6a
• AutoHotkey
  • Added missing format built-in (#​2450) 7c66cfc4
  • Improved comments and other improvements (#​2412) ddf3cc62
  • Added missing definitions (#​2400) 4fe03676
• Bash
  • Added composer command (#​2298) 044dd271
• Batch
  • Fix escaped double quote (#​2485) f0f8210c
• C
  • Improved macros and expressions (#​2440) 8a72fa6f
  • Improved macros (#​2320) fdcf7ed2
• C#
  • Improved pattern matching (#​2411) 7f341fc1
  • Fixed adjacent string interpolations (#​2402) 2a2e79ed
• C++
  • Added support for default comparison operator (#​2426) 8e9d161c
  • Improved class name detection (#​2348) e3fe9040
  • Fixed enum class class names (#​2342) 30b4e254
• Content-Security-Policy
  • Fixed directives (#​2461) 537a9e80
• CSS
  • Improved url and added keywords (#​2432) 964de5a1
• CSS Extras
  • Optimized class and id patterns (#​2359) fdbc4473
  • Renamed attr-{name,value} tokens and added tokens for combinators and selector lists (#​2373) e523f5d0
• Dart
  • Added missing keywords (#​2355) 4172ab6f
• Diff
  • Added prefix token (#​2281) fd432a5b
• Docker
  • Fixed strings inside comments (#​2428) 37273a6f
• EditorConfig
  • Trim spaces before key and section title (#​2482) 0c30c582
• EJS
  • Added eta alias (#​2282) 0cfb6c5f
• GLSL
  • Improvements (#​2321) 33e49956
• GraphQL
  • Added missing keywords (#​2407) de8ed16d
  • Added support for multi-line strings and descriptions (#​2406) 9e64c62e
• Io
  • Fixed operator pattern (#​2365) d6055771
• Java
  • Fixed namespace token (#​2295) 62e184bb
• JavaDoc
  • Improvements (#​2324) 032910ba
• JavaScript
  • Improved regex detection (#​2465) 4f55052f
  • Improved get/set and parameter detection (#​2387) ed715158
  • Added support for logical assignment operators (#​2378) b28f21b7
• JSDoc
  • Improvements (#​2466) 2805ae35
• JSON
  • Greedy comments (#​2479) 158caf52
• Julia
  • Improved strings, comments, and other patterns (#​2363) 81cf2344
• Kotlin
  • Added kt and kts aliases (#​2474) 67f97e2e
• Markup
  • Added tokens inside DOCTYPE (#​2349) 9c7bc820
  • Added attr-equals alias for the attribute = sign (#​2350) 96a0116e
  • Added alias for named entities (#​2351) ab1e34ae
  • Added support for SSML (#​2306) eb70070d
• Objective-C
  • Added objc alias (#​2331) 67c6b7af
• PowerShell
  • New functions pattern bases on naming conventions (#​2301) fec39bcf
• Protocol Buffers
  • Added

---

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box.

---

This PR has been generated by WhiteSource Renovate. View repository job log here.