@arnlaugsson

Initial checklist

  • I read the support docs
  • I read the contributing guide
  • I agree to follow the code of conduct
  • I searched issues and discussions and couldn’t find anything or linked relevant results below
  • I made sure the docs are up to date
  • I included tests (or that’s not needed)

Description of changes

Addressing a Medium vulnerability CVE-2025-66400: mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user-supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.

Medium Vulnerability.

Signed-off-by: Skúli Arnlaugsson <[email protected]>
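
A lockfile check for the version range quoted in the description above (13.0.0 up to, but not including, 13.2.1). This is an added example, not code from the pull request or the project; it assumes an npm `package-lock.json` with lockfileVersion 2 or 3, and the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag installs of mdast-util-to-hast in the CVE-2025-66400 range.
const PKG = 'mdast-util-to-hast';
const FIRST_AFFECTED = [13, 0, 0]; // lower bound, from the description above
const FIRST_FIXED = [13, 2, 1]; // first fixed release, from the description above

// Parse "major.minor.patch"; pre-release/build suffixes are ignored (simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Three-way comparison of two [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, FIRST_AFFECTED) >= 0 && compare(v, FIRST_FIXED) < 0;
}

// Walk the "packages" map of a parsed package-lock.json (lockfileVersion 2/3).
// Keys are install paths, so nested copies pulled in by other dependencies
// are checked and reported separately from the top-level one.
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
      if (isAffected(entry.version)) hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/mdast-util-to-hast': { version: '13.2.0' },
    'node_modules/example-dep/node_modules/mdast-util-to-hast': { version: '12.3.0' },
    'node_modules/other-dep/node_modules/mdast-util-to-hast': { version: '13.2.1' },
  },
};

for (const hit of findAffected(sampleLock)) {
  console.log(`${hit.path}@${hit.version} is in the affected range`);
}
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findAffected` in place of `sampleLock`.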
@github-actions github-actions bot added 👋 phase/new Post is being triaged automatically 🤞 phase/open Post is being triaged manually and removed 👋 phase/new Post is being triaged automatically labels Dec 8, 2025
@codecov

codecov bot commented Dec 8, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (fda7fa5) to head (df906fe).

Additional details and impacted files
@@            Coverage Diff            @@
##              main      #935   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            3         3           
  Lines         1743      1743           
  Branches       123       123           
=========================================
  Hits          1743      1743           

@Murderlon
Member

See: #933 (comment)

@Murderlon Murderlon added 🤷 no/invalid This cannot be acted upon 👎 phase/no Post cannot or will not be acted on and removed 🤞 phase/open Post is being triaged manually labels Dec 8, 2025
@github-actions github-actions bot closed this Dec 8, 2025
@github-actions

github-actions bot commented Dec 8, 2025

Hi! This was closed. Team: If this was merged, please describe when this is likely to be released. Otherwise, please add one of the no/* labels.
