Skip to content

Update dependency markdown-it to v14.1.1 [SECURITY] (master)#2579

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/master-npm-markdown-it-vulnerability
Open

Update dependency markdown-it to v14.1.1 [SECURITY] (master)#2579
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/master-npm-markdown-it-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 13, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
markdown-it 14.1.014.1.1 age confidence

markdown-it is has a Regular Expression Denial of Service (ReDoS)

CVE-2026-2327 / GHSA-38c4-r59v-3vqw

More information

Details

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.

Severity

  • CVSS Score: 5.5 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

markdown-it/markdown-it (markdown-it)

v14.1.1

Compare Source

Security
  • Fixed regression from v13 in linkify inline rule. Specific patterns could
    cause high CPU use. Thanks to @​ltduc147 for report.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/master-npm-markdown-it-vulnerability branch 2 times, most recently from 3823f2c to 462c784 Compare April 16, 2026 08:28
@renovate renovate Bot force-pushed the renovate/master-npm-markdown-it-vulnerability branch 2 times, most recently from 2d6f108 to 13d2150 Compare April 18, 2026 12:25
@renovate renovate Bot changed the title Update dependency markdown-it to v14.1.1 [SECURITY] (master) Update dependency markdown-it to v14.1.1 [SECURITY] (master) - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/master-npm-markdown-it-vulnerability branch April 27, 2026 21:01
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 27, 2026

The following links are for previewing this pull request:

@renovate renovate Bot changed the title Update dependency markdown-it to v14.1.1 [SECURITY] (master) - autoclosed Update dependency markdown-it to v14.1.1 [SECURITY] (master) Apr 28, 2026
@renovate renovate Bot reopened this Apr 28, 2026
@renovate renovate Bot force-pushed the renovate/master-npm-markdown-it-vulnerability branch 2 times, most recently from 13d2150 to be2df0d Compare April 28, 2026 06:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ashmitahaldar ashmitahaldar ashmitahaldar approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ashmitahaldar