Update dependency prismjs to v1.30.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
prismjs	1.15.0 -> 1.30.0

GitHub Vulnerability Alerts

CVE-2020-15138

Impact

The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer.

This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the Previewers plugin (>=v1.10.0) or the Previewer: Easing plugin (v1.1.0 to v1.9.0).

Patches

This problem is patched in v1.21.0.

Workarounds

To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

References

The vulnerability was introduced by this commit on Sep 29, 2015 and fixed by Masato Kinugawa (#​2506).

For more information

If you have any questions or comments about this advisory, please open an issue.

CVE-2021-23341

The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

CVE-2021-32723

Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS).

Impact

When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to highlight untrusted text.

• ASCIIDoc
• ERB

Other languages are not affected and can be used to highlight untrusted text.

Patches

This problem has been fixed in Prism v1.24.

References

• Updated refa + fixed 2 cases of exponential backtracking PrismJS/prism#2774
• Tests: Exhaustive pattern tests PrismJS/prism#2688

CVE-2021-3801

Prism is a syntax highlighting library. The prismjs package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide a crafted HTML comment as input may cause an application to consume an excessive amount of CPU.

CVE-2022-23647

Impact

Prism's Command line plugin can be used by attackers to achieve an XSS attack. The Command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code.

Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted.

Patches

This bug has been fixed in v1.27.0.

Workarounds

Do not use the Command line plugin on untrusted inputs, or sanitized all code blocks (remove all HTML code text) from all code blocks that use the Command line plugin.

References

• https://github.com/PrismJS/prism/pull/3341

CVE-2024-53382

Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

---

Release Notes

PrismJS/prism (prismjs)

v1.30.0

Compare Source

What's Changed

• check that currentScript is set by a script tag by @​lkuechler in #​3863

New Contributors

• @​lkuechler made their first contribution in #​3863

Full Changelog: PrismJS/prism@v1.29.0...v1.30.0

v1.29.0

Compare Source

New components

• BBj (#​3511) 1134bdfc
• BQN (#​3515) 859f99a0
• Cilk/C & Cilk/C++ (#​3522) c8462a29
• Gradle (#​3443) 32119823
• METAFONT (#​3465) 2815f699
• WGSL (#​3455) 4c87d418

Updated components

• AsciiDoc
  • Some regexes are too greedy (#​3481) c4cbeeaa
• Bash
  • Added "sh" alias (#​3509) 6b824d47
  • Added support for parameters and the java and sysctl commands. (#​3505) b9512b22
  • Added cargo command (#​3488) 3e937137
• BBj
  • Improve regexes (#​3512) 0cad9ae5
• CSS
  • Fixed @​-rules not accounting for strings (#​3438) 0d4b6cb6
• CSS Extras
  • Added support for RebeccaPurple color (#​3448) 646b2e0a
• Hoon
  • Fixed escaped strings (#​3473) 64642716
• Java
  • Added support for constants (#​3507) 342a0039
• Markup
  • Fixed quotes in HTML attribute values (#​3442) ca8eaeee
• NSIS
  • Added missing commands (#​3504) b0c2a9b4
• Scala
  • Updated keywords to support Scala 3 (#​3506) a090d063
• SCSS
  • Fix casing in title of the scss lang (#​3501) 2aed9ce7

Updated plugins

• Line Highlight
  • Account for offset when clamping ranges (#​3518) 098e3000
  • Ignore ranges outside of actual lines (#​3475) 9a4e725b
• Normalize Whitespace
  • Add configuration via attributes (#​3467) 91dea0c8

Other

• Added security policy (#​3070) 05ee042a
• Added list of maintainers (#​3410) 866b302e
• Included githubactions in the dependabot config (#​3470) 9561a9ab
• Set permissions for GitHub actions (#​3468) b85e1ada
• Website
  • Website: Added third-party tutorial for Pug template (#​3459) 15272f76
  • Docs: Add missing word (#​3489) 9d603ef4

v1.28.0

Compare Source

New components

• Ado & Mata (Stata) (#​3383) 63806d57
• ARM Assembly (#​3376) 554ff324
• Arturo (#​3403) e2fe1f79
• AWK & GAWK (#​3374) ea8a0f40
• Cooklang (#​3337) 4eb928c3
• CUE (#​3375) a1340666
• gettext (#​3369) dfef9b61
• GNU Linker Script (#​3373) 33f2cf95
• Odin (#​3424) 8a3fef6d
• PlantUML (#​3372) 0d49553c
• ReScript (#​3435) cbef9af7
• SuperCollider (#​3371) 1b1d6731

Updated components

• .properties
  • Use key, value for token names; attr-name, attr-value as aliases (#​3377) b94a664d
• ABAP
  • Sorted keyword list (#​3368) 7bda2bf1
• Ada
  • Changed attr-name to attribute; Use attr-name as alias (#​3381) cde0b5b2
  • Added or keyword (#​3380) c30b736f
• Atmel AVR Assembly
  • Fixed &= and |= operators (#​3395) 8c4ae5a5
• AutoHotkey
  • Use standard tokens (#​3385) 61c460e8
  • Use general pattern instead of name list for directives (#​3384) 7ac84dda
• CFScript
  • Simplified operator regex (#​3396) 6a215fe0
• CMake
  • Simplified variable and operator regexes (#​3398) 8e59744b
• Erlang
  • Added begin keyword (#​3387) cf38d059
• Excel Formula
  • Use more fitting aliases for function-name, range, and cell (#​3391) ef0ec02a
• Flow
  • Changed alias of type to class-name (#​3390) ce41434d
  • Recognise [Ss]ymbol as a type (#​3388) 3916883a
• GEDCOM
  • Update tag to record (#​3386) f8f95340
• Groovy
  • Added string interpolation without hook (#​3366) 5617765f
• Handlebars
  • Added Mustache alias (#​3422) cb5229af
• Java
  • Improved class name detection (#​3351) 4cb3d038
  • Fixed record false positives (#​3348) 3bd8fdb1
• JavaScript
  • Added support for new regex syntax (#​3399) ca78cde6
• Keyman
  • Added new keywords (#​3401) bac36827
• MEL
  • Improved functions, code, and comments (#​3393) 8e648dab
• NEON
  • Change alias of key to property (#​3394) 1c533f4a
• PHP
  • Added never return type + minor fix of named arguments (#​3421) 4ffab525
  • Added readonly keyword (#​3349) 4c3f1969
• PureBasic
  • Added support for pointer to string operator (#​3362) 499b1fa0
• Razor C#
  • Added support for @helper and inline C# inside attribute values (#​3355) 31a38d0c
• VHDL
  • Add private, view keywords; Distinguish attribute from keyword (#​3389) d1a5ce30
• Wolfram language
  • Simplified operator regex (#​3397) 10ae6da3

Updated plugins

• Autolinker
  • Fixed URL regex to match more valid URLs (#​3358) 17ed9160
• Command Line
  • Add support for command continuation prefix (#​3344) b53832cd
  • Increased prompt opacity (#​3352) f95dd190
• Keep Markup
  • Use original nodes instead of clones (#​3365) 8a843a17

Other

• Infrastructure
  • Use terser (#​3407) 11c54624
  • Tests: Cache results for exp backtracking check (#​3356) ead22e1e
• Website
  • More documentation for language definitons (#​3427) 333bd590

v1.27.0

Compare Source

New components

• UO Razor Script (#​3309) 3f8cc5a0

Updated components

• AutoIt
  • Allow hyphen in directive (#​3308) bcb2e2c8
• EditorConfig
  • Change alias of section from keyword to selector (#​3305) e46501b9
• Ini
  • Swap out header for section (#​3304) deb3a97f
• MongoDB
  • Added v5 support (#​3297) 8458c41f
• PureBasic
  • Added missing keyword and fixed constants ending with $ (#​3320) d6c53726
• Scala
  • Added support for interpolated strings (#​3293) 441a1422
• Systemd configuration file
  • Swap out operator for punctuation (#​3306) 2eb89e15

Updated plugins

• Command Line
  • Escape markup in command line output (#​3341) e002e78c
  • Add support for line continuation and improved colors (#​3326) 1784b175
  • Added span around command and output (#​3312) 82d0ca15

Other

• Core
  • Added better error message for missing grammars (#​3311) 2cc4660b

v1.26.0

Compare Source

New components

• Atmel AVR Assembly (#​2078) b5a70e4c
• Go module (#​3209) 8476a9ab
• Keepalived Configure (#​2417) d908e457
• Tremor & Trickle & Troy (#​3087) ec25ba65
• Web IDL (#​3107) ef53f021

Updated components

• Use \d for [0-9] (#​3097) 9fe2f93e
• 6502 Assembly
  • Use standard tokens and minor improvements (#​3184) 929c33e0
• AppleScript
  • Use class-name standard token (#​3182) 9f5e511d
• AQL
  • Differentiate between strings and identifiers (#​3183) fa540ab7
• Arduino
  • Added ino alias (#​2990) 5b7ce5e4
• Avro IDL
  • Removed char syntax (#​3185) c7809285
• Bash
  • Added node to known commands (#​3291) 4b19b502
  • Added vcpkg command (#​3282) b351bc69
  • Added docker and podman commands (#​3237) 8c5ed251
• Birb
  • Fixed class name false positives (#​3111) d7017beb
• Bro
  • Removed variable and minor improvements (#​3186) 4cebf34c
• BSL (1C:Enterprise)
  • Made directive greedy (#​3112) 5c412cbb
• C
  • Added char token (#​3207) d85a64ae
• C#
  • Added char token (#​3270) 220bc40f
  • Move everything into the IIFE (#​3077) 9ed4cf6e
• Clojure
  • Added char token (#​3188) 1c88c7da
• Concurnas
  • Improved tokenization (#​3189) 7b34e65d
• Content-Security-Policy
  • Improved tokenization (#​3276) a943f2bb
• Coq
  • Improved attribute pattern performance (#​3085) 2f9672aa
• Crystal
  • Improved tokenization (#​3194) 51e3ecc0
• Cypher
  • Removed non-standard use of symbol token name (#​3195) 6af8a644
• D
  • Added standard char token (#​3196) dafdbdec
• Dart
  • Added string interpolation and improved metadata (#​3197) e1370357
• DataWeave
  • Fixed keywords being highlighted as functions (#​3113) 532212b2
• EditorConfig
  • Swap out property for key; alias with attr-name (#​3272) bee6ad56
• Eiffel
  • Removed non-standard use of builtin name (#​3198) 6add768b
• Elm
  • Recognize unicode escapes as valid Char (#​3105) 736c581d
• ERB
  • Better embedding of Ruby (#​3192) 336edeea
• F#
  • Added char token (#​3271) b58cd722
• G-code
  • Use standard-conforming alias for checksum (#​3205) ee7ab563
• GameMaker Language
  • Fixed operator token and added tests (#​3114) d359eeae
• Go
  • Added char token and improved string and number tokens (#​3208) f11b86e2
• GraphQL
  • Optimized regexes (#​3136) 8494519e
• Haml
  • Use symbol alias for filter names (#​3210) 3d410670
  • Improved filter and interpolation tokenization (#​3191) 005ba469
• Haxe
  • Improved tokenization (#​3211) f41bcf23
• Hoon
  • Simplified the language definition a little (#​3212) 81920b62
• HTTP
  • Added support for special header value tokenization (#​3275) 3362fc79
  • Relax pattern for body (#​3169) 22d0c6ba
• HTTP Public-Key-Pins
  • Improved tokenization (#​3278) 0f1b5810
• HTTP Strict-Transport-Security
  • Improved tokenization (#​3277) 3d708b97
• Idris
  • Fixed import statements (#​3115) 15cb3b78
• Io
  • Simplified comment token (#​3214) c2afa59b
• J
  • Made comments greedy (#​3215) 5af16014
• Java
  • Added char token (#​3217) 0a9f909c
• Java stack trace
  • Removed unreachable parts of regexes (#​3219) fa55492b
  • Added missing lookbehinds (#​3116) cfb2e782
• JavaScript
  • Improved number pattern (#​3149) 5a24cbff
  • Added properties (#​3099) 3b2238fa
• Jolie
  • Improved tokenization (#​3221) dfbb2020
• JQ
  • Improved performance of strings (#​3084) 233415b8
• JS stack trace
  • Added missing boundary assertion (#​3117) 23d9aec1
• Julia
  • Added char token (#​3223) 3a876df0
• Keyman
  • Improved tokenization (#​3224) baa95cab
• Kotlin
  • Added char token and improved string interpolation (#​3225) 563cd73e
• Latte
  • Use standard token names and combined delimiter tokens (#​3226) 6b168a3b
• Liquid
  • Removed unmatchable object variants (#​3135) 05e7ab04
• Lisp
  • Improved defun (#​3130) e8f84a6c
• Makefile
  • Use standard token names correctly (#​3227) 21a3c2d7
• Markdown
  • Fixed typo in token name (#​3101) 00f77a2c
• MAXScript
  • Various improvements (#​3181) e9b856c8
  • Fixed booleans not being highlighted (#​3134) c6574e6b
• Monkey
  • Use standard tokens correctly (#​3228) c1025aa6
• N1QL
  • Updated keywords + minor improvements (#​3229) 642d93ec
• nginx
  • Made some patterns greedy (#​3230) 7b72e0ad
• Nim
  • Added char token and made some tokens greedy (#​3231) 2334b4b6
  • Fixed backtick identifier (#​3118) 75331bea
• Nix
  • Use standard token name correctly (#​3232) 5bf6e35f
  • Removed unmatchable token (#​3119) dc1e808f
• NSIS
  • Made comment greedy (#​3234) 969f152a
  • Update regex pattern for variables (#​3266) adcc8784
  • Update regex for constants pattern (#​3267) 55583fb2
• Objective-C
  • Improved string token (#​3235) 8e0e95f3
• OCaml
  • Improved tokenization (#​3269) 7bcc5da0
  • Removed unmatchable punctuation variant (#​3120) 314d6994
• Oz
  • Improved tokenization (#​3240) a3905c04
• Pascal
  • Added support for asm and directives (#​2653) f053af13
• PATROL Scripting Language
  • Added boolean token (#​3248) a5b6c5eb
• Perl
  • Improved tokenization (#​3241) f22ea9f9
• PHP
  • Removed useless keyword tokens (#​3121) ee62a080
• PHP Extras
  • Improved scope and this (#​3243) 59ef51db
• PL/SQL
  • Updated keywords + other improvements (#​3109) e7ba877b
• PowerQuery
  • Improved tokenization and use standard tokens correctly (#​3244) 5688f487
  • Removed useless data-type alternative (#​3122) eeb13996
• PowerShell
  • Fixed lookbehind + refactoring (#​3245) d30a2da6
• Processing
  • Use standard tokens correctly (#​3246) 5ee8c557
• Prolog
  • Removed variable token + minor improvements (#​3247) bacf9ae3
• Pug
  • Improved filter tokenization (#​3258) 0390e644
• PureBasic
  • Fixed token order inside asm token (#​3123) f3b25786
• Python
  • Made comment greedy (#​3249) 8ecef306
  • Add match and case (soft) keywords (#​3142) 3f24dc72
  • Recognize walrus operator (#​3126) 18bd101c
  • Fixed numbers ending with a dot (#​3106) 2c63efa6
• QML
  • Made string greedy (#​3250) 1e6dcb51
• React JSX
  • Move alias property (#​3222) 18c92048
• React TSX
  • Removed parameter token (#​3090) 0a313f4f
• Reason
  • Use standard tokens correctly (#​3251) 809af0d9
• Regex
  • Fixed char-class/char-set confusion (#​3124) 4dde2e20
• Ren'py
  • Improved language + added tests (#​3125) ede55b2c
• Rip
  • Use standard char token (#​3252) 2069ab0c
• Ruby
  • Improved tokenization (#​3193) 86028adb
• Rust
  • Improved type-definition and use standard tokens correctly (#​3253) 4049e5c6
• Scheme
  • Use standard char token (#​3254) 7d740c45
  • Updates syntax for reals (#​3159) 4eb81fa1
• Smalltalk
  • Use standard char token (#​3255) a7bb3001
  • Added boolean token (#​3100) 51382524
• Smarty
  • Improved tokenization (#​3268) acc0bc09
• SQL
  • Added identifier token (#​3141) 4e00cddd
• Squirrel
  • Use standard char token (#​3256) 58a65bfd
• Stan
  • Added missing keywords and HOFs (#​3238) afd77ed1
• Structured Text (IEC 61131-3)
  • Structured text: Improved tokenization (#​3213) d04d166d
• Swift
  • Added support for isolated keyword (#​3174) 18c828a6
• TAP
  • Conform to quoted-properties style (#​3127) 3ef71533
• Tremor
  • Use standard regex token (#​3257) c56e4bf5
• Twig
  • Improved tokenization (#​3259) e03a7c24
• TypeScript
  • Removed duplicate keywords (#​3132) 91060fd6
• URI
  • Fixed IPv4 regex (#​3128) 599e30ee
• V
  • Use standard char token (#​3260) e4373256
• Verilog
  • Use standard tokens correctly (#​3261) 43124129
• Visual Basic
  • Simplify regexes and use more common aliases (#​3262) aa73d448
• Wolfram language
  • Removed unmatchable punctuation variant (#​3133) a28a86ad
• Xojo (REALbasic)
  • Proper token name for directives (#​3263) ffd8343f
• Zig
  • Added missing keywords (#​3279) deed35e3
  • Use standard char token (#​3264) c3f9fb70
  • Fixed module comments and astral chars (#​3129) 09a0e2ba

Updated plugins

• File Highlight
  • File highlight+data range (#​1813) d38592c5
• Keep Markup
  • Added drop-tokens option class (#​3166) b679cfe6
• Line Highlight
  • Expose highlightLines function as Prism.plugins.highlightLines (#​3086) 9f4c0e74
• Toolbar
  • Set z-index of .toolbar to 10 (#​3163) 1cac3559

Updated themes

• Coy: Set z-index to make shadows visible in colored table cells (#​3161) 79f250f3
• Coy: Added padding to account for box shadow (#​3143) a6a4ce7e

Other

• Core
  • Added setLanguage util function (#​3167) b631949a
  • Fixed type error on null (#​3057) a80a68ba
  • Document disableWorkerMessageHandler (#​3088) 213cf7be
• Infrastructure
  • Tests: Added .html.test files for replace .js language tests (#​3148) 2e834c8c
  • Added regex coverage (#​3138) 5333e281
  • Tests: Added TestCaseFile class and generalized runTestCase (#​3147) ae8888a0
  • Added even more language tests (#​3137) 344d0b27
  • Added more plugin tests (#​1969) a394a14d
  • Added more language tests (#​3131) 2f7f7364
  • package.json: Added engines.node field (#​3108) 798ee4f6
  • Use tabs in package(-lock).json (#​3098) 8daebb4a
  • Update [email protected] (#​3091) e6e1d5ae
  • Added minified CSS (#​3073) d63d6c0e
• Website
  • Readme: Clarify usage of our build system (#​3239) 6f1d904a
  • Improved CDN usage URLs (#​3285) 6c21b2f7
  • Update download.html 9d5424b6
  • Autoloader: Mention how to load grammars from URLs (#​3218) cefccdd1
  • Added PrismJS React and HTML tutorial link (#​3190) 0ecdbdce
  • Improved readability (#​3177) 4433d7fe
  • Fixed red highlighting in Firefox (#​3178) 746da79b
  • Use Keep markup to highlight code section (#​3164) ebd59e32
  • Document standard tokens and provide examples (#​3104) 37551200
  • Fixed dead link to third-party tutorial #​3155 (#​3156) 31b4c1b8
  • Repositioned theme selector (#​3146) ea361e5a
  • Adjusted TOC's line height for better readability (#​3145) c5629706
  • Updated plugin header template (#​3144) faedfe85
  • Update test and example pages to use Autoloader (#​1936) 3d96eedc

v1.25.0

Compare Source

New components

• AviSynth (#​3071) 746a4b1a
• Avro IDL (#​3051) 87e5a376
• Bicep (#​3027) c1dce998
• GAP (CAS) (#​3054) 23cd9b65
• GN (#​3062) 4f97b82b
• Hoon (#​2978) ea776756
• Kusto (#​3068) e008ea05
• Magma (CAS) (#​3055) a1b67ce3
• MAXScript (#​3060) 4fbdd2f8
• Mermaid (#​3050) 148c1eca
• Razor C# (#​3064) 4433ccfc
• Systemd configuration file (#​3053) 8df825e0
• Wren (#​3063) 6a356d25

Updated components

• Bicep
  • Added support for multiline and interpolated strings and other improvements (#​3028) 748bb9ac
• C#
  • Added with keyword & improved record support (#​2993) fdd291c0
  • Added record, init, and nullable keyword (#​2991) 9b561565
  • Added context check for from keyword (#​2970) 158f25d4
• C++
  • Fixed generic function false positive (#​3043) 5de8947f
• Clojure
  • Improved tokenization (#​3056) 8d0b74b5
• Hoon
  • Fixed mixed-case aura tokenization (#​3002) 9c8911bd
• Liquid
  • Added all objects from Shopify reference (#​2998) 693b7433
  • Added empty keyword (#​2997) [fe3bc526]

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

Error response from daemon: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit