Skip to content

chore(monorepo): update pnpm-workspace.overrides markdown-it to >=14.1.1 [security]#215

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-markdown-it-vulnerability
Open

chore(monorepo): update pnpm-workspace.overrides markdown-it to >=14.1.1 [security]#215
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-markdown-it-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 9, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
markdown-it >=14.1.0>=14.1.1 age confidence

markdown-it is has a Regular Expression Denial of Service (ReDoS)

CVE-2026-2327 / GHSA-38c4-r59v-3vqw

More information

Details

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.

Severity

  • CVSS Score: 5.5 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

markdown-it/markdown-it (markdown-it)

v14.1.1

Compare Source

Security
  • Fixed regression from v13 in linkify inline rule. Specific patterns could
    cause high CPU use. Thanks to @​ltduc147 for report.

Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Upgrade or downgrade of project dependencies. label Apr 9, 2026
@renovate renovate Bot requested a review from a team April 9, 2026 00:34
@renovate renovate Bot requested review from a team and sullivanpj as code owners April 9, 2026 00:34
@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Apr 9, 2026

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

@renovate renovate Bot enabled auto-merge (squash) April 9, 2026 00:34
@renovate renovate Bot added the dependencies Upgrade or downgrade of project dependencies. label Apr 9, 2026
@deepsource-io
Copy link
Copy Markdown

deepsource-io Bot commented Apr 9, 2026
edited
Loading

DeepSource Code Review

We reviewed changes in 242a5a8...0dabef2 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade   Security  

Reliability  

Complexity  

Hygiene  

Code Review Summary

Analyzer Status Updated (UTC) Details
JavaScript Apr 29, 2026 9:41a.m. Review ↗
Shell Apr 29, 2026 9:41a.m. Review ↗

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

@socket-security
Copy link
Copy Markdown

socket-security Bot commented Apr 9, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Added@​stryke/​fs@​0.28.6761009997100
Updated@​storm-software/​tsdoc@​0.12.8 ⏵ 0.13.15576 -1100100 +198 +1100
Addednx@​21.5.38010093100100
Addedtsup@​8.4.0981009483100
Addedgithub-slugger@​2.0.01001009285100
Addedtslib@​2.8.110010010085100

View full report

@renovate renovate Bot changed the title chore(monorepo): update pnpm-workspace.overrides markdown-it to >=14.1.1 [security] chore(monorepo): update pnpm-workspace.overrides markdown-it to >=14.1.1 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
auto-merge was automatically disabled April 27, 2026 17:55

Pull request was closed

@renovate renovate Bot deleted the renovate/npm-markdown-it-vulnerability branch April 27, 2026 17:55
@renovate renovate Bot changed the title chore(monorepo): update pnpm-workspace.overrides markdown-it to >=14.1.1 [security] - autoclosed chore(monorepo): update pnpm-workspace.overrides markdown-it to >=14.1.1 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-markdown-it-vulnerability branch 2 times, most recently from 8e8392f to fb1f18f Compare April 27, 2026 21:56
@renovate renovate Bot force-pushed the renovate/npm-markdown-it-vulnerability branch from fb1f18f to 0dabef2 Compare April 29, 2026 09:38
@renovate renovate Bot enabled auto-merge (squash) April 29, 2026 09:38
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Apr 29, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm entities is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: pnpm-lock.yamlnpm/entities@4.5.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm entities is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: pnpm-lock.yamlnpm/entities@6.0.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@6.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sullivanpj sullivanpj Awaiting requested review from sullivanpj sullivanpj is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Upgrade or downgrade of project dependencies.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants