fusionjs.github.io Update dependency prismjs to v1.27.0 [SECURITY]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
prismjs	`1.15.0` -> `1.27.0`

GitHub Vulnerability Alerts

CVE-2021-3801

Prism is a syntax highlighting library. The prismjs package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide a crafted HTML comment as input may cause an application to consume an excessive amount of CPU.

CVE-2022-23647

Impact

Prism's Command line plugin can be used by attackers to achieve an XSS attack. The Command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code.

Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted.

Patches

This bug has been fixed in v1.27.0.

Workarounds

Do not use the Command line plugin on untrusted inputs, or sanitized all code blocks (remove all HTML code text) from all code blocks that use the Command line plugin.

References

https://github.com/PrismJS/prism/pull/3341

Release Notes

PrismJS/prism

`v1.27.0`

Compare Source

New components

UO Razor Script (#3309) 3f8cc5a0

Updated components

AutoIt
- Allow hyphen in directive (#3308) bcb2e2c8
EditorConfig
- Change alias of section from keyword to selector (#3305) e46501b9
Ini
- Swap out header for section (#3304) deb3a97f
MongoDB
- Added v5 support (#3297) 8458c41f
PureBasic
- Added missing keyword and fixed constants ending with $ (#3320) d6c53726
Scala
- Added support for interpolated strings (#3293) 441a1422
Systemd configuration file
- Swap out operator for punctuation (#3306) 2eb89e15

Updated plugins

Command Line
- Escape markup in command line output (#3341) e002e78c
- Add support for line continuation and improved colors (#3326) 1784b175
- Added span around command and output (#3312) 82d0ca15

Other

Core
- Added better error message for missing grammars (#3311) 2cc4660b

`v1.26.0`

Compare Source

New components

Atmel AVR Assembly (#2078) b5a70e4c
Go module (#3209) 8476a9ab
Keepalived Configure (#2417) d908e457
Tremor & Trickle & Troy (#3087) ec25ba65
Web IDL (#3107) ef53f021

Updated components

Use \d for [0-9] (#3097) 9fe2f93e
6502 Assembly
- Use standard tokens and minor improvements (#3184) 929c33e0
AppleScript
- Use class-name standard token (#3182) 9f5e511d
AQL
- Differentiate between strings and identifiers (#3183) fa540ab7
Arduino
- Added ino alias (#2990) 5b7ce5e4
Avro IDL
- Removed char syntax (#3185) c7809285
Bash
- Added node to known commands (#3291) 4b19b502
- Added vcpkg command (#3282) b351bc69
- Added docker and podman commands (#3237) 8c5ed251
Birb
- Fixed class name false positives (#3111) d7017beb
Bro
- Removed variable and minor improvements (#3186) 4cebf34c
BSL (1C:Enterprise)
- Made directive greedy (#3112) 5c412cbb
C
- Added char token (#3207) d85a64ae
C#
- Added char token (#3270) 220bc40f
- Move everything into the IIFE (#3077) 9ed4cf6e
Clojure
- Added char token (#3188) 1c88c7da
Concurnas
- Improved tokenization (#3189) 7b34e65d
Content-Security-Policy
- Improved tokenization (#3276) a943f2bb
Coq
- Improved attribute pattern performance (#3085) 2f9672aa
Crystal
- Improved tokenization (#3194) 51e3ecc0
Cypher
- Removed non-standard use of symbol token name (#3195) 6af8a644
D
- Added standard char token (#3196) dafdbdec
Dart
- Added string interpolation and improved metadata (#3197) e1370357
DataWeave
- Fixed keywords being highlighted as functions (#3113) 532212b2
EditorConfig
- Swap out property for key; alias with attr-name (#3272) bee6ad56
Eiffel
- Removed non-standard use of builtin name (#3198) 6add768b
Elm
- Recognize unicode escapes as valid Char (#3105) 736c581d
ERB
- Better embedding of Ruby (#3192) 336edeea
F#
- Added char token (#3271) b58cd722
G-code
- Use standard-conforming alias for checksum (#3205) ee7ab563
GameMaker Language
- Fixed operator token and added tests (#3114) d359eeae
Go
- Added char token and improved string and number tokens (#3208) f11b86e2
GraphQL
- Optimized regexes (#3136) 8494519e
Haml
- Use symbol alias for filter names (#3210) 3d410670
- Improved filter and interpolation tokenization (#3191) 005ba469
Haxe
- Improved tokenization (#3211) f41bcf23
Hoon
- Simplified the language definition a little (#3212) 81920b62
HTTP
- Added support for special header value tokenization (#3275) 3362fc79
- Relax pattern for body (#3169) 22d0c6ba
HTTP Public-Key-Pins
- Improved tokenization (#3278) 0f1b5810
HTTP Strict-Transport-Security
- Improved tokenization (#3277) 3d708b97
Idris
- Fixed import statements (#3115) 15cb3b78
Io
- Simplified comment token (#3214) c2afa59b
J
- Made comments greedy (#3215) 5af16014
Java
- Added char token (#3217) 0a9f909c
Java stack trace
- Removed unreachable parts of regexes (#3219) fa55492b
- Added missing lookbehinds (#3116) cfb2e782
JavaScript
- Improved number pattern (#3149) 5a24cbff
- Added properties (#3099) 3b2238fa
Jolie
- Improved tokenization (#3221) dfbb2020
JQ
- Improved performance of strings (#3084) 233415b8
JS stack trace
- Added missing boundary assertion (#3117) 23d9aec1
Julia
- Added char token (#3223) 3a876df0
Keyman
- Improved tokenization (#3224) baa95cab
Kotlin
- Added char token and improved string interpolation (#3225) 563cd73e
Latte
- Use standard token names and combined delimiter tokens (#3226) 6b168a3b
Liquid
- Removed unmatchable object variants (#3135) 05e7ab04
Lisp
- Improved defun (#3130) e8f84a6c
Makefile
- Use standard token names correctly (#3227) 21a3c2d7
Markdown
- Fixed typo in token name (#3101) 00f77a2c
MAXScript
- Various improvements (#3181) e9b856c8
- Fixed booleans not being highlighted (#3134) c6574e6b
Monkey
- Use standard tokens correctly (#3228) c1025aa6
N1QL
- Updated keywords + minor improvements (#3229) 642d93ec
nginx
- Made some patterns greedy (#3230) 7b72e0ad
Nim
- Added char token and made some tokens greedy (#3231) 2334b4b6
- Fixed backtick identifier (#3118) 75331bea
Nix
- Use standard token name correctly (#3232) 5bf6e35f
- Removed unmatchable token (#3119) dc1e808f
NSIS
- Made comment greedy (#3234) 969f152a
- Update regex pattern for variables (#3266) adcc8784
- Update regex for constants pattern (#3267) 55583fb2
Objective-C
- Improved string token (#3235) 8e0e95f3
OCaml
- Improved tokenization (#3269) 7bcc5da0
- Removed unmatchable punctuation variant (#3120) 314d6994
Oz
- Improved tokenization (#3240) a3905c04
Pascal
- Added support for asm and directives (#2653) f053af13
PATROL Scripting Language
- Added boolean token (#3248) a5b6c5eb
Perl
- Improved tokenization (#3241) f22ea9f9
PHP
- Removed useless keyword tokens (#3121) ee62a080
PHP Extras
- Improved scope and this (#3243) 59ef51db
PL/SQL
- Updated keywords + other improvements (#3109) e7ba877b
PowerQuery
- Improved tokenization and use standard tokens correctly (#3244) 5688f487
- Removed useless data-type alternative (#3122) eeb13996
PowerShell
- Fixed lookbehind + refactoring (#3245) d30a2da6
Processing
- Use standard tokens correctly (#3246) 5ee8c557
Prolog
- Removed variable token + minor improvements (#3247) bacf9ae3
Pug
- Improved filter tokenization (#3258) 0390e644
PureBasic
- Fixed token order inside asm token (#3123) f3b25786
Python
- Made comment greedy (#3249) 8ecef306
- Add match and case (soft) keywords (#3142) 3f24dc72
- Recognize walrus operator (#3126) 18bd101c
- Fixed numbers ending with a dot (#3106) 2c63efa6
QML
- Made string greedy (#3250) 1e6dcb51
React JSX
- Move alias property (#3222) 18c92048
React TSX
- Removed parameter token (#3090) 0a313f4f
Reason
- Use standard tokens correctly (#3251) 809af0d9
Regex
- Fixed char-class/char-set confusion (#3124) 4dde2e20
Ren'py
- Improved language + added tests (#3125) ede55b2c
Rip
- Use standard char token (#3252) 2069ab0c
Ruby
- Improved tokenization (#3193) 86028adb
Rust
- Improved type-definition and use standard tokens correctly (#3253) 4049e5c6
Scheme
- Use standard char token (#3254) 7d740c45
- Updates syntax for reals (#3159) 4eb81fa1
Smalltalk
- Use standard char token (#3255) a7bb3001
- Added boolean token (#3100) 51382524
Smarty
- Improved tokenization (#3268) acc0bc09
SQL
- Added identifier token (#3141) 4e00cddd
Squirrel
- Use standard char token (#3256) 58a65bfd
Stan
- Added missing keywords and HOFs (#3238) afd77ed1
Structured Text (IEC 61131-3)
- Structured text: Improved tokenization (#3213) d04d166d
Swift
- Added support for isolated keyword (#3174) 18c828a6
TAP
- Conform to quoted-properties style (#3127) 3ef71533
Tremor
- Use standard regex token (#3257) c56e4bf5
Twig
- Improved tokenization (#3259) e03a7c24
TypeScript
- Removed duplicate keywords (#3132) 91060fd6
URI
- Fixed IPv4 regex (#3128) 599e30ee
V
- Use standard char token (#3260) e4373256
Verilog
- Use standard tokens correctly (#3261) 43124129
Visual Basic
- Simplify regexes and use more common aliases (#3262) aa73d448
Wolfram language
- Removed unmatchable punctuation variant (#3133) a28a86ad
Xojo (REALbasic)
- Proper token name for directives (#3263) ffd8343f
Zig
- Added missing keywords (#3279) deed35e3
- Use standard char token (#3264) c3f9fb70
- Fixed module comments and astral chars (#3129) 09a0e2ba

Updated plugins

File Highlight
- File highlight+data range (#1813) d38592c5
Keep Markup
- Added drop-tokens option class (#3166) b679cfe6
Line Highlight
- Expose highlightLines function as Prism.plugins.highlightLines (#3086) 9f4c0e74
Toolbar
- Set z-index of .toolbar to 10 (#3163) 1cac3559

Updated themes

Coy: Set z-index to make shadows visible in colored table cells (#3161) 79f250f3
Coy: Added padding to account for box shadow (#3143) a6a4ce7e

Other

Core
- Added setLanguage util function (#3167) b631949a
- Fixed type error on null (#3057) a80a68ba
- Document disableWorkerMessageHandler (#3088) 213cf7be
Infrastructure
- Tests: Added .html.test files for replace .js language tests (#3148) 2e834c8c
- Added regex coverage (#3138) 5333e281
- Tests: Added TestCaseFile class and generalized runTestCase (#3147) ae8888a0
- Added even more language tests (#3137) 344d0b27
- Added more plugin tests (#1969) a394a14d
- Added more language tests (#3131) 2f7f7364
- package.json: Added engines.node field (#3108) 798ee4f6
- Use tabs in package(-lock).json (#3098) 8daebb4a
- Update [email protected] (#3091) e6e1d5ae
- Added minified CSS (#3073) d63d6c0e
Website
- Readme: Clarify usage of our build system (#3239) 6f1d904a
- Improved CDN usage URLs (#3285) 6c21b2f7
- Update download.html 9d5424b6
- Autoloader: Mention how to load grammars from URLs (#3218) cefccdd1
- Added PrismJS React and HTML tutorial link (#3190) 0ecdbdce
- Improved readability (#3177) 4433d7fe
- Fixed red highlighting in Firefox (#3178) 746da79b
- Use Keep markup to highlight code section (#3164) ebd59e32
- Document standard tokens and provide examples (#3104) 37551200
- Fixed dead link to third-party tutorial #3155 (#3156) 31b4c1b8
- Repositioned theme selector (#3146) ea361e5a
- Adjusted TOC's line height for better readability (#3145) c5629706
- Updated plugin header template (#3144) faedfe85
- Update test and example pages to use Autoloader (#1936) 3d96eedc

`v1.25.0`

Compare Source

New components

AviSynth (#3071) 746a4b1a
Avro IDL (#3051) 87e5a376
Bicep (#3027) c1dce998
GAP (CAS) (#3054) 23cd9b65
GN (#3062) 4f97b82b
Hoon (#2978) ea776756
Kusto (#3068) e008ea05
Magma (CAS) (#3055) a1b67ce3
MAXScript (#3060) 4fbdd2f8
Mermaid (#3050) 148c1eca
Razor C# (#3064) 4433ccfc
Systemd configuration file (#3053) 8df825e0
Wren (#3063) 6a356d25

Updated components

Bicep
- Added support for multiline and interpolated strings and other improvements (#3028) 748bb9ac
C#
- Added with keyword & improved record support (#2993) fdd291c0
- Added record, init, and nullable keyword (#2991) 9b561565
- Added context check for from keyword (#2970) 158f25d4
C++
- Fixed generic function false positive (#3043) 5de8947f
Clojure
- Improved tokenization (#3056) 8d0b74b5
Hoon
- Fixed mixed-case aura tokenization (#3002) 9c8911bd
Liquid
- Added all objects from Shopify reference (#2998) 693b7433
- Added empty keyword (#2997) fe3bc526
Log file
- Added support for Java stack traces (#3003) b0365e70
Markup
- Made most patterns greedy (#3065) 52e8cee9
- Fixed ReDoS (#3078) 0ff371bb
PureScript
- Made ∀ a keyword (alias for forall) (#3005) b38fc89a
- Improved Haskell and PureScript (#3020) 679539ec
Python
- Support for underscores in numbers (#3039) 6f5d68f7
Sass
- Fixed issues with CSS Extras (#2994) 14fdfe32
Shell session
- Fixed command false positives (#3048) 35b88fcf
- Added support for the percent sign as shell symbol (#3010) 4492b62b
Swift
- Major improvements (#3022) 8541db2e
- Added support for @propertyWrapper, @MainActor, and @globalActor (#3009) ce5e0f01
- Added support for new Swift 5.5 keywords (#2988) bb93fac0
TypeScript
- Fixed keyword false positives (#3001) 212e0ef2

Updated plugins

JSONP Highlight
- Refactored JSONP logic (#3018) 5126d1e1
Line Highlight
- Extend highlight to full line width inside scroll container (#3011) e289ec60
Normalize Whitespace
- Removed unnecessary checks (#3017) 63edf14c
Previewers
- Ensure popup is visible across themes (#3080) c7b6a7f6

Updated themes

Twilight
- Increase selector specificities of plugin overrides (#3081) ffb20439

Other

Infrastructure
- Added benchmark suite (#2153) 44456b21
- Tests: Insert expected JSON by Default (#2960) e997dd35
- Tests: Improved dection of empty patterns (#3058) d216e602
Website
- Highlight Keywords: More documentation (#3049) 247fd9a3

`v1.24.1`

Compare Source

Updated components

Markdown
- Fixed Markdown not working in NodeJS (#2977) 151121cd

Updated plugins

Toolbar
- Fixed styles being applies to nested elements (#2980) 748ecddc

`v1.24.0`

Compare Source

New components

CFScript (#2771) b0a6ec85
ChaiScript (#2706) 3f7d7453
COBOL (#2800) 7e5f78ff
Coq (#2803) 41e25d3c
CSV (#2794) f9b69528
DOT (Graphviz) (#2690) 1f91868e
False (#2802) 99a21dc5
ICU Message Format (#2745) bf4e7ba9
Idris (#2755) e9314415
Jexl (#2764) 7e51b99c
KuMir (КуМир) (#2760) 3419fb77
Log file (#2796) 2bc6475b
Nevod (#2798) f84c49c5
OpenQasm (#2797) 1a2347a3
PATROL Scripting Language (#2739) 18c67b49
Q# (#2804) 1b63cd01
Rego (#2624) e38986f9
Squirrel (#2721) fd1081d2
URI (#2708) bbc77d19
V (#2687) 72962701
Wolfram language & Mathematica & Mathematica Notebook (#2921) c4f6b2cc

Updated components

Fixed problems reported by regexp/no-dupe-disjunctions (#2952) f471d2d7
Fixed some cases of quadratic worst-case runtime (#2922) 79d22182
Fixed 2 cases of exponential backtracking (#2774) d85e30da
AQL
- Update for ArangoDB 3.8 (#2842) ea82478d
AutoHotkey
- Improved tag pattern (#2920) fc2a3334
Bash
- Accept hyphens in function names (#2832) e4ad22ad
- Fixed single-quoted strings (#2792) e5cfdb4a
C++
- Added support for generic functions and made :: punctuation (#2814) 3df62fd0
- Added missing keywords and modules (#2763) 88fa72cf
Dart
- Improved support for classes & generics (#2810) d0bcd074
Docker
- Improvements (#2720) 93dd83c2
Elixir
- Added missing keywords (#2958) 114e4626
- Added missing keyword and other improvements (#2773) e6c0d298
- Added defdelagate keyword and highlighting for function/module names (#2709) 59f725d7
F#
- Fixed comment false positive (#2703) a5d7178c
GraphQL
- Fixed definition-query and definition-mutation tokens (#2964) bfd7fded
- Added more detailed tokens (#2939) 34f24ac9
Handlebars
- Added hbs alias (#2874) 43976351
HTTP
- Fixed body not being highlighted (#2734) 1dfc8271
- More granular tokenization (#2722) 6183fd9b
- Allow root path in request line (#2711) 4e7b2a82
Ini
- Consistently mimic Win32 INI parsing (#2779) 42d24fa2
Java
- Improved generics (#2812) 4ec7535c
JavaScript
- Added support for import assertions (#2953) ab7c9953
- Added support for RegExp Match Indices (#2900) 415651a0
- Added hashbang and private getters/setters (#2815) 9c610ae6
- Improved contextual keywords (#2713) 022f90a0
JS Templates
- Added SQL templates (#2945) abab9104
JSON
- Fixed backtracking issue in Safari (#2691) cf28d1b2
Liquid
- Added Markup support, missing tokens, and other improvements (#2950) ac1d12f9
Log file
- Minor improvements (#2851) 45ec4a88
Markdown
- Improved code snippets (#2967) e9477d83
- Workaround for incorrect highlighting due to double wrap hook (#2719) 2b355c98
Markup
- Added support for DOM event attributes (#2702) 8dbbbb35
nginx
- Complete rewrite (#2793) 5943f4cb
PHP
- Fixed functions with namespaces (#2889) 87d79390
- Fixed string interpolation (#2864) cf3755cb
- Added missing PHP 7.4 fn keyword (#2858) e0ee93f1
- Fixed methods with keyword names + minor improvements (#2818) 7e8cd40d
- Improved constant support for PHP 8.1 enums (#2770) 8019e2f6
- Added support for PHP 8.1 enums (#2752) f79b0eef
- Class names at the start of a string are now highlighted correctly (#2731) 04ef309c
- Numeral syntax improvements (#2701) 01af04ed
React JSX
- Added support for general spread expressions (#2754) 9f59f52d
- Added support for comments inside tags (#2728) 30b0444f
reST (reStructuredText)
- Fixed inline pattern (#2946) a7656de6
Ruby
- Added heredoc literals (#2885) 20b77bff
- Added missing regex flags (#2845) 3786f396
- Added missing regex interpolation (#2841) f08c2f7f
Scheme
- Added support for high Unicode characters (#2693) 0e61a7e1
- Added bracket support (#2813) 1c6c0bf3
Shell session
- Fixed multi-line commands (#2872) cda976b1
- Commands prefixed with a path are now detected (#2686) c83fd0b8
SQL
- Added ILIKE operator (#2704) 6e34771f
Swift
- Added some keyword (#2756) cf354ef5
TypeScript
- Updated keywords (#2861) fe98d536
- Added support for decorators (#2820) 31cc2142
VB.Net
- Improved strings, comments, and punctuation (#2782) a68f1fb6
Xojo (REALbasic)
- REM is no longer highlighted as a keyword in comments (#2823) ebbbfd47
- Added last missing Keyword "Selector" (#2807) e32e043b
- Added missing keywords (#2805) 459365ec

Updated plugins

Made Match Braces and Custom Class compatible (#2947) 4b55bd6a
Consistent Prism check (#2788) 96335642
Command Line
- Don't modify empty code blocks (#2896) c81c3319
Copy to Clipboard
- Removed ClipboardJS dependency (#2784) d5e14e1a
- Fixed clipboard.writeText not working inside iFrames (#2826) 01b7b6f7
- Added support for custom styles (#2789) 4d7f75b0
- Make copy-to-clipboard configurable with multiple attributes (#2723) 2cb909e1
File Highlight
- Fixed Prism check (#2827) 53d34b22
Line Highlight
- Fixed linkable line numbers not being initialized (#2732) ccc73ab7
Previewers
- Use `classLi

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

Apr 26 '21 17:04 renovate[bot]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

Apr 26 '21 17:04 CLAassistant

Deploy preview ready.

Built with commit ac21e04abab397277a9cf49727a432555204454c

https://deploy-preview-188--fusionjs.netlify.app

Apr 26 '21 17:04 UberOpenSourceBot

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Mar 24 '23 23:03 renovate[bot]