chore(deps-dev): update commonmark requirement from ^0.28.1 to ^0.29.0

[dependabot-preview]

Updates the requirements on commonmark to permit the latest version.

Release notes

Sourced from commonmark's releases.

commonmark.js 0.29.0

• Update spec to 0.29.
• Fix parsing of setext headers after reference link definitions.
• Fix code span normalization to conform to spec change.
• Allow empty destinations in link refs. See Empty destinations in link references commonmark/commonmark-spec#172.
• Update link destination parsing.
• dingus: add dependency version requirements (#159, Vas Sudanagunta). Dingus was rendering incorrectly with Bootstrap 4. Added a bower.json which requires Bootstrap, jQuery and Lodash with major version equal to what's currently live. Likewise the minimum patch version.
• package.json: Add version for bower in devDependencies.
• package.json - use ^ operator for versions.
• Allow internal delim runs to match if both have lengths that are multiples of 3. See Interior strong+emph not parsed commonmark/commonmark-spec#528.
• Remove now unused 'preserve_entities' option on escapeXml. This was formerly used (incorrectly) in the HTML renderer. It isn't needed any more. [API change]
• html renderer: Don't preserve entities when rendering href, src, title, info string. This gives rise to double-encoding errors, when the original markdown is e.g. :, since the commonmark reader already unescapes entities. Thanks to Sebastiaan Knijnenburg for noticing this.
• More efficient checking for loose lists. This fixes a case like Parsing ‘* * * * * * … a’ takes quadratic time commonmark/cmark#284.
• Disallow unescaped ( in parenthesized link title.
• Add pathological test (Parsing '[ (]([ (]([ (]([ (](...' takes quadratic time commonmark/cmark#285).
• Comment out failing pathological test for now.
• Add pathological tests for #157.
• Fix two exponential regex backtracking vulnerabilities (#157, Anders Kaseorg). ESCAPED_CHAR already matches \\, so matching it again in another alternative was causing exponential complexity explosion. This makes the following behavior changes: [foo\\\] is no longer incorrectly accepted as a link reference. <foo\> is no longer incorrectly accepted as an angle-bracketed link destination.
• package.json: require lodash >= 4.17.11.
• Require cached-path-relative >= 1.0.2. This fixes a security vulnerability, but it's only in the dev dependencies.
• Update fenced block parsing for spec change.
• Require space before title in reference link. See Not requiring space before link title commonmark/cmark#263.
• Update code span normalization for spec change.
• Removed meta from list of block tags. See Support for <meta itemprop=...> of Schema.org Semantic/Microdata Markup commonmark/commonmark-spec#527.
• make dist: ensure that comment line is included in dist files (#144). Also change URL to CommonMark/commonmark.js.
• Use local development dependencies (#142, Lynn Kirby). Packages used during development are now listed in devDependencies of package.json. Makefiles are updated to use those local versions. References to manually installing packages are removed from README.md and bench/bench.js. The package-lock.json file used in newer NPM versions is also added.
• Allow spaces in pointy-bracket link destinations.
• Adjust max length for decimal/numeric entities. See Character references: 8 hexadecimal digits are too much. commonmark/commonmark-spec#487.
• Don't allow escaped spaces in link destination. Closes Clarify if escaped space is allowed in link destination commonmark/commonmark-spec#493.
• Don't allow list items that are indented >= 4 spaces. See list item continuation line versus indented code block versus subsequent list commonmark/commonmark-spec#497.

Changelog

Sourced from commonmark's changelog.

[0.29.0]

• Update spec to 0.29.
• Fix parsing of setext headers after reference link definitions.
• Fix code span normalization to conform to spec change.
• Allow empty destinations in link refs. See Empty destinations in link references commonmark/commonmark-spec#172.
• Update link destination parsing.
• dingus: add dependency version requirements (#159, Vas Sudanagunta).
  Dingus was rendering incorrectly with Bootstrap 4. Added a bower.json
  which requires Bootstrap, jQuery and Lodash with major version equal
  to what's currently live. Likewise the minimum patch version.
• package.json: Add version for bower in devDependencies.
• package.json - use ^ operator for versions.
• Allow internal delim runs to match if both have lengths that
  are multiples of 3. See Interior strong+emph not parsed commonmark/commonmark-spec#528.
• Remove now unused 'preserve_entities' option on escapeXml.
  This was formerly used (incorrectly) in the HTML renderer.
  It isn't needed any more. [API change]
• html renderer: Don't preserve entities when rendering
  href, src, title, info string. This gives rise to double-encoding errors,
  when the original markdown is e.g. :, since the commonmark
  reader already unescapes entities. Thanks to Sebastiaan Knijnenburg for
  noticing this.
• More efficient checking for loose lists.
  This fixes a case like Parsing ‘* * * * * * … a’ takes quadratic time commonmark/cmark#284.
• Disallow unescaped ( in parenthesized link title.
• Add pathological test (Parsing '[ (]([ (]([ (]([ (](...' takes quadratic time commonmark/cmark#285).
• Comment out failing pathological test for now.
• Add pathological tests for #157.
• Fix two exponential regex backtracking vulnerabilities (#157,
  Anders Kaseorg). ESCAPED_CHAR already matches \\, so matching it again
  in another alternative was causing exponential complexity explosion.
  This makes the following behavior changes:
  [foo\\\] is no longer incorrectly accepted as a link reference.
  <foo\> is no longer incorrectly accepted as an angle-bracketed
  link destination.
• package.json: require lodash >= 4.17.11.
• Require cached-path-relative >= 1.0.2.
  This fixes a security vulnerability, but it's only
  in the dev dependencies.
• Update fenced block parsing for spec change.
• Require space before title in reference link.
  See Not requiring space before link title commonmark/cmark#263.
• Update code span normalization for spec change.
• Removed meta from list of block tags. See Support for <meta itemprop=...> of Schema.org Semantic/Microdata Markup commonmark/commonmark-spec#527.
• make dist: ensure that comment line is included in dist files (#144).
  Also change URL to CommonMark/commonmark.js.
• Use local development dependencies (#142, Lynn Kirby).
  Packages used during development are now listed in devDependencies of
  package.json. Makefiles are updated to use those local versions.

... (truncated)

Commits

• 05086ee Updaet dist.
• 72e53c4 Update changelog.
• 993bbe3 Fix parsing of setext headers after ref link defs.
• 21279c4 Update spec.
• 802b5f9 Bump to 0.29.0
• 1f3c7bc Updaet spec.
• 5a8b529 Fix code span normalization....
• 388d81d Update spec.
• 039020a ALlow empty destinations in link refs.
• 202e712 Update spec.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it). To ignore the version in this PR you can just close it
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[dependabot-preview]

Superseded by #72.