fix(deps): update dependency prismjs to v1.23.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
prismjs	1.20.0 -> 1.23.0

GitHub Vulnerability Alerts

CVE-2020-15138

Impact

The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer.

This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the Previewers plugin (>=v1.10.0) or the Previewer: Easing plugin (v1.1.0 to v1.9.0).

Patches

This problem is patched in v1.21.0.

Workarounds

To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

References

The vulnerability was introduced by this commit on Sep 29, 2015 and fixed by Masato Kinugawa (#​2506).

For more information

If you have any questions or comments about this advisory, please open an issue.

CVE-2021-23341

The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

---

Release Notes

PrismJS/prism

v1.23.0

Compare Source

New components

• Apex (#​2622) f0e2b70e
• DataWeave (#​2659) 0803525b
• PromQL (#​2628) 8831c706

Updated components

• Fixed multiple vulnerable regexes (#​2584) c2f6a644
• Apache Configuration
  • Update directive-flag to match = (#​2612) 00bf00e3
• C-like
  • Made all comments greedy (#​2680) 0a3932fe
• C
  • Better class name and macro name detection (#​2585) 129faf5c
• Content-Security-Policy
  • Added missing directives and keywords (#​2664) f1541342
  • Do not highlight directive names with adjacent hyphens (#​2662) a7ccc16d
• CSS
  • Better HTML style attribute tokenization (#​2569) b04cbafe
• Java
  • Improved package and class name detection (#​2599) 0889bc7c
  • Added Java 15 keywords (#​2567) 73f81c89
• Java stack trace
  • Added support stack frame element class loaders and modules (#​2658) 0bb4f096
• Julia
  • Removed constants that are not exported by default (#​2601) 093c8175
• Kotlin
  • Added support for backticks in function names (#​2489) a5107d5c
• Latte
  • Fixed exponential backtracking (#​2682) 89f1e182
• Markdown
  • Improved URL tokenization (#​2678) 2af3e2c2
  • Added support for YAML front matter (#​2634) 5cf9cfbc
• PHP
  • Added support for PHP 7.4 + other major improvements (#​2566) 38808e64
  • Added support for PHP 8.0 features (#​2591) df922d90
  • Removed C-like dependency (#​2619) 89ebb0b7
  • Fixed exponential backtracking (#​2684) 37b9c9a1
• Sass (Scss)
  • Added support for Sass modules (#​2643) deb238a6
• Scheme
  • Fixed number pattern (#​2648) e01ecd00
  • Fixed function and function-like false positives (#​2611) 7951ca24
• Shell session
  • Fixed false positives because of links in command output (#​2649) 8e76a978
• TSX
  • Temporary fix for the collisions of JSX tags and TS generics (#​2596) 25bdb494

Updated plugins

• Made Autoloader and Diff Highlight compatible (#​2580) 7a74497a
• Copy to Clipboard Button
  • Set type="button" attribute for copy to clipboard plugin (#​2593) f59a85f1
• File Highlight
  • Fixed IE compatibility problem (#​2656) 3f4ae00d
• Line Highlight
  • Fixed top offset in combination with Line numbers (#​2237) b40f8f4b
  • Fixed print background color (#​2668) cdb24abe
• Line Numbers
  • Fixed null reference (#​2605) 7cdfe556
• Treeview
  • Fixed icons on dark themes (#​2631) 7266e32f
• Unescaped Markup
  • Refactoring (#​2445) fc602822

Other

• Readme: Added alternative link for Chinese translation 071232b4
• Readme: Removed broken icon for Chinese translation (#​2670) 2ea202b9
• Readme: Grammar adjustments (#​2629) f217ab75
• Core
  • Moved pattern matching + lookbehind logic into function (#​2633) 24574406
  • Fixed bug with greedy matching (#​2632) 8fa8dd24
• Infrastructure
  • Migrate from TravisCI -> GitHub Actions (#​2606) 69132045
  • Added Dangerfile and provide bundle size info (#​2608) 9df20c5e
  • New start script to start local server (#​2491) 0604793c
  • Added test for exponential backtracking (#​2590) 05afbb10
  • Added test for polynomial backtracking (#​2597) e644178b
  • Tests: Better pretty print (#​2600) 8bfcc819
  • Tests: Fixed sorted language list test (#​2623) 2d3a1267
  • Tests: Stricter pattern for nice-token-names test (#​2588) 0df60be1
  • Tests: Added strict checks for Prism.languages.extend (#​2572) 8828500e
• Website
  • Test page: Added "Share" option (#​2575) b5f4f10e
  • Test page: Don't trigger ad-blockers with class (#​2677) df0738e9
  • Thousands -> millions 9f82de50
  • Unescaped Markup: More doc regarding comments (#​2652) add3736a
  • Website: Added and updated documentation (#​2654) 8e660495
  • Website: Updated and improved guide on "Extending Prism" page (#​2586) 8e1f38ff

v1.22.0

Compare Source

New components

• Birb (#​2542) 4d31e22a
• BSL (1C:Enterprise) & OneScript (#​2520) 5c33f0bb
• MongoDB (#​2518) 004eaa74
• Naninovel Script (#​2494) 388ad996
• PureScript (#​2526) ad748a00
• SML & SML/NJ (#​2537) cb75d9e2
• Stan (#​2490) 2da2beba
• TypoScript & TSConfig (#​2505) bf115f47

Updated components

• Removed duplicate alternatives in various languages (#​2524) fa2225ff
• Haskell
  • Improvements (#​2535) e023044c
• JS Extras
  • Highlight import and export bindings (#​2533) c51ababb
  • Added control-flow keywords (#​2529) bcef22af
• PHP
  • Added match keyword (PHP 8.0) (#​2574) 1761513e
• Processing
  • Fixed function pattern (#​2564) 35cbc02f
• Regex
  • Changed how languages embed regexes (#​2532) f62ca787
• Rust
  • Fixed Unicode char literals (#​2550) 3b4f14ca
• Scheme
  • Added support for R7RS syntax (#​2525) e4f6ccac
• Shell session
  • Added aliases (#​2548) bfb36748
  • Highlight all commands after the start of any Heredoc string (#​2509) 6c921801
• YAML
  • Improved key pattern (#​2561) 59853a52

Updated plugins

• Autoloader
  • Fixed file detection regexes (#​2549) d36ea993
• Match braces
  • Fixed JS interpolation punctuation (#​2541) 6b47133d
• Show Language
  • Added title for plain text (#​2555) a409245e

Other

• Tests: Added an option to accept the actual token stream (#​2515) bafab634
• Core
  • Docs: Minor improvement (#​2513) 206dc80f
• Infrastructure
  • JSDoc: Fixed line ends (#​2523) bf169e5f
• Website
  • Website: Added new SB101 tutorial replacing the Crambler one (#​2576) 655f985c
  • Website: Fix typo on homepage by adding missing word add (#​2570) 8ae6a4ba
  • Custom class: Improved doc (#​2512) 5ad6cb23

v1.21.0

Compare Source

New components

• .ignore & .gitignore & .hgignore & .npmignore (#​2481) 3fcce6fe
• Agda (#​2430) 3a127c7d
• AL (#​2300) de21eb64
• Cypher (#​2459) 398e2943
• Dhall (#​2473) 649e51e5
• EditorConfig (#​2471) ed8fff91
• HLSL (#​2318) 87a5c7ae
• JS stack trace (#​2418) ae0327b3
• PeopleCode (#​2302) bd4d8165
• PureBasic (#​2369) d0c1c70d
• Racket (#​2315) 053016ef
• Smali (#​2419) 22eb5cad
• Structured Text (IEC 61131-3) (#​2311) 8704cdfb
• UnrealScript (#​2305) 1093ceb3
• WarpScript (#​2307) cde5b0fa
• XML doc (.net) (#​2340) caec5e30
• YANG (#​2467) ed1df1e1

Updated components

• Markup & JSON: Added new aliases (#​2390) 9782cfe6
• Fixed several cases of exponential backtracking (#​2268) 7a554b5f
• APL
  • Added ⍥ (#​2409) 0255cb6a
• AutoHotkey
  • Added missing format built-in (#​2450) 7c66cfc4
  • Improved comments and other improvements (#​2412) ddf3cc62
  • Added missing definitions (#​2400) 4fe03676
• Bash
  • Added composer command (#​2298) 044dd271
• Batch
  • Fix escaped double quote (#​2485) f0f8210c
• C
  • Improved macros and expressions (#​2440) 8a72fa6f
  • Improved macros (#​2320) fdcf7ed2
• C#
  • Improved pattern matching (#​2411) 7f341fc1
  • Fixed adjacent string interpolations (#​2402) 2a2e79ed
• C++
  • Added support for default comparison operator (#​2426) 8e9d161c
  • Improved class name detection (#​2348) e3fe9040
  • Fixed enum class class names (#​2342) 30b4e254
• Content-Security-Policy
  • Fixed directives (#​2461) 537a9e80
• CSS
  • Improved url and added keywords (#​2432) 964de5a1
• CSS Extras
  • Optimized class and id patterns (#​2359) fdbc4473
  • Renamed attr-{name,value} tokens and added tokens for combinators and selector lists (#​2373) e523f5d0
• Dart
  • Added missing keywords (#​2355) 4172ab6f
• Diff
  • Added prefix token (#​2281) fd432a5b
• Docker
  • Fixed strings inside comments (#​2428) 37273a6f
• EditorConfig
  • Trim spaces before key and section title (#​2482) 0c30c582
• EJS
  • Added eta alias (#​2282) 0cfb6c5f
• GLSL
  • Improvements (#​2321) 33e49956
• GraphQL
  • Added missing keywords (#​2407) de8ed16d
  • Added support for multi-line strings and descriptions (#​2406) 9e64c62e
• Io
  • Fixed operator pattern (#​2365) d6055771
• Java
  • Fixed namespace token (#​2295) 62e184bb
• JavaDoc
  • Improvements (#​2324) 032910ba
• JavaScript
  • Improved regex detection (#​2465) 4f55052f
  • Improved get/set and parameter detection (#​2387) ed715158
  • Added support for logical assignment operators (#​2378) b28f21b7
• JSDoc
  • Improvements (#​2466) 2805ae35
• JSON
  • Greedy comments (#​2479) 158caf52
• Julia
  • Improved strings, comments, and other patterns (#​2363) 81cf2344
• Kotlin
  • Added kt and kts aliases (#​2474) 67f97e2e
• Markup
  • Added tokens inside DOCTYPE (#​2349) 9c7bc820
  • Added attr-equals alias for the attribute = sign (#​2350) 96a0116e
  • Added alias for named entities (#​2351) ab1e34ae
  • Added support for SSML (#​2306) eb70070d
• Objective-C
  • Added objc alias (#​2331) 67c6b7af
• PowerShell
  • New functions pattern bases on naming conventions (#​2301) fec39bcf
• Protocol Buffers
  • Added support for RPC syntax (#​2414) 939a17c4
• Pug
  • Improved class and id detection in tags (#​2358) 7f948ecb
• Python
  • Fixed empty multiline strings (#​2344) c9324476
• Regex
  • Added aliases and minor improvements (#​2325) 8a72830a
• Ren'py
  • Added rpy alias (#​2385) 4935b5ca
• Ruby
  • Optimized regex and string patterns (#​2354) b526e8c0
• Rust
  • Improvements (#​2464) 2ff40fe0
  • Improvements (#​2332) 194c5429
• SAS
  • Improved macro string functions (#​2463) 278316ca
  • Handle edge case of string macro functions (#​2451) a0a9f1ef
  • Improved comments in proc groovy and proc lua (#​2392) 475a5903
• Scheme
  • Adjusted lookbehind for literals (#​2396) 1e3f542b
  • Improved lambda parameter (#​2346) 1946918a
  • Consistent lookaheads (#​2322) d2541d54
  • Improved boolean (#​2316) e27e65af
  • Added missing special keywords (#​2304) ac297ba5
  • Improvements (#​2263) 9a49f78f
• Solidity (Ethereum)
  • Added sol alias (#​2382) 6352213a
• SQL
  • Added PostgreSQL RETURNING keyword (#​2476) bea7a585
• Stylus
  • Fixed comments breaking declarations + minor improvements (#​2372) 6d663b6e
  • New tokens and other improvements (#​2368) 2c10ef8a
  • Fixed comments breaking strings and URLs (#​2361) 0d65d6c9
• T4 Text Templates (VB)
  • Use the correct VB variant (#​2341) b6093339
• TypeScript
  • Added asserts keyword and other improvements (#​2280) a197cfcd
• Visual Basic
  • Added VBA alias (#​2469) 78161d60
  • Added until keyword (#​2423) a13ee8d9
  • Added missing keywords (#​2376) ba5ac1da

Updated plugins

• File Highlight & JSONP Highlight update (#​1974) afea17d9
• Added general de/activation mechanism for plugins (#​2434) a36e96ab
• Autoloader
  • Fixed bug breaking Autoloader (#​2449) a3416bf3
  • Fixed data-dependencies and extensions (#​2326) 1654b25f
  • Improved path detection and other minor improvements (#​2245) 5cdc3251
• Command Line
  • Some refactoring (#​2290) 8c9c2896
  • Correctly rehighlight elements (#​2291) e6b2c6fc
• Line Highlight
  • Added linkable line numbers (#​2328) eb82e804
• Line Numbers
  • Improved resize performance (#​2125) b96ed225
  • Fixed TypeError when lineNumberWrapper is null (#​2337) 4b61661d
  • Exposed _resizeElement function (#​2288) 893f2a79
• Previewers
  • Fixed XSS (#​2506) 8bba4880
• Unescaped Markup
  • No longer requires Prism.languages.markup (#​2444) af132dd3

Updated themes

• Coy
  • Minor improvements (#​2176) 7109c18c
• Default
  • Added a comment that declares the background color of operator tokens as intentional (#​2309) 937e2691
• Okaidia
  • Update comment text color to meet WCAG contrast recommendations to AA level (#​2292) 06495f90

Other

• Changelog: Fixed v1.20.0 release date cb6349e2
• Core
  • Fixed greedy matching bug (#​2032) 40285203
  • Added JSDoc (#​1782) 4ff555be
• Infrastructure
  • Update Git repo URL in package.json (#​2334) 10f43275
  • Added docs to ignore files (#​2437) 05c9f20b
  • Added npm run build command (#​2356) ff74a610
  • gulp: Improved inlineRegexSource (#​2296) abb800dd
  • gulp: Fixed language map (#​2283) 11053193
  • gulp: Removed premerge task (#​2357) 5ff7932b
  • Tests are now faster (#​2165) e756be3f
  • Tests: Added extra newlines in pretty token streams (#​2070) 681adeef
  • Tests: Added test for identifier support across all languages (#​2371) 48fac3b2
  • Tests: Added test to sort the language list (#​2222) a3758728
  • Tests: Always pretty-print token streams (#​2421) 583e7eb5
  • Tests: Always use components.json (#​2370) e416341f
  • Tests: Better error messages for pattern tests (#​2364) 10ca6433
  • Tests: Included console in VM context (#​2353) b4ed5ded
• Website
  • Fixed typos "Prims" (#​2455) dfa5498a
  • New assets directory for all web-only files (#​2180) 91fdd0b1
  • Improvements (#​2053) ce0fa227
  • Fixed Treeview page (#​2484) a0efa40b
  • Line Numbers: Fixed class name on website 453079bf
  • Line Numbers: Improved documentation (#​2456) 447429f0
  • Line Numbers: Style inline code on website (#​2435) ad9c13e2
  • Filter highlightAll: Fixed typo (#​2391) 55bf7ec1

---

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box.

---

This PR has been generated by WhiteSource Renovate. View repository job log here.