Skip to content

fix(deps): update dependency katex to v0.16.21 [security] #1403

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
r0b1n merged 1 commit into from
May 26, 2025
Merged

fix(deps): update dependency katex to v0.16.21 [security] #1403

r0b1n merged 1 commit into from
May 26, 2025

Conversation

@uicontent
Copy link
Collaborator

@uicontent uicontent commented Jan 20, 2025

This PR contains the following updates:

Package Type Update Change
katex (source) dependencies patch 0.16.11 -> 0.16.21

GitHub Vulnerability Alerts

CVE-2025-23207

Impact

KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML.

Patches

Upgrade to KaTeX v0.16.21 to remove this vulnerability.

Workarounds

  • Avoid use of or turn off the trust option, or set it to forbid \htmlData commands.
  • Forbid inputs containing the substring "\\htmlData".
  • Sanitize HTML output from KaTeX.

Details

\htmlData did not validate its attribute name argument, allowing it to generate invalid or malicious HTML that runs scripts.

For more information

If you have any questions or comments about this advisory:

Release Notes

KaTeX/KaTeX (katex)

v0.16.21

Compare Source

Bug Fixes
  • escape \htmlData attribute name (57914ad)

v0.16.20

Compare Source

Bug Fixes

v0.16.19

Compare Source

Bug Fixes

v0.16.18

Compare Source

Bug Fixes

v0.16.17

Compare Source

Bug Fixes
  • MathML combines multidigit numbers with sup/subscript, comma separators, and multicharacter text when outputting to DOM (#​3999) (7d79e22), closes #​3995

v0.16.16

Compare Source

Features

v0.16.15

Compare Source

Features
  • italic sans-serif in math mode via \mathsfit command (#​3998) (2218901)

v0.16.14

Compare Source

Features

v0.16.13

Compare Source

Bug Fixes

v0.16.12

Compare Source

Features

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.

@uicontent uicontent added the dependencies Pull requests that update a dependency file label Jan 20, 2025
@uicontent uicontent requested a review from a team as a code owner January 20, 2025 08:18
@uicontent uicontent force-pushed the deps/npm-katex-vulnerability branch 4 times, most recently from 73663e3 to c6f6a3e Compare January 29, 2025 08:17
iobuhov
iobuhov previously approved these changes Jan 29, 2025
View reviewed changes
@uicontent uicontent force-pushed the deps/npm-katex-vulnerability branch 3 times, most recently from d3c1ae7 to 324c4d3 Compare February 4, 2025 08:17
@uicontent uicontent force-pushed the deps/npm-katex-vulnerability branch 6 times, most recently from e4ff07f to f0d0ace Compare February 13, 2025 08:17
@uicontent uicontent force-pushed the deps/npm-katex-vulnerability branch from f0d0ace to ddc2c67 Compare February 14, 2025 08:17
leonardomendix
leonardomendix previously approved these changes Feb 14, 2025
View reviewed changes
@uicontent uicontent force-pushed the deps/npm-katex-vulnerability branch 6 times, most recently from b5cc609 to 7d9cb74 Compare February 24, 2025 08:18
@uicontent uicontent force-pushed the deps/npm-katex-vulnerability branch 3 times, most recently from f1a0276 to 55e60fc Compare February 28, 2025 08:18
@uicontent uicontent force-pushed the deps/npm-katex-vulnerability branch 5 times, most recently from 9918b18 to ca710ff Compare May 6, 2025 08:20
@uicontent uicontent force-pushed the deps/npm-katex-vulnerability branch 4 times, most recently from fef5a2a to a9173cf Compare May 14, 2025 08:20
@uicontent uicontent force-pushed the deps/npm-katex-vulnerability branch 4 times, most recently from 1619a7f to 9065067 Compare May 22, 2025 08:20
@r0b1n r0b1n force-pushed the deps/npm-katex-vulnerability branch from 9065067 to 36feba7 Compare May 26, 2025 07:57
rahmanunver
rahmanunver previously approved these changes May 26, 2025
View reviewed changes
iobuhov
iobuhov previously approved these changes May 26, 2025
View reviewed changes
@uicontent uicontent dismissed stale reviews from iobuhov and rahmanunver via ecd80e8 May 26, 2025 08:29
@uicontent uicontent force-pushed the deps/npm-katex-vulnerability branch from 36feba7 to ecd80e8 Compare May 26, 2025 08:29
@r0b1n r0b1n force-pushed the deps/npm-katex-vulnerability branch from ecd80e8 to aea1d22 Compare May 26, 2025 08:42
@r0b1n r0b1n merged commit d33cab5 into main May 26, 2025
20 of 22 checks passed
@r0b1n r0b1n deleted the deps/npm-katex-vulnerability branch May 26, 2025 09:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@r0b1n r0b1n r0b1n approved these changes

@iobuhov iobuhov iobuhov approved these changes

@rahmanunver rahmanunver rahmanunver left review comments

@leonardomendix leonardomendix leonardomendix left review comments

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file rich-text-web

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@uicontent @r0b1n @iobuhov @rahmanunver @leonardomendix @renovate-bot