
[Security] Bump commonmarker from 0.23.8 to 0.23.9

George Koltsov requested to merge dependabot-bundler-commonmarker-0.23.9 into main

Bumps commonmarker from 0.23.8 to 0.23.9. This update includes a security fix.

Vulnerabilities fixed

Commonmarker vulnerable to several quadratic complexity bugs that may lead to denial of service

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

For more information, consult the release notes for versions 0.23.0.gfm.10 and 0.23.0.gfm.11.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.9.

Patched versions: 0.23.9
Affected versions: < 0.23.9
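Because the advisory is stated purely as a version boundary (anything below 0.23.9 is affected), the practical check for a Ruby project is whether its Gemfile.lock still pins an older commonmarker. The script below is an added example, not part of this merge request or the commonmarker project: it reads the locked version from a Gemfile.lock and compares it with the patched release using `Gem::Version` from Ruby's standard library. The lock-file snippet embedded in it is constructed for illustration and pins the affected 0.23.8; when run against a real repository, pass the path to the actual lock file.

```ruby
# Added example (not from the Dependabot MR or the commonmarker project):
# audit a Gemfile.lock for a commonmarker version below the patched release.
require "rubygems"

# Version boundary taken from the advisory text: "< 0.23.9" is affected.
PATCHED_COMMONMARKER = Gem::Version.new("0.23.9")

# Constructed sample of a Gemfile.lock that still pins the affected release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      commonmarker (0.23.8)
      rake (13.0.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    commonmarker
LOCK

# Return the locked version of a gem as a Gem::Version, or nil if the gem
# is not in the specs section. Direct spec entries in Gemfile.lock are
# indented by exactly four spaces; transitive dependency lines use six,
# so the anchored indent keeps us from matching a "commonmarker (~> x)" requirement.
def locked_version(lockfile_text, gem_name)
  match = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)/)
  match && Gem::Version.new(match[1])
end

# True when the locked commonmarker is older than the patched 0.23.9 release.
def commonmarker_vulnerable?(lockfile_text)
  version = locked_version(lockfile_text, "commonmarker")
  return false if version.nil? # gem not locked at all: nothing to flag
  version < PATCHED_COMMONMARKER
end

if __FILE__ == $PROGRAM_NAME
  # Use a real Gemfile.lock when one is given, otherwise the constructed sample.
  path = ARGV[0] || "Gemfile.lock"
  text = File.exist?(path) ? File.read(path) : SAMPLE_LOCKFILE
  version = locked_version(text, "commonmarker")
  if version.nil?
    puts "commonmarker is not locked in #{path}"
  elsif commonmarker_vulnerable?(text)
    puts "commonmarker #{version} is below #{PATCHED_COMMONMARKER}: upgrade (GHSA quadratic-complexity DoS)"
  else
    puts "commonmarker #{version} is at or above #{PATCHED_COMMONMARKER}: ok"
  end
end
```

This is the same comparison Dependabot performs before opening a merge request like this one, but having it as a one-file script is useful in CI for repositories where Dependabot is not enabled, or as a quick check that the bump actually landed in the lock file after the merge.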

Release notes

Sourced from commonmarker's releases.

v0.23.9

What's Changed

Full Changelog: https://github.com/gjtorikian/commonmarker/compare/v0.23.8...v0.23.9

Changelog

Sourced from commonmarker's changelog.

Changelog

v1.0.0.pre9 (2023-03-28)

Full Changelog

Merged pull requests:

v1.0.0.pre8 (2023-03-09)

Full Changelog

Closed issues:

  • Something changed in how header anchors are named in the output HTML #229
  • Problem with CommonMarker on an Azure VM #226
Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • @dependabot-bot rebase will rebase this MR
  • @dependabot-bot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
