Skip to content

dep: [security] bump commonmarker from 0.23.6 to 0.23.7

George Koltsov requested to merge dependabot-bundler-commonmarker-0.23.7 into main

Bumps commonmarker from 0.23.6 to 0.23.7. This update includes a security fix.

Vulnerabilities fixed

Several quadratic complexity bugs may lead to denial of service in Commonmarker

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

For more information, consult the release notes for version 0.23.0.gfm.7.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.7.

Patched versions: 0.23.7 Affected versions: < 0.23.7

Release notes

Sourced from commonmarker's releases.

v0.23.7

What's Changed

Full Changelog: https://github.com/gjtorikian/commonmarker/compare/v0.23.6...v0.23.7

v0.23.7.pre1

What's Changed

Full Changelog: https://github.com/gjtorikian/commonmarker/compare/v0.23.6...v0.23.7.pre1

Changelog

Sourced from commonmarker's changelog.

Changelog

v1.0.0.pre6 (2023-01-09)

Full Changelog

Closed issues:

  • Cargo.lock prevents Ruby 3.2.0 from installing commonmarker v1.0.0.pre4 #211

Merged pull requests:

  • always use rb_sys (don't use Ruby's emerging cargo tooling where available) #213 (kivikakk)

v1.0.0.pre5 (2023-01-08)

Full Changelog

Merged pull requests:

v1.0.0.pre4 (2022-12-28)

Full Changelog

Closed issues:

  • Will the cmark-gfm branch continue to be maintained for awhile? #207

Merged pull requests:

v1.0.0.pre3 (2022-11-30)

Full Changelog

Closed issues:

  • Code block incorrectly parsed in commonmarker 1.0.0.pre #202

Merged pull requests:

... (truncated)

Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • @dependabot-bot rebase will rebase this MR
  • @dependabot-bot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading