Commonmark

Latest version: v0.9.1


0.29.0

* Update spec to 0.29.
* Fix parsing of setext headers after reference link definitions.
* Fix code span normalization to conform to spec change.
* Allow empty destinations in link refs. See commonmark/commonmark#172.
* Update link destination parsing.
* dingus: add dependency version requirements (#159, Vas Sudanagunta).
Dingus was rendering incorrectly with Bootstrap 4. Added a bower.json
which requires Bootstrap, jQuery and Lodash with major version equal
to what's currently live. Likewise the minimum patch version.
* package.json: Add version for bower in devDependencies.
* package.json - use `^` operator for versions.
* Allow internal delim runs to match if both have lengths that
are multiples of 3. See commonmark/commonmark#528.
* Remove now unused 'preserve_entities' option on escapeXml.
This was formerly used (incorrectly) in the HTML renderer.
It isn't needed any more. [API change]
* html renderer: Don't preserve entities when rendering
href, src, title, info string. This gives rise to double-encoding errors,
when the original markdown is e.g. `:`, since the commonmark
reader already unescapes entities. Thanks to Sebastiaan Knijnenburg for
noticing this.
* More efficient checking for loose lists.
This fixes a case like commonmark/cmark#284.
* Disallow unescaped `(` in parenthesized link title.
* Add pathological test (commonmark/cmark#285).
* Comment out failing pathological test for now.
* Add pathological tests for #157.
* Fix two exponential regex backtracking vulnerabilities (#157,
Anders Kaseorg). ESCAPED_CHAR already matches `\\`, so matching it again
in another alternative was causing exponential complexity explosion.
This makes the following behavior changes:
`[foo\\\]` is no longer incorrectly accepted as a link reference.
`<foo\>` is no longer incorrectly accepted as an angle-bracketed
link destination.
* package.json: require lodash >= 4.17.11.
* Require cached-path-relative >= 1.0.2.
This fixes a security vulnerability, but it's only
in the dev dependencies.
* Update fenced block parsing for spec change.
* Require space before title in reference link.
See commonmark/cmark#263.
* Update code span normalization for spec change.
* Removed meta from list of block tags. See commonmark/CommonMark#527.
* make dist: ensure that comment line is included in dist files (#144).
Also change URL to CommonMark/commonmark.js.
* Use local development dependencies (#142, Lynn Kirby).
Packages used during development are now listed in devDependencies of
package.json. Makefiles are updated to use those local versions.
References to manually installing packages are removed from README.md
and bench/bench.js. The package-lock.json file used in newer NPM
versions is also added.
* Allow spaces in pointy-bracket link destinations.
* Adjust max length for decimal/numeric entities.
See commonmark/CommonMark#487.
* Don't allow escaped spaces in link destination.
Closes commonmark/CommonMark#493.
* Don't allow list items that are indented >= 4 spaces.
See commonmark/CommonMark#497.
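The regex backtracking entry above can be illustrated with a small model. This is an added example, not code from commonmark.js: it simulates a backtracking matcher for a bracketed label and counts attempts when two alternatives both match `\\`. The names `matchLabel`, `attempts`, `redundant` and `fixed` are hypothetical.

```javascript
// Constructed model of a backtracking match for:  "[" (ALT1 | ALT2 | ...)* "]"
// Each alternative returns how many characters it consumes at index i (0 = no match).
const PUNCT = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";

// Backslash followed by ASCII punctuation (this already covers "\\").
const escapedChar = (s, i) =>
  s[i] === "\\" && i + 1 < s.length && PUNCT.includes(s[i + 1]) ? 2 : 0;
// Redundant alternative: matches "\\" a second time.
const doubleBackslash = (s, i) => (s.startsWith("\\\\", i) ? 2 : 0);
// Any character other than a backslash or a bracket.
const plainChar = (s, i) =>
  i < s.length && !"\\[]".includes(s[i]) ? 1 : 0;

function matchLabel(alts, input) {
  let steps = 0;
  // Greedy star: try every alternative first, then fall back to the closing "]".
  function star(pos) {
    steps++;
    for (const alt of alts) {
      const n = alt(input, pos);
      if (n > 0 && star(pos + n)) return true;
    }
    return input[pos] === "]" && pos + 1 === input.length;
  }
  const matched = input[0] === "[" && star(1);
  return { matched, steps };
}

const redundant = [escapedChar, doubleBackslash, plainChar]; // two ways to match "\\"
const fixed = [escapedChar, plainChar];                      // one way to match "\\"

// Constructed worst case: "[" plus `pairs` copies of "\\" and no closing bracket,
// so the match must fail and every combination of alternatives gets explored.
function attempts(alts, pairs) {
  return matchLabel(alts, "[" + "\\\\".repeat(pairs)).steps;
}

for (const pairs of [4, 8, 16]) {
  console.log(pairs, "pairs:",
    "redundant =", attempts(redundant, pairs),
    "fixed =", attempts(fixed, pairs));
}
```

With the overlapping alternative the attempt count doubles for every extra `\\` pair in the input; with it removed, the count grows by one per pair.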

0.28.1

* Update changelog (omitted from 0.28.0 release).

0.28.0

* Update spec to 0.28.
* Align punctuation regex with spec (#121). Previously some ASCII
punctuation characters were not being counted, so `^_test_` came out
without emphasis, for example.
* Simplified a logical test, making it closer to the wording of the spec.
* Don't parse reference def if last `]` is escaped (#468).
E.g.

    [\ ]

    [\]: test
* Dingus Makefile: remove ref to obsolete html.js.
* Removed obsolete lib/xml.js (replaced by lib/render/xml.js).
* Allow tabs before and after ATX closing header (Erik Edrosa).
* Change precedence of Strong/Emph when both nestings possible.
This accommodates the spec change to rule 14.
Note that commonmark.js was not previously in conformity
with rule 14 for things like `***hi****`.
* Calculate "multiple of 3" for delim runs based on original number
of delims, not the number remaining after some have been
used.
* Make esc() method abstract and overridable (muji).
* README: update documentation for overriding softbreak and esc (#118).
* Remove old XMLRenderer implementation (muji).
* package.json: use shorter form for repository.
* Don't export version in lib/index.js.
Instead, users can get version from package.json:
`require('commonmark/package.json').version`.
* Removed remnants of old html renderer (#113).
Now we use lib/renderer/html.js.
* Hand-rolled parser for link destinations.
This allows nested parens, as now required by the spec.
* Fix regression test example (Colin O'Dell).
* dingus: Fixed iframe on load.

0.27.0

* Update spec to 0.27.
* Use correct name in DOCTYPE declaration for XML output.
It should be document, not CommonMark.
* Fix Node type names in README (Jan Marthedal Rasmussen).
* Allow shortcut link before a `(`. See jgm/CommonMark#427.
* Added all characters in Pc, Pd, Pe, Pf, Pi, Po, Ps to rePunctuation
(#108, problem not recognizing East Asian punctuation).
* Allow tab after setext header line (#109).
* Recognize h2..h6 as block tags (see jgm/CommonMark#430).
* Enforce spec's distinction between Unicode whitespace and regular whitespace
(Timothy Gu, see jgm/CommonMark#343). Per ECMA-262 6th Edition
("ECMAScript 2015") §21.2.2.12 [CharacterClassEscape], the JavaScript `\s`
escape character matches the characters specified by "Unicode whitespace,"
but not "whitespace." Rename the existing regular expression variable to
`UnicodeWhitespace`, and create and use a new regular expression variable
that only matches the limited set of "whitespace" characters.
* Removed unused definition.
* Update README.md on overriding softbreak and escaping in
renderer (#118).

0.26.0

* Implemented spec changes to lists:
- Don't allow ordered lists to interrupt a paragraph unless
they start with 1.
- Remove two-blanks-break-out-of-lists feature.
- Blank list item can't interrupt paragraph.
* Fixed minor regex bug with raw HTML blocks (#98).
This would affect things like:

    <a>[SPACE][SPACE]
    x

which, with the change, gets parsed as a raw HTML block, instead of a
single paragraph with inline HTML, a line break, and 'x'. The new
behavior conforms to the spec. See 7 in 4.6. Added regression.
* Remove unnecessary check (Nik Ryby). It looks like `columns` is always
true in this block, so there's no need to check it during the assignment
to `count`.
* Simplify and optimize brackets processing (links/images) (Robin Stocker).
Together, these changes make the "nested brackets 10000 deep"
pathological case go from 400 ms to 20 ms.
* Changes in emph/strong emph parsing to match changes in spec.
This implements the rule that we can't have emphasis matches
when (a) one of the delimiters can open AND can close, and (b)
the sum of the lengths of the delimiter runs containing open
and close delimiters is a multiple of 3.
* Fix use of a non-existent property (Maksim Dzikun).
* Fixed tabs in ATX headers and thematic breaks.
* Remove unused write-only variable (Maksim Dzikun).

0.25.1

* Ensure that `advanceNextNonspace` resets `partiallyConsumedTab`.
This fixes a regression in which the first character after a tab
would sometimes be dropped.
* Added regression tests.
* XML renderer: escape attribute values (muji).
* Fix dingus vulnerability (muji). Use an iframe and innerHTML to prevent
`<script>` tags from executing.
* Dingus: let preview show when query has `text=`. Previously we had
these URLs open the HTML pane first, but now that we have XSS protection
(the iframe), it should be okay to open the preview pane first.
* Dingus: don't print sourcepos attributes in HTML/AST view.
