New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency katex to v0.16.21 [security] #1403

Open

uicontent wants to merge 1 commit into main from deps/npm-katex-vulnerability

Collaborator

uicontent commented Jan 20, 2025

This PR contains the following updates:

Package	Type	Update	Change
katex (source)	dependencies	patch	`0.16.11` -> `0.16.21`

GitHub Vulnerability Alerts

CVE-2025-23207

Impact

KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML.

Patches

Upgrade to KaTeX v0.16.21 to remove this vulnerability.

Workarounds

Avoid use of or turn off the trust option, or set it to forbid \htmlData commands.
Forbid inputs containing the substring "\\htmlData".
Sanitize HTML output from KaTeX.

Details

\htmlData did not validate its attribute name argument, allowing it to generate invalid or malicious HTML that runs scripts.

For more information

If you have any questions or comments about this advisory:

Open an issue or security advisory in the KaTeX repository
Email us at [email protected]

Release Notes

KaTeX/KaTeX (katex)

`v0.16.21`

Bug Fixes

escape \htmlData attribute name (57914ad)

`v0.16.20`

Bug Fixes

\providecommand does not overwrite existing macro (#4000) (6d30fe4), closes #3928

`v0.16.19`

Bug Fixes

types: improve strict function type (#4009) (4228b4e)

`v0.16.18`

Bug Fixes

Actually publish TypeScript type definitions (#4008) (629b873)

`v0.16.17`

Bug Fixes

MathML combines multidigit numbers with sup/subscript, comma separators, and multicharacter text when outputting to DOM (#3999) (7d79e22), closes #3995

`v0.16.16`

Features

ESM exports, TypeScript types (#3992) (ea9c173)

`v0.16.15`

Features

italic sans-serif in math mode via \mathsfit command (#3998) (2218901)

`v0.16.14`

Features

\dddot and \ddddot support (#3834) (bda35cd), closes #2744

`v0.16.13`

Bug Fixes

\vdots and \rule support in text mode (#3997) (0e08352), closes #3990

`v0.16.12`

Features

css: configurable margin for display math (#3638) (3405001)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.

uicontent added the dependencies label

uicontent requested a review from a team as a code owner

January 20, 2025 08:18

uicontent force-pushed the deps/npm-katex-vulnerability branch 4 times, most recently from 73663e3 to c6f6a3e Compare

January 29, 2025 08:17

iobuhov previously approved these changes

View reviewed changes

uicontent dismissed iobuhov’s stale review via

f25d151

January 30, 2025 08:16

uicontent force-pushed the deps/npm-katex-vulnerability branch 3 times, most recently from d3c1ae7 to 324c4d3 Compare

February 4, 2025 08:17

uicontent force-pushed the deps/npm-katex-vulnerability branch 5 times, most recently from db5755d to e4ff07f Compare

February 12, 2025 08:18


          fix(deps): update dependency katex to v0.16.21 [security]

f0d0ace

uicontent force-pushed the deps/npm-katex-vulnerability branch from e4ff07f to f0d0ace Compare

February 13, 2025 08:17

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels