Skip to content

chore(deps): update dependency markdown-it to v14.1.1 [security]#26

Open
renovate-sh-app[bot] wants to merge 1 commit intomainfrom
renovate/npm-markdown-it-vulnerability
Open

chore(deps): update dependency markdown-it to v14.1.1 [security]#26
renovate-sh-app[bot] wants to merge 1 commit intomainfrom
renovate/npm-markdown-it-vulnerability

Conversation

@renovate-sh-app
Copy link
Copy Markdown
Contributor

@renovate-sh-app renovate-sh-app Bot commented Feb 13, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
markdown-it 14.1.014.1.1 age confidence

GitHub Vulnerability Alerts

CVE-2026-2327

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.

Severity
  • CVSS Score: 5.5 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

markdown-it is has a Regular Expression Denial of Service (ReDoS)

CVE-2026-2327 / GHSA-38c4-r59v-3vqw

More information

Details

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.

Severity

  • CVSS Score: 5.5 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

markdown-it/markdown-it (markdown-it)

v14.1.1

Compare Source

Security
  • Fixed regression from v13 in linkify inline rule. Specific patterns could
    cause high CPU use. Thanks to @​ltduc147 for report.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

@renovate-sh-app renovate-sh-app Bot requested a review from a team as a code owner February 13, 2026 22:53
@renovate-sh-app renovate-sh-app Bot requested review from ifrost and mdvictor February 13, 2026 22:53
@renovate-sh-app renovate-sh-app Bot force-pushed the renovate/npm-markdown-it-vulnerability branch from 00f5bcc to efbdc07 Compare March 9, 2026 22:42
@renovate-sh-app renovate-sh-app Bot changed the title chore(deps): update dependency markdown-it to v14.1.1 [security] Update dependency markdown-it to v14.1.1 [SECURITY] Apr 20, 2026
@renovate-sh-app renovate-sh-app Bot changed the title Update dependency markdown-it to v14.1.1 [SECURITY] Update dependency markdown-it to v14.1.1 [SECURITY] - autoclosed Apr 20, 2026
@renovate-sh-app renovate-sh-app Bot closed this Apr 20, 2026
@renovate-sh-app renovate-sh-app Bot deleted the renovate/npm-markdown-it-vulnerability branch April 20, 2026 12:22
@renovate-sh-app renovate-sh-app Bot changed the title Update dependency markdown-it to v14.1.1 [SECURITY] - autoclosed chore(deps): update dependency markdown-it to v14.1.1 [security] Apr 20, 2026
@renovate-sh-app renovate-sh-app Bot reopened this Apr 20, 2026
@renovate-sh-app renovate-sh-app Bot force-pushed the renovate/npm-markdown-it-vulnerability branch 2 times, most recently from efbdc07 to 8550b76 Compare April 20, 2026 13:52
@renovate-sh-app renovate-sh-app Bot force-pushed the renovate/npm-markdown-it-vulnerability branch from 8550b76 to a6c59ff Compare April 23, 2026 13:29
@renovate-sh-app
chore(deps): update dependency markdown-it to v14.1.1 [security]
b60cb8c 
| datasource | package     | from   | to     |
| ---------- | ----------- | ------ | ------ |
| npm        | markdown-it | 14.1.0 | 14.1.1 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app Bot force-pushed the renovate/npm-markdown-it-vulnerability branch from a6c59ff to b60cb8c Compare April 24, 2026 16:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ifrost ifrost Awaiting requested review from ifrost ifrost is a code owner automatically assigned from grafana/dashboards-squad

@mdvictor mdvictor Awaiting requested review from mdvictor mdvictor is a code owner automatically assigned from grafana/dashboards-squad

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

automerge-security-update severity:MEDIUM update-patch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants