[Security] Bump prismjs from 1.19.0 to 1.23.0

[dependabot-preview]

Bumps prismjs from 1.19.0 to 1.23.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Denial of service in prismjs The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

Affected versions: < 1.23.0

Sourced from The GitHub Security Advisory Database.

Cross-Site Scripting in Prism

Impact

The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer.

This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the Previewers plugin (>=v1.10.0) or the Previewer: Easing plugin (v1.1.0 to v1.9.0).

Patches

This problem is patched in v1.21.0.

Workarounds

To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

References

The vulnerability was introduced by this commit on Sep 29, 2015 and fixed by Masato Kinugawa (mui#2506).

For more information

If you have any questions or comments about this advisory, please open an issue.

Affected versions: >= 1.1.0 < 1.21.0

Release notes

Sourced from prismjs's releases.

v1.23.0

New components

• Apex (#2622) f0e2b70e
• DataWeave (#2659) 0803525b
• PromQL (#2628) 8831c706

Updated components

• Fixed multiple vulnerable regexes (#2584) c2f6a644
• Apache Configuration
  • Update directive-flag to match = (#2612) 00bf00e3
• C-like
  • Made all comments greedy (#2680) 0a3932fe
• C
  • Better class name and macro name detection (#2585) 129faf5c
• Content-Security-Policy
  • Added missing directives and keywords (#2664) f1541342
  • Do not highlight directive names with adjacent hyphens (#2662) a7ccc16d
• CSS
  • Better HTML style attribute tokenization (#2569) b04cbafe
• Java
  • Improved package and class name detection (#2599) 0889bc7c
  • Added Java 15 keywords (#2567) 73f81c89
• Java stack trace
  • Added support stack frame element class loaders and modules (#2658) 0bb4f096
• Julia
  • Removed constants that are not exported by default (#2601) 093c8175
• Kotlin
  • Added support for backticks in function names (#2489) a5107d5c
• Latte
  • Fixed exponential backtracking (#2682) 89f1e182
• Markdown
  • Improved URL tokenization (#2678) 2af3e2c2
  • Added support for YAML front matter (#2634) 5cf9cfbc
• PHP
  • Added support for PHP 7.4 + other major improvements (#2566) 38808e64
  • Added support for PHP 8.0 features (#2591) df922d90
  • Removed C-like dependency (#2619) 89ebb0b7
  • Fixed exponential backtracking (#2684) 37b9c9a1
• Sass (Scss)
  • Added support for Sass modules (#2643) deb238a6
• Scheme
  • Fixed number pattern (#2648) e01ecd00
  • Fixed function and function-like false positives (#2611) 7951ca24
• Shell session
  • Fixed false positives because of links in command output (#2649) 8e76a978
• TSX
  • Temporary fix for the collisions of JSX tags and TS generics (#2596) 25bdb494

... (truncated)

Changelog

Sourced from prismjs's changelog.

1.23.0 (2020-12-31)

New components

• Apex (#2622) f0e2b70e
• DataWeave (#2659) 0803525b
• PromQL (#2628) 8831c706

Updated components

• Fixed multiple vulnerable regexes (#2584) c2f6a644
• Apache Configuration
  • Update directive-flag to match = (#2612) 00bf00e3
• C-like
  • Made all comments greedy (#2680) 0a3932fe
• C
  • Better class name and macro name detection (#2585) 129faf5c
• Content-Security-Policy
  • Added missing directives and keywords (#2664) f1541342
  • Do not highlight directive names with adjacent hyphens (#2662) a7ccc16d
• CSS
  • Better HTML style attribute tokenization (#2569) b04cbafe
• Java
  • Improved package and class name detection (#2599) 0889bc7c
  • Added Java 15 keywords (#2567) 73f81c89
• Java stack trace
  • Added support stack frame element class loaders and modules (#2658) 0bb4f096
• Julia
  • Removed constants that are not exported by default (#2601) 093c8175
• Kotlin
  • Added support for backticks in function names (#2489) a5107d5c
• Latte
  • Fixed exponential backtracking (#2682) 89f1e182
• Markdown
  • Improved URL tokenization (#2678) 2af3e2c2
  • Added support for YAML front matter (#2634) 5cf9cfbc
• PHP
  • Added support for PHP 7.4 + other major improvements (#2566) 38808e64
  • Added support for PHP 8.0 features (#2591) df922d90
  • Removed C-like dependency (#2619) 89ebb0b7
  • Fixed exponential backtracking (#2684) 37b9c9a1
• Sass (Scss)
  • Added support for Sass modules (#2643) deb238a6
• Scheme
  • Fixed number pattern (#2648) e01ecd00
  • Fixed function and function-like false positives (#2611) 7951ca24
• Shell session
  • Fixed false positives because of links in command output (#2649) 8e76a978
• TSX
  • Temporary fix for the collisions of JSX tags and TS generics (#2596) 25bdb494

... (truncated)

Commits

• 88a17b4 1.23.0
• 5dc7b42 Changelog v1.23.0 (#2681)
• 37b9c9a PHP: Fixed exponential backtracking (#2684)
• 89f1e18 Latte: Fixed exponential backtracking (#2682)
• 0a3932f C-like: Made all comments greedy (#2680)
• cdb24ab Line Highlight: Fixed print background color (#2668)
• e644178 Added test for polynomial backtracking (#2597)
• b40f8f4 Line highlight: Fixed top offset in combination with Line numbers (#2237)
• 2af3e2c Markdown: Improved URL tokenization (#2678)
• df0738e Test page: Don't trigger ad-blockers with class (#2677)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in the .dependabot/config.yml file in this repo:

• Update frequency
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

The following labels could not be found: dependencies, worktree.

[dependabot-preview]

Superseded by #56.