chore(deps): update dependency prismjs to 1.27.0 [security]

[renovate]

This PR contains the following updates:

Package	Change
prismjs	1.23.0 -> 1.27.0

GitHub Vulnerability Alerts

CVE-2021-32723

Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS).

Impact

When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to highlight untrusted text.

• ASCIIDoc
• ERB

Other languages are not affected and can be used to highlight untrusted text.

Patches

This problem has been fixed in Prism v1.24.

References

• PrismJS/prism#​2774
• PrismJS/prism#​2688

CVE-2021-3801

Prism is a syntax highlighting library. The prismjs package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide a crafted HTML comment as input may cause an application to consume an excessive amount of CPU.

CVE-2022-23647

Impact

Prism's Command line plugin can be used by attackers to achieve an XSS attack. The Command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code.

Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted.

Patches

This bug has been fixed in v1.27.0.

Workarounds

Do not use the Command line plugin on untrusted inputs, or sanitized all code blocks (remove all HTML code text) from all code blocks that use the Command line plugin.

References

• https://github.com/PrismJS/prism/pull/3341

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[codecov]

Codecov Report

Merging #573 (1a5db2a) into master (b27ba01) will not change coverage.
The diff coverage is n/a.

❗ Current head 1a5db2a differs from pull request most recent head c25287d. Consider uploading reports for the commit c25287d to get more accurate results

@@           Coverage Diff           @@
##           master     #573   +/-   ##
=======================================
  Coverage   84.55%   84.55%           
=======================================
  Files          11       11           
  Lines         259      259           
  Branches       48       48           
=======================================
  Hits          219      219           
  Misses          6        6           
  Partials       34       34           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b27ba01...c25287d. Read the comment docs.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.