
chore(deps): update dependency katex to v0.16.21 [security] #227


Open
wants to merge 1 commit into base: main

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jan 19, 2025

This PR contains the following updates:

Package | Change
---|---
katex (source) | 0.16.11 -> 0.16.21

GitHub Vulnerability Alerts

CVE-2025-23207

Impact

KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML.

Patches

Upgrade to KaTeX v0.16.21 to remove this vulnerability.

Workarounds

  • Avoid use of or turn off the trust option, or set it to forbid \htmlData commands.
  • Forbid inputs containing the substring "\\htmlData".
  • Sanitize HTML output from KaTeX.

Details

\htmlData did not validate its attribute name argument, allowing it to generate invalid or malicious HTML that runs scripts.

For more information

If you have any questions or comments about this advisory:


Release Notes

KaTeX/KaTeX (katex)

v0.16.21

Bug Fixes
  • escape \htmlData attribute name (57914ad)

v0.16.20

Bug Fixes

v0.16.19

Bug Fixes

v0.16.18

Bug Fixes

v0.16.17

Bug Fixes
  • MathML combines multidigit numbers with sup/subscript, comma separators, and multicharacter text when outputting to DOM (#3999) (7d79e22), closes #3995

v0.16.16

Features

v0.16.15

Features
  • italic sans-serif in math mode via \mathsfit command (#3998) (2218901)

v0.16.14

Features

v0.16.13

Bug Fixes

v0.16.12

Features

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
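The advisory's workarounds above (forbid \htmlData through the trust option, reject inputs that mention it, and validate the data attribute names that end up in the output) as an added JavaScript example. This is not code from this PR, the advisory, or KaTeX itself. It assumes only the documented shape of the KaTeX `trust` callback, which receives a context object whose `command` field holds the command name (for example "\\htmlData" or "\\href"); the helper names and the `buildDataAttributes` routine are this example's own illustration of the kind of check the v0.16.21 fix adds, not KaTeX's implementation.

```javascript
// Added example (not KaTeX's own code): defensive settings for rendering
// untrusted math with katex.renderToString, following the advisory's workarounds.
// Assumption: the `trust` callback receives a context object with a `command`
// field such as "\\htmlData" or "\\href".

// Workaround 1: a trust callback with a small allow-list. \htmlData is denied
// outright, and any command not on the list is denied as well.
const ALLOWED_TRUST_COMMANDS = new Set(["\\href", "\\url"]);

function trustPolicy(context) {
  if (context.command === "\\htmlData") return false;
  return ALLOWED_TRUST_COMMANDS.has(context.command);
}

// Workaround 2: reject inputs mentioning \htmlData before they reach the renderer.
function containsHtmlData(source) {
  return source.includes("\\htmlData");
}

// Workaround 3 (output side): a strict attribute-name check for data-* attributes.
// A name is acceptable only if it is non-empty and made of ASCII letters, digits
// and hyphens, so it can never terminate the attribute, close the tag, or smuggle
// in a second attribute such as an event handler.
const DATA_ATTR_NAME = /^[A-Za-z0-9-]+$/;

function isSafeDataAttributeName(name) {
  return DATA_ATTR_NAME.test(name);
}

// HTML-escape an attribute value so it cannot break out of its quotes.
function escapeAttributeValue(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hypothetical helper (this example's own, not katex's): build data-* attributes
// from a name->value map, refusing unsafe names and escaping every value.
function buildDataAttributes(pairs) {
  const out = [];
  for (const [name, value] of Object.entries(pairs)) {
    if (!isSafeDataAttributeName(name)) {
      throw new Error(`refusing unsafe data attribute name: ${JSON.stringify(name)}`);
    }
    out.push(`data-${name}="${escapeAttributeValue(value)}"`);
  }
  return out.join(" ");
}

// Usage with KaTeX (the katex package is not bundled in this example):
//   if (containsHtmlData(src)) throw new Error("\\htmlData is not accepted");
//   const html = katex.renderToString(src, { trust: trustPolicy, throwOnError: false });
```

Denying by default in `trustPolicy` matters more than the explicit \htmlData branch: the advisory's attack surface is every trust-gated command, so an allow-list fails closed when a future version adds a command the policy has never heard of. The attribute-name check is the output-side backstop for callers who sanitize KaTeX's HTML themselves rather than relying on the library to escape names.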

@renovate renovate bot enabled auto-merge (squash) January 19, 2025 09:53

sourcery-ai bot commented Jan 19, 2025

Reviewer's Guide by Sourcery

This PR updates the katex dependency from version 0.16.11 to 0.16.21 to address a security vulnerability. The vulnerability allows malicious input using \htmlData to run arbitrary JavaScript or generate invalid HTML. This update includes bug fixes and new features as well.

Sequence diagram showing KaTeX vulnerability with \htmlData command

```mermaid
sequenceDiagram
    actor User
    participant App
    participant KaTeX
    participant HTML

    Note over User,HTML: Before patch (v0.16.11)
    User->>App: Input math with malicious \htmlData
    App->>KaTeX: renderToString(input, {trust: true})
    KaTeX->>HTML: Generate HTML without validation
    HTML-->>User: Executes malicious JavaScript

    Note over User,HTML: After patch (v0.16.21)
    User->>App: Input math with malicious \htmlData
    App->>KaTeX: renderToString(input, {trust: true})
    KaTeX->>KaTeX: Validate attribute name
    KaTeX->>HTML: Generate safe HTML
    HTML-->>User: Renders math safely
```

Flow diagram of KaTeX security fix

```mermaid
flowchart TD
    A[Math Input] --> B{Contains \htmlData?}
    B -->|Yes| C{v0.16.21+?}
    B -->|No| D[Process Normally]
    C -->|Yes| E[Validate Attribute Name]
    C -->|No| F[Potential XSS Risk]
    E --> G[Generate Safe HTML]
    F --> H[Vulnerable to XSS]
    G --> I[Safe Output]
    H --> J[Unsafe Output]
    D --> I
```

File-Level Changes

Change: Updated the katex dependency to address a security vulnerability.
Details: Updated katex from 0.16.11 to 0.16.21.
Files: pnpm-lock.yaml


@sourcery-ai sourcery-ai bot left a comment

We have skipped reviewing this pull request. It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!

Contributor

github-actions bot commented Jan 19, 2025

🦙 MegaLinter status: ❌ ERROR

Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time
---|---|---|---|---|---|---
❌ COPYPASTE | jscpd | yes | - | 1 | no | 1.88s
❌ CSS | stylelint | 3 | 1 | 1 | 0 | 1.73s
✅ JSON | jsonlint | 4 | - | 0 | 0 | 0.19s
✅ JSON | npm-package-json-lint | yes | - | no | no | 0.39s
✅ JSON | prettier | 4 | 0 | 0 | 0 | 0.28s
✅ JSON | v8r | 4 | - | 0 | 0 | 9.28s
⚠️ MARKDOWN | markdownlint | 128 | 32 | 240 | 0 | 3.41s
❌ MARKDOWN | markdown-link-check | 128 | - | 47 | 0 | 98.75s
✅ MARKDOWN | markdown-table-formatter | 128 | 47 | 0 | 0 | 0.29s
⚠️ PYTHON | pyright | 1 | - | 2 | 0 | 1.82s
✅ PYTHON | ruff | 1 | 0 | 0 | 0 | 0.08s
❌ REPOSITORY | checkov | yes | - | 2 | no | 13.44s
❌ REPOSITORY | devskim | yes | - | 4 | no | 1.24s
✅ REPOSITORY | dustilock | yes | - | no | no | 0.33s
✅ REPOSITORY | gitleaks | yes | - | no | no | 0.1s
❌ REPOSITORY | git_diff | yes | - | 1 | no | 0.02s
❌ REPOSITORY | grype | yes | - | 15 | no | 22.5s
❌ REPOSITORY | kics | yes | - | 6 | no | 1.27s
✅ REPOSITORY | secretlint | yes | - | no | no | 1.18s
✅ REPOSITORY | syft | yes | - | no | no | 1.2s
✅ REPOSITORY | trivy | yes | - | no | no | 5.53s
✅ REPOSITORY | trivy-sbom | yes | - | no | no | 0.1s
✅ REPOSITORY | trufflehog | yes | - | no | no | 3.4s
⚠️ SPELL | cspell | 153 | - | 16 | 0 | 4.78s
❌ SPELL | lychee | 137 | - | 39 | 0 | 47.66s
✅ TYPESCRIPT | ts-standard | 7 | 0 | 0 | 0 | 3.15s
✅ YAML | prettier | 5 | 0 | 0 | 0 | 0.74s
✅ YAML | v8r | 5 | - | 0 | 0 | 2.81s
✅ YAML | yamllint | 5 | - | 0 | 0 | 1.94s

See detailed report in MegaLinter reports

@renovate renovate bot force-pushed the renovate/npm-katex-vulnerability branch from 2a4dd98 to ca4d3bf Compare April 24, 2025 10:29
@renovate renovate bot force-pushed the renovate/npm-katex-vulnerability branch from ca4d3bf to 10f045e Compare May 19, 2025 21:00
@renovate renovate bot force-pushed the renovate/npm-katex-vulnerability branch from 10f045e to f12dd6c Compare May 28, 2025 13:08
@renovate renovate bot force-pushed the renovate/npm-katex-vulnerability branch from f12dd6c to b5e182f Compare June 6, 2025 04:39
@liblaf-bot liblaf-bot bot added the automerge Merge the pull request once unit tests and other checks pass. label Aug 10, 2025
Labels
automerge Merge the pull request once unit tests and other checks pass. lang: yaml size: s