Skip to content

Update mdast-util-to-hast version to 13.2.1#935

Closed
arnlaugsson wants to merge 1 commit intoremarkjs:mainfrom
arnlaugsson:patch-1
Closed

Update mdast-util-to-hast version to 13.2.1#935
arnlaugsson wants to merge 1 commit intoremarkjs:mainfrom
arnlaugsson:patch-1

Conversation

@arnlaugsson
Copy link

@arnlaugsson arnlaugsson commented Dec 8, 2025

Initial checklist

  • I read the support docs
  • I read the contributing guide
  • I agree to follow the code of conduct
  • I searched issues and discussions and couldn’t find anything or linked relevant results below
  • I made sure the docs are up to date
  • I included tests (or that’s not needed)

Description of changes

Addressing a Medium vulnerability CVE-2025-66400: mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user-supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.

@arnlaugsson
Update mdast-util-to-hast version to 13.2.1
df906fe 
CVE-2025-66400: mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user-supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.

Medium Vulnerability.

Signed-off-by: Skúli Arnlaugsson <arnlaugsson@users.noreply.github.com>
@github-actions github-actions bot added 👋 phase/new Post is being triaged automatically 🤞 phase/open Post is being triaged manually and removed 👋 phase/new Post is being triaged automatically labels Dec 8, 2025
@codecov
Copy link

codecov bot commented Dec 8, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (fda7fa5) to head (df906fe).

Additional details and impacted files 
@@            Coverage Diff            @@
##              main      #935   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            3         3           
  Lines         1743      1743           
  Branches       123       123           
=========================================
  Hits          1743      1743

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@Murderlon
Copy link
Member

Murderlon commented Dec 8, 2025

See: #933 (comment)

@Murderlon Murderlon added 🤷 no/invalid This cannot be acted upon 👎 phase/no Post cannot or will not be acted on and removed 🤞 phase/open Post is being triaged manually labels Dec 8, 2025
@github-actions github-actions bot closed this Dec 8, 2025
@github-actions
Copy link

github-actions bot commented Dec 8, 2025

Hi! This was closed. Team: If this was merged, please describe when this is likely to be released. Otherwise, please add one of the no/* labels.

@AbhaysinghBhosale
Copy link

AbhaysinghBhosale commented Jan 5, 2026

When we are planning to add this fix? It will be new version of react-markdown?

@ChristianMurphy
Copy link
Member

ChristianMurphy commented Jan 5, 2026

It is already fixed

Changing ^13.0.0 to ^13.2.1 isn’t an update. It just narrows the version range. ^13.2.1 is the uppormost subset of ^13.0.0, so your package manager should resolve to the same version in both cases. No changes are needed.

If you don't see the update yet, clear you lock file and reinstall.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

🤷 no/invalid This cannot be acted upon 👎 phase/no Post cannot or will not be acted on

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@arnlaugsson @Murderlon @AbhaysinghBhosale @ChristianMurphy