rparini / cxroots-app / 8428355137 / 1
75%
master: 75%

Build:
DEFAULT BRANCH: master
Ran 25 Mar 2024 11:27PM UTC
Files 4
Run time 0s
25 Mar 2024 11:26PM UTC coverage: 58.889%. Remained the same
8428355137.1

push

github

web-flow
Update dependency katex to v0.16.10 [SECURITY] (#201)

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [katex](https://katex.org) ([source](https://togithub.com/KaTeX/KaTeX)) | [`0.16.9` -> `0.16.10`](https://renovatebot.com/diffs/npm/katex/0.16.9/0.16.10) | [![age](https://developer.mend.io/api/mc/badges/age/npm/katex/0.16.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/katex/0.16.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/katex/0.16.9/0.16.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/katex/0.16.9/0.16.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-28244](https://togithub.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc)

### Impact
KaTeX users who render untrusted mathematical expressions could
encounter malicious input using `\def` or `\newcommand` that causes a
near-infinite loop, despite setting `maxExpand` to avoid such loops.
This can be used as an availability attack, where e.g. a client
rendering another user's KaTeX input will be unable to use the site due
to memory overflow, tying up the main thread, or stack overflow.

### Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.

### Workarounds
Forbid inputs containing any of the characters
`₊₋₌₍₎₀₁₂₃₄₅₆₇₈₉ₐₑₕᵢⱼₖₗₘₙₒₚᵣₛₜᵤᵥₓᵦᵧᵨᵩᵪ⁺⁻⁼⁽⁾⁰¹²³⁴⁵⁶⁷⁸⁹ᵃᵇᶜᵈᵉᵍʰⁱʲᵏˡᵐⁿᵒᵖʳˢᵗᵘʷˣʸᶻᵛᵝᵞᵟᵠᵡ`
before passing them to KaTeX.
(There is no easy workaround for the auto-render extension.)

### Details
KaTeX supports an option named `maxExpand` which aims to prevent
infinitely recursive macros from consumi... (continued)

16 of 23 branches covered (69.57%)

Branch coverage included in aggregate %.

37 of 67 relevant lines covered (55.22%)

0.88 hits per line

  • 0a8c5118 on github