Skip to content

[WC-3504]: fix(markdown-web): bump markdown-it to 14.3.0 to fix linkify-it#2334

Merged
r0b1n merged 1 commit into
mainfrom
fix/markdown-web-linkify-it-cve
Jul 16, 2026
Merged

[WC-3504]: fix(markdown-web): bump markdown-it to 14.3.0 to fix linkify-it#2334
r0b1n merged 1 commit into
mainfrom
fix/markdown-web-linkify-it-cve

Conversation

@r0b1n

@r0b1n r0b1n commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Bumped markdown-it from ^14.1.1 to ^14.3.0 in packages/pluggableWidgets/markdown-web
  • This pulls in linkify-it@5.0.2, fixing CVE-2026-59887 (CVSS 8.7 — Inefficient Algorithmic Complexity, CWE-407)
  • Added changelog entry under ### Security in CHANGELOG.md

Test plan

  • Lockfile resolves linkify-it@5.0.2 or higher
  • Markdown widget builds and renders correctly
  • Unit tests pass

@r0b1n
r0b1n requested a review from a team as a code owner July 16, 2026 14:02
@github-actions

Copy link
Copy Markdown
Contributor

AI Code Review

⚠️ Approved with suggestions — low-severity items only, safe to merge


What was reviewed

File Change
packages/pluggableWidgets/markdown-web/CHANGELOG.md Added ### Security entry under [Unreleased]
packages/pluggableWidgets/markdown-web/package.json Bumped markdown-it from ^14.1.1^14.3.0; bumped @types/markdown-it from ^14.1.1^14.1.2
pnpm-lock.yaml Lockfile resolves markdown-it@14.3.0 and linkify-it@5.0.2

Skipped (out of scope): pnpm-lock.yaml content beyond confirming resolution

CI checks could not be fetched automatically — verify all checks pass before merging.


Findings

⚠️ Low — CHANGELOG entry is implementation-detail prose

File: packages/pluggableWidgets/markdown-web/CHANGELOG.md line 11
Note: The entry reads "Updated markdown-it library to version 14.3.0 to incorporate latest security fixes." Per the repo convention ("Changelogs for users: include only widget behavior, not implementation details"), mention the user-visible security impact instead of the library name and version. For example:

- Fixed a potential ReDoS vulnerability (CVE-2026-59887) in link detection.

Positives

  • Correct ### Security changelog section used — matches Keep a Changelog convention and makes security fixes easy to audit.
  • Lockfile confirms linkify-it resolves to 5.0.2, directly addressing the CVE — the fix is verifiable without trusting just the semver range.
  • Scope is minimal and surgical: only the affected dependency and its types were touched; no unrelated changes crept in.
  • @types/markdown-it bumped in sync with the runtime package — avoids type/implementation drift.

@r0b1n r0b1n changed the title fix(markdown-web): bump markdown-it to 14.3.0 to fix linkify-it CVE-2026-59887 [WC-3504]: fix(markdown-web): bump markdown-it to 14.3.0 to fix linkify-it Jul 16, 2026
@r0b1n
r0b1n merged commit 9108958 into main Jul 16, 2026
14 of 15 checks passed
@r0b1n
r0b1n deleted the fix/markdown-web-linkify-it-cve branch July 16, 2026 19:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants