Skip to content

Patch linkify-it ReDoS (SNYK-JS-LINKIFYIT-17817062)#1043

Open
juliasilge wants to merge 1 commit into
mainfrom
fix/linkify-it-redos
Open

Patch linkify-it ReDoS (SNYK-JS-LINKIFYIT-17817062)#1043
juliasilge wants to merge 1 commit into
mainfrom
fix/linkify-it-redos

Conversation

@juliasilge

@juliasilge juliasilge commented Jul 5, 2026

Copy link
Copy Markdown
Collaborator

Force the transitive linkify-it dependency to the patched 5.0.2 via a root resolutions entry, closing the ReDoS advisory (CVE-2026-48801) across all dependency paths (markdown-it in core, quarto-core, editor-codemirror, vscode, and vscode-markdownit, plus the markdown-it bundled in the vsce packaging tool).

This supersedes the Snyk PRs (#1038, #1039, #1040, #1041, #1042), each of which proposed a major-version bump of markdown-it (12/13 to 14) to shift a single path off the vulnerable package. Unlike brace-expansion, linkify-it has no patched 3.x or 4.x release, so the fix requires linkify-it 5; the resolutions override reaches every path at once with no markdown-it 14 migration (no @types bump, no .mjs deep-import rewrites) and no behavior change, since linkify-it's public API is unchanged across v3 to v5.

@posit-snyk-bot

posit-snyk-bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@juliasilge juliasilge requested a review from cscheid July 5, 2026 23:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants