chore(monorepo): update pnpm-workspace.overrides markdown-it to >=14.1.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
markdown-it	>=14.1.0 → >=14.1.1

---

markdown-it is has a Regular Expression Denial of Service (ReDoS)

CVE-2026-2327 / GHSA-38c4-r59v-3vqw

More information

Details

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.

Severity

• CVSS Score: 5.5 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-2327
• https://github.com/markdown-it/markdown-it/commit/4b4bbcae5e0990a5b172378e507b33a59012ed26
• https://gist.github.com/ltduc147/c9abecae1b291ede4f692f2ab988c917
• https://security.snyk.io/vuln/SNYK-JS-MARKDOWNIT-10666750
• https://github.com/markdown-it/markdown-it/blob/14.1.0/lib/rules_inline/linkify.mjs#L33
• https://github.com/advisories/GHSA-38c4-r59v-3vqw

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

markdown-it/markdown-it (markdown-it)

v14.1.1

Compare Source

Security

• Fixed regression from v13 in linkify inline rule. Specific patterns could
  cause high CPU use. Thanks to @​ltduc147 for report.

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

[deepsource-io]

DeepSource Code Review

We reviewed changes in 242a5a8...2251ab9 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
JavaScript		Jun 2, 2026 1:57a.m.	Review ↗
Shell		Jun 2, 2026 1:57a.m.	Review ↗

---

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​nx/​esbuild@​21.5.3
	@​opentelemetry/​otlp-grpc-exporter-base@​0.200.0
	@​opentelemetry/​exporter-logs-otlp-http@​0.200.0
	@​nx/​jest@​21.5.3
	@​nx/​js@​21.5.3
	@​nx/​eslint-plugin@​21.5.3
	@​opentelemetry/​api-logs@​0.200.0
	@​nx/​workspace@​21.5.3
	@​opentelemetry/​otlp-exporter-base@​0.200.0
	@​rollup/​plugin-alias@​5.1.1
	@​rollup/​plugin-node-resolve@​16.0.1
	@​opentelemetry/​resources@​2.0.1
	@​opentelemetry/​semantic-conventions@​1.36.0
	@​nx/​devkit@​21.5.3
	@​nx/​react@​21.5.3
	@​nx/​plugin@​21.5.3
	@​rollup/​plugin-commonjs@​28.0.6
	@​nuxt/​schema@​4.1.2
	@​nuxt/​kit@​4.1.2
	@​opentelemetry/​sdk-logs@​0.200.0

View full report