Update dependency pygments to v2.15.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pygments (changelog)	==2.4.0 -> ==2.15.0

GitHub Vulnerability Alerts

CVE-2021-27291

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

CVE-2021-20270

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

CVE-2022-40896

A ReDoS issue was discovered in pygments/lexers/smithy.py in Pygments until 2.15.0 via SmithyLexer.

---

Release Notes

pygments/pygments (pygments)

v2.15.0

Compare Source

(released April 10th, 2023)

• Added lexers:

  • Carbon (#​2362, #​2365, #​2366, #​2367, #​2368, #​2369, #​2370)
  • Dax (#​2335, #​2345)
  • MediaWiki Wikitext (#​2373, #​827)
  • PostgreSQL Explain (#​2398)
  • WGSL (WebGPU Shading Language) (#​2386)
  • X++ (#​2339)

• Updated lexers:

  • AMDGPU: Add support for scratch_ instructions, the attr*.* argument,
    as well as the off modifier (#​2327).

  • APDL: Miscellaneous improvements (#​2314)

  • bash/tcsh:

    • Move break to keywords (#​2377)
    • Improve bash math expansion lexing (#​2255, #​2353)

  • Chapel: Support attributes (#​2376)

  • CMake: Implement bracket style comments (#​2338, #​2354)

  • CSS: Improve lexing of numbers inside function calls (#​2382, #​2383)

  • diff: Support normal diff syntax, as opposed to unified diff syntax (#​2321)

  • GLSL, HLSL:

    • Support line continuations in preprocessor code (#​2350)
    • Improve preprocessor directive handling (#​2357)

  • LilyPond: minor update of builtins

  • PHP: support attributes (#​2055, #​2347, #​2360), fix anonymous classes without
    parameters (#​2359), improve lexing of variable variable syntax (#​2358)

  • Python:

    • Add missing builtins (#​2334)
    • Fix inconsistent lexing of None (#​2406)

  • Rebol/Red: Don't require script headers (#​2348, #​2349)

  • Spice: Update keywords (#​2336)

  • SQL+Jinja (analyse_text method): Fix catastrophic backtracking (#​2355)

  • Terraform: Add hcl alias (#​2375)

• Declare support for Python 3.11 and drop support for Python 3.6 (#​2324).

• Update native style to improve contrast (#​2325).

• Update `github-dark`` style to match latest Primer style (#​2401)

• Revert a change that made guessing lexers based on file names slower
  on Python 3.10 and older (#​2328).

• Fix some places where a locale-dependent encoding could unintentionally
  be used instead of UTF-8 (#​2326).

• Fix Python traceback handling (#​2226, #​2329).

• Groff formatter: sort color definitions for reproducibility (#​2343)

• Move project metadata to pyproject.toml, remove setup.py
  and setup.cfg (#​2342)

• The top-level Makefile has been removed. Instead, all shortcuts
  for developing are now defined and run through tox. The doc folder
  still contains a Makefile as an alternative to tox -e doc.

v2.14.0

Compare Source

(released January 1st, 2023)

• Added lexers:

  • Arturo (#​2259)
  • GAP session (#​2211)
  • Fift (#​2249)
  • func (#​2232)
  • Jsonnet (#​2239)
  • Minecraft schema (#​2276)
  • MIPS (#​2228)
  • Phix (#​2222)
  • Portugol (#​2300)
  • TL-b (#​2247)
  • World of Warcraft TOC format (#​2244, #​2245)
  • Wren (#​2271)

• Updated lexers:

  • Abap: Update keywords (#​2281)

  • Alloy: Update for Alloy 6 (#​1963)

  • C family (C, C++ and many others):

    • Fix an issue where a chunk would be wrongly recognized as a function
      definition due to braces in comments (#​2210)
    • Improve parantheses handling for function definitions (#​2207, #​2208)

  • C#: Fix number and operator recognition (#​2256, #​2257)

  • CSound: Updated builtins (#​2268)

  • F#: Add .fsx file extension (#​2282)

  • gas (GNU assembler): recognize braces as punctuation (#​2230)

  • HTTP: Add CONNECT keyword (#​2242)

  • Inform 6: Fix lexing of properties and doubles (#​2214)

  • INI: Allow comments that are not their own line (#​2217, #​2161)

  • Java properties: Fix issue with whitespace-delimited keys, support
    comments starting with ! and escapes, no longer support undocumented
    ; and // comments (#​2241)

  • LilyPond: Improve heuristics, add \maxima duration (#​2283)

  • LLVM: Add opaque pointer type (#​2269)

  • Macaulay2: Update keywords (#​2305)

  • Minecraft-related lexers (SNB and Minecraft function) moved to
    pygments.lexers.minecraft (#​2276)

  • Nim: General improvements (#​1970)

  • Nix: Fix single quotes inside indented strings (#​2289)

  • Objective J: Fix catastrophic backtracking (#​2225)

  • NASM: Add support for SSE/AVX/AVX-512 registers as well as 'rel'
    and 'abs' address operators (#​2212)

  • Powershell:

    • Add local: keyword (#​2254)
    • Allow continuations without markers (#​2262, #​2263)

  • Solidity: Add boolean operators (#​2292)

  • Spice: Add enum keyword and fix a bug regarding binary,
    hexadecimal and octal number tokens (#​2227)

  • YAML: Accept colons in key names (#​2277)

• Fix make mapfiles when Pygments is not installed in editable mode
  (#​2223)

• Support more filetypes and compression types in autopygmentize (#​2219)

• Merge consecutive tokens in Autohotkey, Clay (#​2248)

• Add .nasm as a recognized file type for NASM (#​2280)

• Add *Spec.hs as a recognized file type for HSpec (#​2308)

• Add *.pyi (for typing stub files) as a recognized file type for
  Python (#​2231)

• The HTML lexer no longer emits empty spans for whitespace (#​2304)

• Fix IRCFormatter inserting linenumbers incorrectly (#​2270)

v2.13.0

Compare Source

(released August 15th, 2022)

• Added lexers:

  • COMAL-80 (#​2180)
  • JMESPath (#​2174, #​2175, #​2179, #​2182)
  • Sql+Jinja (#​2148)

• Updated lexers:

  • Ada: support Ada 2022 (#​2121); disable recognition of namespaces
    because it disturbs lexing of aspects (#​2125)
  • Agda: allow straight quotes in module names (#​2163)
  • C family (C, C++ and many others): allow comments between
    elements of function headers, e.g. between the arguments and
    the opening brace for the body (#​1891)
  • C++: Resolve several cases of Error tokens (#​2207, #​2208)
  • Coq: Add some common keywords, improve recognition of Set
    and qualified identifiers (#​2158)
  • F*: Allow C-style comments anywhere in a line
  • Fortran: Fix catastrophic backtracking with backslashes in strings
    (#​2194)
  • Go: add support for generics (#​2167)
  • Inform: Update for version 6.40 (#​2190)
  • Isabelle: recognize cartouches (#​2089)
  • Java: support multiline strings aka. text blocks (#​2132)
  • Kotlin: Add value modifier (#​2142)
  • LilyPond: Add some missing builtins
  • Macaulay2: Update builtins (#​2139)
  • Matlab session: fix traceback when a line continuation ellipsis
    appears in the output (#​2166)
  • .NET: Add aliases for LibreOffice Basic, OpenOfficeBasic and
    StarOffice Basic (#​2170)
  • Nim: Use Name.Builtin instead of Keyword.Type (#​2136)
  • PHP: fix \"$var\" inside strings (#​2105)
  • Python: only recognize \N, \u and \U escape sequences
    in string literals, but not in bytes literals where they are
    not supported (#​2204)
  • Tcl: support ${name} variables (#​2145)
  • Terraform: Accept leading whitespace for << heredoc
    delimiters (#​2162)
  • Teraterm: Various improvements (#​2165)
  • Spice: add support for the recently added features including more
    builtin functions and bin, oct, hex number formats (#​2206)

• Added styles:

  • GitHub dark (#​2192)
  • StarOffice (#​2168)
  • Nord (nord and nord-darker; #​2189, #​1799, #​1678)

• Pygments now tries to use the importlib.metadata module to
  discover plugins instead of the slower pkg_resources (#​2155). In
  particular, this largely speeds up the pygmentize script when
  the lexer is not specified.

  importlib.metadata is only available in the Python standard
  library since Python 3.8. For older versions, there exists an
  importlib_metadata backport on PyPI. For this reason, Pygments
  now defines a packaging extra plugins, which adds a requirement
  on importlib_metadata if the Python version is older than
  3.8. Thus, in order to install Pygments with optimal plugin
  support even for old Python versions, you should do::

  pip install pygments[plugins]

  Pygments still falls back on pkg_resources if neither
  importlib.metadata nor importlib_metadata is found, but it
  will be slower.

• Silently ignore BrokenPipeError in the command-line interface
  (#​2193).

• The HtmlFormatter now uses the linespans attribute for
  anchorlinenos if the lineanchors attribute is unset (#​2026).

• The highlight, lex and format functions no longer
  wrongly report "argument must be a lexer/formatter instance, not a
  class" in some cases where this is not the actual problem (#​2123).

• Fix warnings in doc build (#​2124).

• The codetagify filter now recognizes FIXME tags by default (#​2150).

• The pygmentize command now recognizes if the COLORTERM
  environment variable is set to a value indicating that true-color
  support is available. In that case, it uses the TerminalTrueColorFormatter
  by default (#​2160)

• Remove redundant caches for filename patterns (#​2153)

• Use new non-deprecated Pillow API for text bounding box in ImageFormatter
  (#​2198)

• Remove default_style (#​930, #​2183)

• Stop treating DeprecationWarnings as errors in the unit tests (#​2196)

v2.12.0

Compare Source

(released April 24th, 2022)

• Added lexers:

  • Berry (#​2070)
  • Cplint (#​2045)
  • Macaulay2 (#​1791)
  • MCFunction (#​2107)
  • Minecraft (#​2107)
  • Qlik (#​1925)
  • UnixConfigLexer for "colon-separated" config files, like /etc/passwd (#​2112)
  • Uxntal (#​2086)
  • K and Q (#​2073)

• Updated lexers:

  • Agda: Update keyword list (#​2017)

  • C family: Fix identifiers after case statements (#​2084)

  • Clojure: Highlight ratios (#​2042)

  • Csound: Update to 6.17 (#​2064)

  • CSS: Update the list of properties (#​2113)

  • Elpi:

    • Fix catastrophic backtracking (#​2053, #​2061)
    • Fix handling of -> (#​2028)

  • Futhark: Add missing tokens (#​2118)

  • Gherkin: Add But (#​2046)

  • Inform6: Update to 6.36 (#​2050)

  • Jinja2: add .xxx.j2 and .xxx.jinja2 to relevant lexers
    (for xxx = html, xml, etc.) (#​2103)

  • JSON: Support C comments in JSON (#​2049). Note: This doesn't mean the JSON parser now supports JSONC or JSON5 proper, just that it doesn't error out when seeing a /* */ or // style comment. If you need proper comment handling, consider using the JavaScript lexer.

  • LilyPond:

    • Fix incorrect lexing of names containing a built-in (#​2071)
    • Fix properties containing dashes (#​2099)

  • PHP: Update builtin function and keyword list (#​2054, #​2056)

  • Python: highlight EncodingWarning (#​2106)

  • Savi: fix highlighting for underscore/private identifiers,
    add string interpolation (#​2102); fix nested type name highlighting
    (#​2110)

  • Scheme: Various improvements (#​2060)

  • Spice: Update the keyword list, add new types (#​2063, #​2067)

  • Terraform:

    • Support non-idiomatic comments (#​2065, #​2066)
    • Fix class name lexing (#​2097)

• Add plugins argument to get_all_lexers().

• Bump minimal Python version to 3.6 (#​2059)

• Fix multiple lexers marking whitespace as Text (#​2025)

• Remove various redundant uses of re.UNICODE (#​2058)

• Associate .resource with the Robot framework (#​2047)

• Associate .cljc with Clojure (#​2043)

• Associate .tpp with C++ (#​2031)

• Remove traces of Python 2 from the documentation (#​2039)

• The native style was updated to meet the WCAG AAA contrast guidelines (#​2038)

• Fix various typos (#​2030)

• Fix Groff formatter not inheriting token styles correctly (#​2024)

• Various improvements to the CI (#​2036)

• The Ada lexer has been moved to a separate file (#​2117)

• When linenos=table is used, the <table> itself is now wrapped with a <div class="highlight"> tag instead of placing it inside the <td class="code"> cell (#​632.) With this change, the output matches the documented behavior.

.. note::

If you have subclassed HtmlFormatter.wrap, you may have to adjust the logic.

v2.11.2

Compare Source

(released January 6th, 2022)

• Updated lexers:

  • C-family: Fix incorrect handling of labels (#​2022, #​1996, #​1182)
  • Java: Fixed an issue with record keywords result in Error tokens in some cases (#​2016, #​2018)

• Fix links to line numbers not working correctly (#​2014)

• Remove underline from Whitespace style in the Tango theme (#​2020)

• Fix IRC and Terminal256 formatters not backtracking correctly for custom token types, resulting in some unstyled tokens (#​1986)

v2.11.1

Compare Source

(released December 31st, 2021)

• Updated lexers:

  • C-family: Handle return types with multiple tokens (e.g. unsigned int) (#​2008)
  • JSON: Fix a regression which caused whitespace before : to result in Error tokens (#​2010)
  • SPICE: Various improvements (#​2009)

v2.11.0

Compare Source

(released December 30th, 2021)

• Added lexers:

  • BDD (#​1803)
  • Elpi (#​1894)
  • LilyPond (#​1845, #​1968, #​1971, #​2001). This comes with a custom style as well.
  • Maxima (#​1885)
  • Rita (#​1541, #​2003)
  • Savi (#​1863)
  • Sed (#​1935)
  • Sophia contracts (#​1974)
  • Spice (#​1980)
  • .SRCINFO (#​1951)

• Updated lexers:

  • ABNF: Allow one-character rules (#​1804)

  • Assembly: Fix incorrect token endings (#​1895, #​1961)

  • Bibtex: Distinguish between comment and commentary (#​1899, #​1806)

  • C family: Support unicode identifiers (#​1848)

  • CDDL: Fix slow lexing speed (#​1959)

  • Debian control: Add missing fields (#​1946)

  • Devicetree: Recognize hexadecimal addresses for nodes (#​1949)

  • GDScript: Add void data type (#​1948)

  • GSQL

    • Fix comment handling (#​2002)
    • Fix catastrophic backtracking (#​2006)

  • HTML, XML: Improve comment handling (#​1896)

  • Java: Add yield (#​1941) and sealed classes/record (#​1902)

  • Makefiles (#​1860, #​1898)

  • objdump-nasm: Improve handling of --no-show-raw-insn dumps (#​1981)

  • Prolog: Support escaped \ inside quoted strings (#​1479)

  • Python:

    • Support ~ in tracebacks (#​2004)
    • Support the pattern matching keywords (#​1797, #​1994)

  • RobotFramework: Improve empty brace handling (#​1921, #​1922)

  • Terraform

    • Add the 'set' type (#​1909)
    • Support heredocs (#​1909)

• Added styles:

  • Dracula (#​1796)
  • Friendly Grayscale (#​1040, #​1273)
  • LilyPond (#​1845) -- to be used for the LilyPond language.
  • One-Dark (#​1924, #​1979)

.. note::

All of the new styles unfortunately do not conform to WCAG recommendations.

• There is new infrastructure in place to improve style accessibility. The default style has been updated to conform to WCAG recommendations. All styles are now checked for sufficient contrast by default to prevent regressions. (#​1919, #​1937, #​1938, #​1940)
• Clean up unused imports (#​1887)
• Fix multiple lexers producing repeated single-character tokens
• Fix multiple lexers marking whitespace as Text (#​1237, #​1905, #​1908, #​1914, #​1911, #​1923, #​1939, #​1957, #​1978)
• Remove duplicated assignments in the Paraiso style (#​1934)
• pygmentize supports JSON output for the various list functions now, making it easier to consume them from scripts. (#​1437, #​1890)
• Use the shell lexer for kshrc files (#​1947)
• Use the ruby lexer for Vagrantfile files (#​1936)
• Use the C lexer for .xbm and .xpm files (#​1802)
• Add a groff formatter (#​1873)
• Update documentation (#​1928)
• Line anchors now link to themselves (#​1973)
• Add official support for Python 3.10 (#​1917)
• Fix several missing colors in dark styles: Gruvbox dark, Monokai, Rrt, Sas, Strata dark (#​1955)
• Associate more file types with man pages
• The HtmlFormatter can now emit tooltips for each token to ease debugging of lexers (#​1822)
• Add f90 as an alias for fortran (#​2000)

v2.10.0

Compare Source

(released August 15th, 2021)

• Added lexers:

  • ASC armored files (#​1807)
  • GSQL (#​1809, #​1866)
  • Javascript REPL (#​1825)
  • procfile (#​1808)
  • Smithy (#​1878, #​1879)

• Updated lexers:

  • C-family: Fix preprocessor token issues (#​1830)

  • C# (#​1573, #​1869)

  • CSound (#​1837)

  • Fennel (#​1862)

  • JavaScript (#​1741, #​1814)

  • LLVM (#​1824)

  • Python (#​1852)

  • Rust

    • Fix lexing of "break" and "continue" (#​1843)
    • Improve attribute handling (#​1813)

  • Scala: Add support for the \ operator (#​1857)

  • Swift (#​1767, #​1842)

  • Tcl: Allow , and @ in strings (#​1834, #​1742)

  • TOML (#​1870, #​1872)

• Fix assert statements in TNT lexer.

• Token types across all lexers have been unified (using the most common token
  type name) (#​1816, #​1819)

• Improve Jasmin min score analysis (#​1619)

• Add new alias for Go files (#​1827)

• Fix multi-line console highlighting (#​1833)

• Add a new trivial lexer which outputs everything as Text.Generic.Output (#​1835, #​1836)

• Use the .ini lexer for systemd files (#​1849)

• Fix a FutureWarning related to words() (#​1854)

• pwsh is now recognized as an alias for PowerShell (#​1876)

v2.9.0

Compare Source

(released May 3rd, 2021)

• Added lexers:

  • APDL, gcode (#​1714)
  • Kuin (#​1300)
  • NestedText (#​1578)
  • OMG IDL (#​1595)
  • TEAL (#​1671)
  • ThingsDB (#​1295)
  • WebAssembly (#​1416, #​1564)

• Updated lexers:

  • AMDGPU (#​1717, #​1775)
  • APL (#​1747)
  • C/C++: Improve namespace handling (#​1722, #​1561, #​1719, #​1746)
  • Chapel (#​1743)
  • Coq (#​1721)
  • Cython (#​853)
  • DeviceTree (#​1755)
  • Groovy (#​1765)
  • Julia (#​1715)
  • Octave: Allow multiline and block-percent comments (#​1726)
  • PowerShell: Improve lexing of : (#​1682, #​1758)
  • PromQL (#​1783)
  • Python: Improve float parsing (#​1768, #​1740)
  • Rust (#​1061)
  • Scala: Rewrite to support Scala3 (#​1694, #​1035, #​1121)
  • Terraform: Support 0.14 syntax (#​1756)
  • Velocity: Detect multi-line patterns (#​1776)

• Add Pango formatter (#​1727)

• Autopygmentize uses file first instead of pygments -N (#​1786)

• Fix links (#​1716)

• Fix issue with LaTeX formatter and minted (#​1734, #​1735, #​1736, #​1737)

• Improve alias order (#​1780)

• Improve line number colors (#​1779, #​1778)

• Fix CTag related issue (#​1724)

• Recognize .leex as Elixir templates

• Fix incorrect variable being accessed (#​1748)

• Updated filename handling in HTML formatter if linenos='table' (#​1757)

  • Previously the filename would be emitted within the <td> holding the
    code, but outside the <pre>. This would invariably break the alignment
    with line numbers.
  • Now if filename is specified, a separate <tr> is emitted before the
    table content which contains a single <th> with colspan=2 so it
    spans both the line number and code columns. The filename is still
    within <span class="filename">...</span> so any existing styles
    should still apply, although the CSS path may need to change.
  • For an example of the new output format see
    table_cls_step_1_start_1_special_0_noanchor_filename.html
    in the tests/html_linenos_expected_output/ directory.
  • For more details and discussion see the issue
    #​1757

• Added styles:

  • Gruvbox light+dark (#​1763)

v2.8.1

Compare Source

• Fix issue with LaTeX formatter and minted (#​1734, #​1735, #​1736, #​1737)

v2.8.0

Compare Source

(released February 14, 2021)

• Added lexers:

  • AMDGPU (#​1626)
  • CDDL (#​1379, #​1239)
  • Futhark (#​1691)
  • Graphviz/DOT (#​1657, #​731)

• Updated lexers:

  • AutoIt: Support single quoted strings (#​1667, #​1663)

  • C/C++ & related: Fix mishandling */ (#​1695)

  • Cocoa: Add builtin types (#​1703)

  • Console (#​1672)

  • Eiffel: Fix performance issues (#​1658)

  • Fortran: Improve combined keyword detection (#​1677, #​1188)

  • J: Fix operator ? lexing (#​1700, #​1149)

  • JavaScript/TypeScript: Fix escapes in backtick strings (#​1679, #​1686)

  • Kotlin: Improve string interpolation, modifier keyword handling, and various small issues (#​1699)

  • LESS: Support single-line comments (#​1046)

  • Matlab:

    • Add support for class properties (#​1466)
    • Update builtin functions (#​1705)
    • Various cleanups (#​1673)

  • OpenEdge (#​1696)

  • Python: Improve handling of raw f-strings (#​1681, #​1683)

  • Ruby: Better method name handling (#​1531)

  • Stata: Updated keywords (#​1470)

• Added styles:

  • Material (#​1662)
  • Zenburn (#​1659)

• The pygmentize script now uses argparse, all options should work
  as before

• Add pygmentize -C option to guess a lexer from content

• With this release, Pygments moves to a new internal testing system (#​1649.)
  See Contributing.md for details. The main advantage of this new change
  is a much better test coverage of all existing example lexers. It also makes
  it much easier to add new test snippets.

• Make guessing prefer Python 3 lexer

• Do not guess MIME or SQL without reason

• Changed setuptools to use a declarative config through setup.cfg.
  Building Pygments now requires setuptools 39.2+.

• Add markdown to MarkdownLexer aliases (#​1687)

• Change line number handling

  • In <table> based output, the td.linenos element will have either a
    normal or special class attached. Previously, only special line
    numbers got a class. This prevents styles from getting applied twice -
    once via <pre>, once via <span class="special">. This also means
    that td.linenos pre is no longer styled, instead, use
    td.linenos .normal and td.linenos .special.
  • In the "inline" style, the DOM element order was changed. The line number
    is added first, then the line is wrapped is wrapped by the highlighter.
    This fixes lines not being fully highlighted.
  • The visual output for inline and non-inline line numbers & highlighting,
    as well as class-based and inline styling is now consistent.
  • Line number styles are set to background-color: transparent and
    color: inherit by default. This works much better with dark styles
    which don't have colors set for line numbers.

• Remove "raw" alias from RawTokenLexer, so that it cannot be
  selected by alias.

• Fix RawTokenLexer to work in Python 3 and handle exceptions.

• Add prompt colors to the Solarized theme (#​1529)

• Image formatter supports background colors now (#​1374)

• Add support for anchors in conjunction with inline line numbers (#​1591)

• Modernize the codebase using pyupgrade (#​1622)

• Add support for line numbers to the terminal256 formatter (#​1674, #​1653)

• Improve analyze_text logic for ECL (#​1610)

• Improve analyze_text logic for CBM Basic V2 (#​1607)

• Improve LaTeX formatter (#​1708, #​1709)

v2.7.4

Compare Source

(released January 12, 2021)

• Updated lexers:

  • Apache configurations: Improve handling of malformed tags (#​1656)

  • CSS: Add support for variables (#​1633, #​1666)

  • Crystal (#​1650, #​1670)

  • Coq (#​1648)

  • Fortran: Add missing keywords (#​1635, #​1665)

  • Ini (#​1624)

  • JavaScript and variants (#​1647 -- missing regex flags, #​1651)

  • Markdown (#​1623, #​1617)

  • Shell

    • Lex trailing whitespace as part of the prompt (#​1645)
    • Add missing in keyword (#​1652)

  • SQL - Fix keywords (#​1668)

  • Typescript: Fix incorrect punctuation handling (#​1510, #​1511)

• Fix infinite loop in SML lexer (#​1625), CVE-2021-20270 <https://nvd.nist.gov/vuln/detail/CVE-2021-20270>_

• Fix backtracking string regexes in JavaScript/TypeScript, Modula2
  and many other lexers (#​1637) CVE-2021-27291 <https://nvd.nist.gov/vuln/detail/CVE-2021-27291>_

• Limit recursion with nesting Ruby heredocs (#​1638)

• Fix a few inefficient regexes for guessing lexers

• Fix the raw token lexer handling of Unicode (#​1616)

• Revert a private API change in the HTML formatter (#​1655) --
  please note that private APIs remain subject to change!

• Fix several exponential/cubic-complexity regexes found by
  Ben Caller/Doyensec (#​1675)

• Fix incorrect MATLAB example (#​1582)

Thanks to Google's OSS-Fuzz project for finding many of these bugs.

v2.7.3

Compare Source

(released December 6, 2020)

• Updated lexers:

  • Ada (#​1581)
  • HTML (#​1615, #​1614)
  • Java (#​1594, #​1586)
  • JavaScript (#​1605, #​1589, #​1588)
  • JSON (#​1569 -- this is a complete rewrite)
  • Lean (#​1601)
  • LLVM ([#

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.