<p>Release notes from cmark-gfm (https://github.com/github/cmark-gfm/releases), updated 2023-07-21T15:19:43Z</p>
<p><strong>0.29.0.gfm.13</strong> (2023-07-21T15:22:23Z)</p>
<p><strong>Changes since last release</strong> (<a class="commit-link" href="https://github.com/github/cmark-gfm/compare/0.29.0.gfm.12...0.29.0.gfm.13"><tt>0.29.0.gfm.12...0.29.0.gfm.13</tt></a>):</p>
<ul>
<li>Normalized marker row vs. delimiter row nomenclature (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1330851119" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/273" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/273/hovercard" href="https://github.com/github/cmark-gfm/pull/273">#273</a>)</li>
<li>Exposed CMARK_NODE_FOOTNOTE_DEFINITION literal value (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1760790910" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/336" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/336/hovercard" href="https://github.com/github/cmark-gfm/pull/336">#336</a>)</li>
<li>Fixed format specifier for printing a size_t (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1804659762" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/340" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/340/hovercard" href="https://github.com/github/cmark-gfm/pull/340">#340</a>)</li>
</ul>
<p>Author: anticomputer</p>
<p><strong>0.29.0.gfm.12</strong> (2023-07-13T17:34:20Z)</p>
<p><strong>Changes since last release</strong> (<a class="commit-link" href="https://github.com/github/cmark-gfm/compare/0.29.0.gfm.11...0.29.0.gfm.12"><tt>0.29.0.gfm.11...0.29.0.gfm.12</tt></a>):</p>
<ul>
<li>Fixed polynomial time complexity issues per <a title="GHSA-w4qg-3vf7-m9x5" href="https://github.com/github/cmark-gfm/security/advisories/GHSA-w4qg-3vf7-m9x5">GHSA-w4qg-3vf7-m9x5</a></li>
<li>Added CodeQL project integration (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1767449230" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/337" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/337/hovercard" href="https://github.com/github/cmark-gfm/pull/337">#337</a>)</li>
<li>Addressed const qualifier discard compiler warnings (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1690609248" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/330" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/330/hovercard" href="https://github.com/github/cmark-gfm/pull/330">#330</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1690610178" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/331" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/331/hovercard" href="https://github.com/github/cmark-gfm/pull/331">#331</a>)</li>
</ul>
<p>Author: anticomputer</p>
<p><strong>0.29.0.gfm.11</strong> (2023-04-06T19:27:14Z)</p>
<p><strong>Changes since last release</strong> (<a class="commit-link" href="https://github.com/github/cmark-gfm/compare/0.29.0.gfm.10...0.29.0.gfm.11"><tt>0.29.0.gfm.10...0.29.0.gfm.11</tt></a>):</p>
<p>NOTE: this is a re-release of 0.11 due to missing a version/Changelog PR</p>
<ul>
<li>Improved fixes for polynomial time complexity issues per <a title="GHSA-66g8-4hjf-77xh" href="https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh">GHSA-66g8-4hjf-77xh</a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1652072726" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/323" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/323/hovercard" href="https://github.com/github/cmark-gfm/pull/323">#323</a>, <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1652163798" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/324" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/324/hovercard" href="https://github.com/github/cmark-gfm/pull/324">#324</a>)</li>
<li>Added fuzzing target for bracketed patterns (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1649988624" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/318" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/318/hovercard" href="https://github.com/github/cmark-gfm/pull/318">#318</a>)</li>
<li>Fixed bug in list numbering introduced in <a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/github/cmark-gfm/commit/763587e8775350b8cb4a2aa0f4cec3685aa96e8b/hovercard" href="https://github.com/github/cmark-gfm/commit/763587e8775350b8cb4a2aa0f4cec3685aa96e8b"><tt>763587e</tt></a> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1650980391" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/322" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/322/hovercard" href="https://github.com/github/cmark-gfm/pull/322">#322</a>) which caused list numbers to increment by 2</li>
<li>Fixed strict prototype clang warning (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1581356898" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/310" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/310/hovercard" href="https://github.com/github/cmark-gfm/pull/310">#310</a>)</li>
<li>Fixed regression test (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1617536789" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/312" data-hovercard-type="issue" data-hovercard-url="/github/cmark-gfm/issues/312/hovercard" href="https://github.com/github/cmark-gfm/issues/312">#312</a>)</li>
<li>Added additional output formats to quadratic fuzzer (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1657235682" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/327" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/327/hovercard" href="https://github.com/github/cmark-gfm/pull/327">#327</a>)</li>
<li>Fixed buffer overflow in fuzzing harness (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1656257229" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/326" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/326/hovercard" href="https://github.com/github/cmark-gfm/pull/326">#326</a>)</li>
</ul>
<p>Note: these changes may lead to minor changes in expected output on plaintext rendering of list items. Notably, blank lines may no longer delineate the start of a list when rendering to plaintext due to changes in how the tight list status is calculated.</p>
<p>Author: anticomputer</p>
<p><strong>0.29.0.gfm.10</strong> (2023-03-31T17:57:17Z)</p>
<p><strong>Changes since last release</strong> (<a class="commit-link" href="https://github.com/github/cmark-gfm/compare/0.29.0.gfm.9...0.29.0.gfm.10"><tt>0.29.0.gfm.9...0.29.0.gfm.10</tt></a>):</p>
<ul>
<li>Fixed polynomial time complexity issue per<br>
<a title="GHSA-r8vr-c48j-fcc5" href="https://github.com/github/cmark-gfm/security/advisories/GHSA-r8vr-c48j-fcc5">GHSA-r8vr-c48j-fcc5</a></li>
<li>Fixed polynomial time complexity issues per<br>
<a title="GHSA-66g8-4hjf-77xh" href="https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh">GHSA-66g8-4hjf-77xh</a></li>
</ul>
<p>Note: these changes remove redundant bold tag nesting which may result<br>
in existing rendering tests failing, e.g. rendering <code>____bold____</code> to html<br>
will no longer yield <code>&lt;p&gt;&lt;strong&gt;&lt;strong&gt;bold&lt;/strong&gt;&lt;/strong&gt;&lt;/p&gt;</code>.</p>
<p>Author: anticomputer</p>
<p><strong>0.29.0.gfm.9</strong> (2023-02-03T16:47:07Z)</p>
<p><strong>Changes since last release</strong> (<a class="commit-link" href="https://github.com/github/cmark-gfm/compare/0.29.0.gfm.8...0.29.0.gfm.9"><tt>0.29.0.gfm.8...0.29.0.gfm.9</tt></a>):</p>
<p>Code was tidied:</p>
<ul>
<li>Use of a private header was cleaned up <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1063937575" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/248" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/248/hovercard" href="https://github.com/github/cmark-gfm/pull/248">#248</a></li>
<li>Man page was updated <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1106370640" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/255" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/255/hovercard" href="https://github.com/github/cmark-gfm/pull/255">#255</a></li>
<li>Warnings for <code>-Wstrict-prototypes</code> were cleaned up <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1409223432" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/285" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/285/hovercard" href="https://github.com/github/cmark-gfm/pull/285">#285</a></li>
<li>We avoid header duplication <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1423432187" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/289" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/289/hovercard" href="https://github.com/github/cmark-gfm/pull/289">#289</a></li>
</ul>
<p>New functionality:</p>
<ul>
<li>We now store positioning info for <code>url_match</code> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="652972204" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/201" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/201/hovercard" href="https://github.com/github/cmark-gfm/pull/201">#201</a></li>
<li>We now expose <code>cmark_parent_footnote_def</code> for non-C renderers <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1105520249" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/254" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/254/hovercard" href="https://github.com/github/cmark-gfm/pull/254">#254</a></li>
<li>Footnote <code>aria-label</code> text now references the specific footnote backref, and we include a <code>data-footnote-backref-idx</code> attribute so the label can be internationalized in a downstream filter <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1557274599" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/307" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/307/hovercard" href="https://github.com/github/cmark-gfm/pull/307">#307</a></li>
</ul>
<p>Author: phillmv</p>
<p><strong>0.29.0.gfm.8</strong> (2023-01-25T20:04:47Z)</p>
<p><strong>Changes since last release</strong> (<a class="commit-link" href="https://github.com/github/cmark-gfm/compare/0.29.0.gfm.7...0.29.0.gfm.8"><tt>0.29.0.gfm.7...0.29.0.gfm.8</tt></a>):</p>
<ul>
<li>We restored backwards compatibility by deprecating the <code>cmark_init_standard_node_flags()</code> requirement, which is now a noop (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1555807586" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/305" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/305/hovercard" href="https://github.com/github/cmark-gfm/pull/305">#305</a>)</li>
<li>We added a quadratic complexity fuzzing target (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1555480285" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/304" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/304/hovercard" href="https://github.com/github/cmark-gfm/pull/304">#304</a>)</li>
</ul>
<p>Author: anticomputer</p>
<p><strong>0.29.0.gfm.7</strong> (2023-01-24T14:23:07Z)</p>
<p><strong>Changes since last release</strong> (<a class="commit-link" href="https://github.com/github/cmark-gfm/compare/0.29.0.gfm.6...0.29.0.gfm.7"><tt>0.29.0.gfm.6...0.29.0.gfm.7</tt></a>):</p>
<ul>
<li>Fixed <a href="https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p">CVE-2023-22486</a>, a polynomial time complexity issue in cmark-gfm which may lead to unbounded resource exhaustion and subsequent denial of service.</li>
<li>Fixed <a href="https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr">CVE-2023-22485</a>, in which a crafted markdown document could trigger an out-of-bounds read in the validate_protocol function.</li>
<li>Fixed <a href="https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r">CVE-2023-22484</a>, a polynomial time complexity issue in cmark-gfm which may lead to unbounded resource exhaustion and subsequent denial of service.</li>
<li>Fixed <a href="https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c">CVE-2023-22483</a>, several polynomial time complexity issues in cmark-gfm which may lead to unbounded resource exhaustion and subsequent denial of service.</li>
<li>We removed an unneeded .DS_Store file (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1431830067" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/291" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/291/hovercard" href="https://github.com/github/cmark-gfm/pull/291">#291</a>)</li>
<li>We added a test for domains with underscores and fixed roundtrip behavior (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1433875508" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/292" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/292/hovercard" href="https://github.com/github/cmark-gfm/pull/292">#292</a>)</li>
<li>We now use an up-to-date clang-format (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1444098396" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/294" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/294/hovercard" href="https://github.com/github/cmark-gfm/pull/294">#294</a>)</li>
<li>We made a variety of implicit integer truncations explicit by moving to size_t as our standard size integer type (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1553780681" data-permission-text="Title is private" data-url="https://github.com/github/cmark-gfm/issues/302" data-hovercard-type="pull_request" data-hovercard-url="/github/cmark-gfm/pull/302/hovercard" href="https://github.com/github/cmark-gfm/pull/302">#302</a>)</li>
<li>We introduced a new flag mechanism that is used in cmark node state management, which requires clients to call the <code>cmark_init_standard_node_flags</code> function at program startup (<a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/github/cmark-gfm/commit/420c20a112acd75af463d8930d8d59f2d25e9cd5/hovercard" href="https://github.com/github/cmark-gfm/commit/420c20a112acd75af463d8930d8d59f2d25e9cd5"><tt>420c20a</tt></a>)</li>
</ul>
<p>The security issues were reported and resolved by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/kevinbackhouse/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/kevinbackhouse">@kevinbackhouse</a> and <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/philipturnbull/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/philipturnbull">@philipturnbull</a> of the <a href="https://securitylab.github.com/">GitHub Security Lab</a></p>
<p>Author: anticomputer</p>
<p><strong>0.29.0.gfm.6</strong> (2022-09-15T13:41:44Z)</p>
<p><strong>Changes since last release</strong> (<a class="commit-link" href="https://github.com/github/cmark-gfm/compare/0.29.0.gfm.5...0.29.0.gfm.6"><tt>0.29.0.gfm.5...0.29.0.gfm.6</tt></a>):</p>
<ul>
<li>Fixed polynomial time complexity DoS vulnerability in autolink extension per <a href="https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q">GHSA-cgh3-p57x-9q7q</a></li>
</ul>
<p>Author: anticomputer</p>
<p><strong>0.29.0.gfm.5</strong> (2022-08-25T01:35:34Z)</p>
<p>Changes since last release (<a class="commit-link" href="https://github.com/github/cmark-gfm/compare/0.29.0.gfm.4...0.29.0.gfm.5"><tt>0.29.0.gfm.4...0.29.0.gfm.5</tt></a>):</p>
<ul>
<li>Added <code>xmpp:</code> and <code>mailto:</code> support to the autolink extension</li>
</ul>
<p>Author: stevenlaidlaw</p>
<p><strong>0.29.0.gfm.4</strong> (2022-05-31T13:25:10Z)</p>
<p>Changes since last release (<a class="commit-link" href="https://github.com/github/cmark-gfm/compare/0.29.0.gfm.3...0.29.0.gfm.4"><tt>0.29.0.gfm.3...0.29.0.gfm.4</tt></a>):</p>
<ul>
<li>Remove <code>source</code> from list of HTML block elements per <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1238909257" data-permission-text="Title is private" data-url="https://github.com/commonmark/commonmark-spec/issues/710" data-hovercard-type="pull_request" data-hovercard-url="/commonmark/commonmark-spec/pull/710/hovercard" href="https://github.com/commonmark/commonmark-spec/pull/710">commonmark/commonmark-spec#710</a></li>
</ul>
<p>Author: lumaxis</p>