
[Snyk] Upgrade highlight.js from 11.9.0 to 11.11.1#8

Open
Dustin4444 wants to merge 1 commit into main from snyk-upgrade-8f3c09e93aeab59011c7cc1eaeaaf020

Conversation

@Dustin4444


Snyk has created this PR to upgrade highlight.js from 11.9.0 to 11.11.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 3 versions ahead of your current version.

  • The recommended version was released 10 months ago.

Issues fixed by the recommended upgrade:

Issue (severity, title, Snyk ID); score; exploit maturity:

  • high severity: Regular Expression Denial of Service (ReDoS), SNYK-JS-CROSSSPAWN-8303230; score 222; Proof of Concept
  • medium severity: Inefficient Regular Expression Complexity, SNYK-JS-MICROMATCH-6838728; score 222; No Known Exploit
  • medium severity: Regular Expression Denial of Service (ReDoS), SNYK-JS-PATHTOREGEXP-7925106; score 222; Proof of Concept
  • low severity: Regular Expression Denial of Service (ReDoS), SNYK-JS-BRACEEXPANSION-9789073; score 222; Proof of Concept
  • low severity: Regular Expression Denial of Service (ReDoS), SNYK-JS-BRACEEXPANSION-9789073; score 222; Proof of Concept
Release notes
Package name: highlight.js
  • 11.11.1 - 2024-12-25

    Version 11.11.1

    • Fixes regressions with Rust grammar in 11.11.0 release.
  • 11.11.0 - 2024-12-14

    Version 11.11.0

    CAVEATS / POTENTIALLY BREAKING CHANGES

    • Nothing.

    Core Grammars:

    • fix(rust) - adds emoji support in single quote strings joshgoebel
    • fix(apache) - support line continuation via \ Josh Goebel
    • fix(makefile) - allow strings inside $() expressions aneesh98
    • enh(arcade) updated to ArcGIS Arcade version 1.29 Kristian Ekenes
    • enh(css) add all properties listed on MDN (96 additions including anchor-name, aspect-ratio, backdrop-filter, container, margin-trim, place-content, scroll-timeline, ...) BaliBalo
    • enh(excel) add built-in functions for Excel 365 release to 2024 Danny Winrow
    • enh(erlang) OTP 27 triple-quoted strings nixxquality
    • enh(erlang) OTP 27 doc attribute nixxquality
    • enh(erlang) OTP 27 Sigil type nixxquality
    • enh(erlang) OTP25/27 maybe statement nixxquality
    • enh(dart) Support digit-separators in number literals Sam Rawlins
    • enh(csharp) add Contextual keywords file, args, dynamic, record, required and scoped Alvin Joy
    • enh(lua) add 'pluto' as an alias Sainan
    • enh(bash) add reserved keywords time and coproc Álvaro Mondéjar
    • enh(nix) update keywords h7x4
    • enh(nix) support paths h7x4
    • enh(nix) support lookup paths h7x4
    • enh(nix) support operators h7x4
    • enh(nix) support REPL keywords h7x4
    • enh(nix) support markdown comments h7x4
    • enh(nix) support basic function params h7x4
    • enh(nix) better parsing of attrsets h7x4
    • fix(c) - Fixed hex numbers with decimals Dxuian
    • fix(typescript) - Fixed optional property not highlighted correctly Dxuian
    • fix(ruby) - fix |= operator false positives (as block arguments) Aboobacker MK
    • enh(gcode) rewrote language for modern gcode support Barthélémy Bonhomme
    • fix(sql) - Fixed sql primary key and foreign key spacing issue Dxuian
    • fix(cpp) added flat_set and flat_map as a part of cpp 23 version Lavan
    • fix(yaml) - Fixed special chars in yaml Dxuian
    • fix(basic) - Fixed closing quotation marks not required for a PRINT statement Somya
    • fix(nix) remove add builtin h7x4
    • fix(nix) mark or as builtin instead of literal h7x4
    • fix(nix) handle ''' string escapes h7x4
    • fix(nix) handle backslash string escapes h7x4
    • fix(nix) don't mix escapes for " and '' strings h7x4
    • fix(swift) - Fixed syntax highlighting for class func/var declarations guuido
    • fix(yaml) - Fixed wrong escaping behavior in single quoted strings guuido
    • enh(nim) - Add concept and defer to list of Nim keywords Jake Leahy

    New Grammars:

    • added 3rd party TTCN-3 grammar to SUPPORTED_LANGUAGES Osmocom
    • added 3rd party Odin grammar to SUPPORTED_LANGUAGES clsource
    • added 3rd party Liquid grammar to SUPPORTED_LANGUAGES Laurel King

    Developer Tools:

    • Nothing yet.

    Themes:

    Improvements:

    • Resolve the memory leak problem when creating multiple Highlight.js instances Imken

    CONTRIBUTORS

  • 11.10.0 - 2024-07-06

    Sorry for the wait, this one is a doozie, thanks to all the contributors who made it possible!


    CAVEATS / POTENTIALLY BREAKING CHANGES

    Important

    This version drops support for Node 16.x, which is no longer supported by Node.js.


    Core Grammars:

    • enh(typescript) add support for satisfies operator Kisaragi Hiu
    • enc(c) added more C23 keywords Melkor-1
    • enh(json) added jsonc as an alias BackupMiles
    • enh(gml) updated to latest language version (GML v2024.2) gnysek
    • enh(c) added more C23 keywords and preprocessor directives Eisenwave
    • enh(js/ts) support namespaced tagged template strings Aral Balkan
    • enh(perl) fix false-positive variable match at end of string Josh Goebel
    • fix(cpp) not all kinds of number literals are highlighted correctly Lê Duy Quang
    • fix(css) fix overly greedy pseudo class matching Bradley Mackey
    • enh(arcade) updated to ArcGIS Arcade version 1.24 Kristian Ekenes
    • fix(typescript): params types Mohamed Ali
    • fix(rust) fix escaped double quotes in string Mohamed Ali
    • fix(rust) fix for r# raw identifier not being highlighted correctly. JaeBaek Lee
    • enh(rust) Adding union to be recognized as a keyword in Rust. JaeBaek Lee
    • fix(yaml) fix for yaml with keys having brackets highlighted incorrectly Aneesh Kulkarni
    • fix(csharp) add raw string highlighting for C# 11. Tara
    • fix(bash) fix # within token being detected as the start of a comment Felix Uhl
    • fix(python) fix or conflicts with string highlighting Mohamed Ali
    • enh(python) adds a scope to the self variable Lee Falin
    • enh(delphi) allow digits to be omitted for hex and binary literals Jonah Jeleniewski
    • enh(delphi) add support for digit separators Jonah Jeleniewski
    • enh(delphi) add support for character strings with non-decimal numerics Jonah Jeleniewski
    • fix(javascript) incorrect function name highlighting CY Fung
    • fix(1c) fix escaped symbols "+-;():=,[]" literals Vitaly Barilko
    • fix(swift) correctly highlight generics and conformances in type definitions Bradley Mackey
    • enh(swift) add package keyword Bradley Mackey
    • fix(swift) ensure keyword attributes highlight correctly Bradley Mackey
    • fix(types) fix interface LanguageDetail > keywords Patrick Chiu
    • enh(java) add goto to be recognized as a keyword in Java Alvin Joy
    • enh(bash) add keyword sudo Alvin Joy
    • fix(haxe) captures new keyword without capturing it within variables/class names Cameron Taylor
    • fix(go) fix go number literals to accept _ separators, add hex p exponents Lisa Ugray
    • enh(markdown) add entity support David Schach TaraLei
    • enh(css) add justify-items and justify-self attributes Vasily Polovnyov
    • enh(css) add accent-color, appearance, color-scheme, rotate, scale and translate attributes Carl Räfting
    • fix(fortran) fixes parsing of keywords delimited by dots Julien Bloino
    • enh(css) add select, option, optgroup, picture and source to list of known tags Vasily Polovnyov
    • enh(css) add inset, inset-*, border-start-*-radius and border-end-*-radius attributes Vasily Polovnyov
    • enh(css) add text-decoration-skip-ink, text-decoration-thickness and text-underline-offset attributes Vasily Polovnyov

    New Grammars:

    • added 3rd party CODEOWNERS grammar to SUPPORTED_LANGUAGES nataliia-radina
    • added 3rd party Luau grammar to SUPPORTED_LANGUAGES Robloxian Demo
    • added 3rd party ReScript grammar to SUPPORTED_LANGUAGES Paul Tsnobiladzé
    • added 3rd party Zig grammar to SUPPORTED_LANGUAGES Hyou BunKen
    • added 3rd party WGSL grammar to SUPPORTED_LANGUAGES Arman Uguray
    • added 3rd party Unison grammar to SUPPORTED_LANGUAGES Rúnar Bjarnason
    • added 3rd party Phix grammar to SUPPORTED_LANGUAGES PeteLomax
    • added 3rd party Mirth grammar to SUPPORTED_LANGUAGES Sierra
    • added 3rd party JSONata grammar to SUPPORTED_LANGUAGES Vlad Dimov

    Developer Tool:

    Themes:

    • Added 1c-light theme, like in the IDE 1C:Enterprise 8 (for 1c) Vitaly Barilko
  • 11.9.0 - 2023-10-09

    Version 11.9.0

    CAVEATS / POTENTIALLY BREAKING CHANGES

    • Drops support for Node 14.x, which is no longer supported by Node.js.
    • In the node build styles/*.css files now ship un-minified
      with minified counterparts as: styles/*.min.css mvorisek
      (this makes things consistent with our cdn builds)

    Parser:

    • (enh) prevent re-highlighting of an element joshgoebel
    • (chore) Remove discontinued badges from README Bradley Mackey
    • (chore) Fix build size report Bradley Mackey

    New Grammars:

    • added 3rd party Iptables grammar to SUPPORTED_LANGUAGES Checconio
    • added 3rd party x86asmatt grammar to SUPPORTED_LANGUAGES gondow
    • added 3rd party riscv64 grammar to SUPPORTED_LANGUAGES aana-h2
    • added 3rd party Ballerina grammar to SUPPORTED_LANGUAGES Yasith Deelaka

    Core Grammars:

    • fix(rust) added negative-lookahead for callable keywords if while for Omar Hussein
    • enh(armasm) added x0-x30 and w0-w30 ARMv8 registers Nicholas Thompson
    • enh(haxe) added final, is, macro keywords and $ identifiers Robert Borghese
    • enh(haxe) support numeric separators and suffixes Robert Borghese
    • fix(haxe) fixed metadata arguments and support non-colon syntax Robert Borghese
    • fix(haxe) differentiate abstract declaration from keyword Robert Borghese
    • fix(bash) do not delimit a string by an escaped apostrophe hancar
    • enh(swift) support macro keyword Bradley Mackey
    • enh(swift) support parameter pack keywords Bradley Mackey
    • enh(swift) regex literal support Bradley Mackey
    • enh(swift) @ unchecked and @ Sendable support Bradley Mackey
    • enh(scala) add using directives support //> using foo bar Jamie Thompson
    • fix(scala) fixed comments in constructor arguments not being properly highlighted Isaac Nonato
    • enh(swift) ownership modifiers support Bradley Mackey
    • enh(nsis) Add !assert compiler flag idleberg
    • fix(haskell) do not treat double dashes inside infix operators as comments Zlondrej
    • enh(rust) added eprintln! macro qoheniac
    • enh(leaf) update syntax to 4.0 Samuel Bishop
    • fix(reasonml) simplify syntax and align it with ocaml jchavarri
    • fix(swift) warn_unqualified_access is an attribute Bradley Mackey
    • enh(swift) macro attributes are highlighted as keywords Bradley Mackey
    • enh(stan) updated for version 2.33 (#3859) Brian Ward
    • fix(css) added '_' css variable detection Md Saad Akhtar
    • enh(groovy) add record and var as keywords Guillaume Laforge

    Developer Tool:

from highlight.js GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade highlight.js from 11.9.0 to 11.11.1.

See this package in npm:
highlight.js

See this project in Snyk:
https://app.snyk.io/org/dustin4444/project/e7544824-e775-43f4-b576-583eba5c654b?utm_source=github&utm_medium=referral&page=upgrade-pr
@coderabbitai

coderabbitai Bot commented Oct 19, 2025


Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist


Summary of Changes

Hello @Dustin4444, I'm Gemini Code Assist [1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the highlight.js dependency to its latest stable version, 11.11.1. The primary motivation for this upgrade is to address critical security vulnerabilities, particularly several Regular Expression Denial of Service (ReDoS) issues, and to incorporate a wide array of improvements and new features. These changes will enhance the robustness and functionality of syntax highlighting within the project, ensuring better security and broader language support.

Highlights

  • Dependency Upgrade: The highlight.js library has been upgraded from version 11.9.0 to 11.11.1.
  • Security Fixes: This update resolves several security vulnerabilities, including high-severity Regular Expression Denial of Service (ReDoS) issues and medium-severity Inefficient Regular Expression Complexity.
  • Grammar Enhancements: Numerous programming language grammars have received enhancements and fixes, improving syntax highlighting accuracy and coverage for languages like Rust, CSS, C#, TypeScript, and many others.
  • New Language Support: New grammars for languages such as TTCN-3, Odin, Liquid, Luau, and Zig have been added, expanding the range of supported languages.
  • Node.js Support Changes: Version 11.10.0 dropped support for Node.js 16.x, and the preceding 11.9.0 version dropped support for Node.js 14.x.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

  • Code Review: /gemini review. Performs a code review for the current pull request in its current state.
  • Pull Request Summary: /gemini summary. Provides a summary of the current pull request in its current state.
  • Comment: @gemini-code-assist. Responds in comments when explicitly tagged, both in pull request comments and review comments.
  • Help: /gemini help. Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment



Code Review

This pull request, generated by Snyk, upgrades highlight.js from version 11.9.0 to 11.11.1. This is a crucial security update that patches several vulnerabilities, including a high-severity Regular Expression Denial of Service (ReDoS) issue. I have reviewed the changes and the release notes, and the upgrade appears safe to merge. It is a minor version bump with no breaking changes that should impact this project. The change is correct and necessary.

