chore(deps): update dependency katex to ^0.13.3 || ^0.16.0 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
katex (source)	^0.13.3 → ^0.13.3 || ^0.16.0

GitHub Vulnerability Alerts

CVE-2024-28245

Impact

KaTeX users who render untrusted mathematical expressions could encounter malicious input using \includegraphics that runs arbitrary JavaScript, or generate invalid HTML.

Patches

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Workarounds

• Avoid use of or turn off the trust option, or set it to forbid \includegraphics commands.
• Forbid inputs containing the substring "\\includegraphics".
• Sanitize HTML output from KaTeX.

Details

\includegraphics did not properly quote its filename argument, allowing it to generate invalid or malicious HTML that runs scripts.

For more information

If you have any questions or comments about this advisory:

• Open an issue or security advisory in the KaTeX repository
• Email us at katex-security@mit.edu

CVE-2024-28246

Impact

Code that uses KaTeX's trust option, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate javascript: links in the output, even if the trust function tries to forbid this protocol via trust: (context) => context.protocol !== 'javascript'.

Patches

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Workarounds

• Allow-list instead of block protocols in your trust function.
• Manually lowercase context.protocol via context.protocol.toLowerCase() before attempting to check for certain protocols.
• Avoid use of or turn off the trust option.

Details

KaTeX did not normalize the protocol entry of the context object provided to a user-specified trust-function, so it could be a mix of lowercase and/or uppercase letters.

It is generally better to allow-list by protocol, in which case this would normally not be an issue. But in some cases, you might want to block-list, and the KaTeX documentation even provides such an example:

Allow all commands but forbid specific protocol: trust: (context) => context.protocol !== 'file'

Currently KaTeX internally sees file: and File: URLs as different protocols, so context.protocol can be file or File, so the above check does not suffice. A simple workaround would be:

trust: (context) => context.protocol.toLowerCase() !== 'file'

Most URL parsers normalize the scheme to lowercase. For example, RFC3986 says:

Although schemes are case-insensitive, the canonical form is lowercase and documents that specify schemes must do so with lowercase letters. An implementation should accept uppercase letters as equivalent to lowercase in scheme names (e.g., allow "HTTP" as well as "http") for the sake of robustness but should only produce lowercase scheme names for consistency.

---

Release Notes

KaTeX/KaTeX (katex)

v0.16.28

Compare Source

Bug Fixes

• type: add missing types definition path to package.json (#​4125) (0ef8921)

v0.16.27

Compare Source

Features

• support equals sign and surrounding whitespace in \htmlData attribute values (#​4112) (c77aaec)

v0.16.26

Compare Source

Bug Fixes

• \mathop followed by integral symbol (6fbad18)

v0.16.25

Compare Source

Features

• css: provide katex-swap.css that uses font-display: swap (#​3940) (b3f9ce6), closes #​2242

v0.16.24

Compare Source

Features

• support hex colors with alpha (#​4090) (8c9b306), closes #​4067 #fA6 #fA6f1

v0.16.23

Compare Source

Bug Fixes

• Support \def with arguments via macros option (#​4087) (80a8158)

v0.16.22

Compare Source

Bug Fixes

• \relax in base or exponent of super/subscript (#​4045) (1f43c84)

v0.16.21

Compare Source

Bug Fixes

• escape \htmlData attribute name (57914ad)

v0.16.20

Compare Source

Bug Fixes

• \providecommand does not overwrite existing macro (#​4000) (6d30fe4), closes #​3928

v0.16.19

Compare Source

Bug Fixes

• types: improve strict function type (#​4009) (4228b4e)

v0.16.18

Compare Source

Bug Fixes

• Actually publish TypeScript type definitions (#​4008) (629b873)

v0.16.17

Compare Source

Bug Fixes

• MathML combines multidigit numbers with sup/subscript, comma separators, and multicharacter text when outputting to DOM (#​3999) (7d79e22), closes #​3995

v0.16.16

Compare Source

Features

• ESM exports, TypeScript types (#​3992) (ea9c173)

v0.16.15

Compare Source

Features

• italic sans-serif in math mode via \mathsfit command (#​3998) (2218901)

v0.16.14

Compare Source

Features

• \dddot and \ddddot support (#​3834) (bda35cd), closes #​2744

v0.16.13

Compare Source

Bug Fixes

• \vdots and \rule support in text mode (#​3997) (0e08352), closes #​3990

v0.16.12

Compare Source

Features

• css: configurable margin for display math (#​3638) (3405001)

v0.16.11

Compare Source

Features

• add \emph (#​3963) (9f34da4), closes #​3566

v0.16.10

Compare Source

Bug Fixes

• \edef bypassing maxExpand via exponential blowup (e88b4c3)
• escape \includegraphics src and alt (c5897fc)
• force protocol to be lowercase for better protocol filtering (fc5af64), closes /datatracker.ietf.org/doc/html/rfc3986#section-3
• maxExpand limit with Unicode sub/superscripts (085e21b)

v0.16.9

Compare Source

Features

• Support bold Fraktur (#​3777) (240d5ae)

v0.16.8

Compare Source

Features

• expose error length and raw error message on ParseError (#​3820) (710774a)

v0.16.7

Compare Source

Bug Fixes

• docs/support_table.md: delete redundant "varPsi" (#​3814) (33a1b98)

v0.16.6

Compare Source

Bug Fixes

• Support \let via macros option (#​3738) (bdb0be2), closes #​3737 #​3737

v0.16.5

Compare Source

Features

• __defineFunction API exposing internal defineFunction (#​3805) (c7b1f84), closes #​3756

v0.16.4

Compare Source

Bug Fixes

• space should prevent optional argument to \ (#​3746) (a0deb34), closes #​3745

v0.16.3

Compare Source

Bug Fixes

• \hline after \cr (#​3735) (ebf6bf5), closes #​3734

v0.16.2

Compare Source

Features

• css: provide katex-swap.css that uses font-display: swap (#​3940) (b3f9ce6), closes #​2242

v0.16.1

Compare Source

Bug Fixes

• types: improve strict function type (#​4009) (4228b4e)

v0.16.0

Compare Source

Bug Fixes

• copy-tex: Use JS (instead of CSS) to select full equation, solving display glitches (#​3586) (8c2d852)

BREAKING CHANGES

• copy-tex: copy-tex extension no longer has (or requires) a CSS file.

0.15.6 (2022-05-20)

Features

• Support \Braket, \set, and \Set (#​3214) (9e3ae4d)

0.15.5 (2022-05-20)

Bug Fixes

• Avoid crash when \ce{} is empty (#​3627) (4865e45)

0.15.4 (2022-05-20)

Features

• Support Unicode (sub|super)script characters (#​3633) (d8fc35e)

0.15.3 (2022-03-13)

Bug Fixes

• Apply operator spacing to Unicode ∙ ∘ ∖ (#​3584) (b362fc0)

0.15.2 (2022-01-12)

Bug Fixes

• \mathinner MathML when invoked as a denominator. (#​3501) (1f85125), closes #​3500

0.15.1 (2021-10-31)

Features

• \nonumber/\notag support, \tag per row of {align} (#​2952) (52c4778), closes #​2950 #​2379

v0.15.6

Compare Source

Features

• Support \Braket, \set, and \Set (#​3214) (9e3ae4d)

v0.15.5

Compare Source

Bug Fixes

• Avoid crash when \ce{} is empty (#​3627) (4865e45)

v0.15.4

Compare Source

Features

• Support Unicode (sub|super)script characters (#​3633) (d8fc35e)

v0.15.3

Compare Source

Bug Fixes

• Apply operator spacing to Unicode ∙ ∘ ∖ (#​3584) (b362fc0)

v0.15.2

Compare Source

Bug Fixes

• \mathinner MathML when invoked as a denominator. (#​3501) (1f85125), closes #​3500

v0.15.1

Compare Source

Features

• \nonumber/\notag support, \tag per row of {align} (#​2952) (52c4778), closes #​2950 #​2379

v0.15.0

Compare Source

Features

• implement \relax as no-op function (#​3384) (40109f6)

BREAKING CHANGES

• \relax is now implemented as a function. It'll stop
  expansions and parsing, so the behavior around \relax may change.
  For example, \kern2\relax em will no longer work.

0.14.1 (2021-10-30)

Bug Fixes

• Settings: use schema (#​3375) (b58a432)

v0.14.1

Compare Source

Bug Fixes

• Settings: use schema (#​3375) (b58a432)

v0.14.0

Compare Source

Features

• conditionally export ECMAScript modules (#​3377) (15ee9b4)

BREAKING CHANGES

• With module loaders that support conditional exports
  and ECMAScript modules, import katex from 'katex'; will import the
  ECMAScript module.

You can now use:

Before	After
require('katex/dist/contrib/[name].js')	require('katex/contrib/[name]')
import katex from 'katex/dist/katex.mjs'	import katex from 'katex'
import 'katex/dist/contrib/[name].mjs'	import 'katex/contrib/[name]'

0.13.24 (2021-10-30)

Bug Fixes

• round dimensions to 4 places (#​2460) (09ee1c8)

0.13.23 (2021-10-30)

Bug Fixes

• fonts: correct width of \cong glyph, fix \boldsymbol{\cong} (#​3206) (35db4ff), closes #​2199

0.13.22 (2021-10-30)

Bug Fixes

• deps: update dependency commander to v8 [skip netlify] (#​3374) (4df1922)

0.13.21 (2021-10-29)

Bug Fixes

• fonts: fix the timestamp of fonts to the epoch (#​3370) (dde05db)

0.13.20 (2021-10-26)

Performance Improvements

• Avoid vertical-align:0em style (#​3358) (6d6d627), closes #​3351

0.13.19 (2021-10-26)

Features

• cli: --trust flag for trusting cli input (#​3339) (503f7d7), closes #​2428

0.13.18 (2021-09-02)

Features

• unicode support for minus and asterisk operators (#​3227) (9dbfc1c), closes #​3225

0.13.17 (2021-09-01)

Bug Fixes

• fonts: remove hints from unknown symbols (#​3222) (9420f8a), closes #​3219

0.13.16 (2021-08-28)

Bug Fixes

• \char support for >16-bit Unicode characters (#​3006) (ff1734f), closes #​3004
• remove local macros upon parse error (#​3114) (a6f29e3), closes #​3122

0.13.15 (2021-08-28)

Features

• text-mode cedilla accent via \c (#​3036) (952fb84), closes #​638

0.13.14 (2021-08-28)

Bug Fixes

• fonts: update fonts dependencies (#​2866) (ea409ea)

0.13.13 (2021-07-21)

Bug Fixes

• add namespace for svg, making output XHTML+SVG+MathML compatible (#​2725) (35ff5ac)

0.13.12 (2021-07-21)

Bug Fixes

• Correct invalid box-sizing property, adjusting spacing of \angl (#​3053) (910e523), closes #​3052

0.13.11 (2021-05-14)

Bug Fixes

• matrix environment with zero or inconsistent columns (#​3018) (f779bac), closes #​3017

Features

• Allow text-mode accents in math mode, except in strict mode (#​3009) (0e9acce), closes #​2983

0.13.10 (2021-05-12)

Bug Fixes

• Correct for negative margin in integrand lower limits (#​2987) (9b4acc9)

0.13.9 (2021-05-07)

Bug Fixes

• MathML for stretchy accents. #​2990 (#​2991) (1cb6279)

0.13.8 (2021-05-06)

Features

• \operatornamewithlimits (and clean up \operatorname support) (#​2984) (e9b751b)

0.13.7 (2021-05-06)

Bug Fixes

• binom delimiter size in scriptscriptstyle. (#​2976) (980b004)

0.13.6 (2021-05-06)

Bug Fixes

• Correctly parse \ followed by whitespace (#​2877) (c85250d), closes #​2860

0.13.5 (2021-05-02)

Bug Fixes

• Support \S and \P in math mode (#​2977) (3f7163d)

0.13.4 (2021-05-02)

Bug Fixes

• Avoid crash when \operatorname has \limits (#​2979) (fbda0b1)

0.13.3 (2021-04-24)

Bug Fixes

• Respect catcode in macro expansion and set ~'s catcode correctly (#​2949) (01ae7f8), closes #​2924
• array: Keep single empty row in AMS environments (#​2947) (24332e0), closes #​2944

0.13.2 (2021-04-06)

Bug Fixes

• update version and SRI in dist/README.md (#​2905) (319c52d)

0.13.1 (2021-04-05)

Bug Fixes

• Protect fraction bars from CSS border-color (#​2870) (2f62c0d)

[v0.13.0]

See #​2490 for breaking changes and migration guide!

Bug Fixes

• fix: Remove topEnv parameter. (#​2712)
• fix(builder): combine characters together in all expressions (#​2080)
• fix: Prevent global group from adversely affecting color. (#​2703)
• fix: Use SVGs to avoid gaps in tall delimiters. (#​2698)
• fix: rewrite of splitAtDelimiters.js -- new fix for #​2523 (#​2679)
• fix: Improve MathML for math operators with subscripts (#​2596)
• fix: Remove premature CD screenshotter images (#​2641)
• fix: Support Armenian characters (#​2618)
• fix: MathML \lim\limits in Safari (#​2556)
• fix: Support MathML \oiint and \oiiint (#​2461)
• fix: \injlim typo (#​2459)

Features

• feat: Support \underbar (#​2713)
• feat: Add {CD} to auto-render. (#​2710)
• feat: Set Auto-render to recognize AMS environments without $$…$$ delimiters. (#​2701)
• feat: Support {CD} (#​2396)
• feat: Support \vcenter and \hbox (#​2452)
• feat(function): add allowedInArgument instead of greediness property (#​2134)
• feat: Support matrix*, pmatrix*, bmatrix*, Bmatrix*, vmatrix*, and Vmatrix*. (#​2488)
• feat(macro): improve argument parsing (#​2085)
• feat: support AMS log-like symbols (#​2429)
• feat: support Unicode ◯, U+25EF (#​2430)
• feat: Support \phase (#​2406)
• feat: Support \mathstrut (#​2416)
• feat: support {equation}, {equation*}, and {split} (#​2369)
• feat(css): use postcss-preset-env (#​2313)
• feat: support {align}, {align*}, {alignat}, and {alignat*} (#​2341)
• Support {gather} and {gather*} (#​2183)
• feat: support MathML \big, \bigg, \Big, and \Bigg (#​2332)
• feat: support \angl and \angln (#​2334)
• Support \origof and \imageof (#​2283)

Documentation

• docs: Add TiddlyWiki to list of users (#​2765)
• docs: Fix fallback CSS classes (#​2809)
• docs: Rearrange environment documentation. (#​2700)
• docs: Explain how to make macros persist. (#​2702)
• docs: Revise placement of colonequals in Relations table (#​2704)
• docs: delete stray backtick (#​2680)
• docs: Add colonequals functions to docs (#​2651)
• docs: add new user link (#​2597)
• fix: typo in example on homepage (#​2577)
• docs: Add \char to support_table. (#​2620)
• docs: Update \operatorname in supported_table.md 0.12.0 (#​2571)
• docs: Fix documentation typo in operatorname* (#​2570)
• docs: add warning re:defer to mhchem documentation (#​2485)
• docs: update Gatsby logo and link (#​2481)
• docs: add MonsterWriter to the users page (#​2478)
• docs: add comment re: \arrowvert (#​2449)
• docs: add link to Discussions (#​2405)
• Update \color documentation (#​2370)
• docs: add Marker as a KaTeX user (#​2329)

Other Changes

• ci: run screenshotter in container (#​2644)
• ci: setup CodeQL code scanning (#​2645)
• fix(browserslist): remove Chrome 49, Samsung 4, and Node (#​2591)
• chore: add devcontainer.json (#​2545)
• Configure Renovate (#​2493)
• ci: don't persist credentials and run scripts (#​2450)
• build: upgrade Yarn to 2.2.0 (#​2477)
• build: make vscode work with PnP (#​2444)
• refactor: Delete obsolete comment re: mn elements (#​2472)
• test: lint all js files and inline scripts in workflow (#​2442)
• refactor: Delete obsolete comment re: limsup (#​2464)
• ci: migrate to GitHub Actions from CircleCI, allow running Browserstack on forked repo via label (#​2417)
• ci: enable Dependabot for website, submodules, and GitHub Actions (#​2424)
• test: add missing screenshots for safari (#​2423)
• ci: fix Dependabot autofix (#​2400)
• chore: don't include dist in the release commit (#​2385)
• ci: autofix Dependabot commits (#​2394)
• chore(screenshotter): support Browserstack and test on Safari 13.1 (#​2306)
• chore: enable Gitpod (#​2335)
• chore: migrate to Yarn 2 (#​2316)
• test: mock console implementation (#​2363)
• Update LICENSE year (#​2374)
• test(screenshotter): move coverage to Jest (#​2324)
• Fix test/symgroups.js (#​2314)
• Use base revision provided by CircleCI (#​2309)
• Delete bower.json (#​2372)
• Enable a MathML option in the KaTeX demo. (#​2371)
• Create dependabot.yml (#​2311)
• Run screenshotter using Chrome 83 and Firefox 76 (#​2304)

[v0.12.0]

Added

• globalGroup option to place definitions in global scope (#​2091)
• \cal (#​2116)
• {rcases} and {drcases} (#​2149)
• HTML extension (#​2082)
  • HTML extension can be enabled using strict and trust setting. See https://katex.org/docs/options.html for more details. Please review its security implication before enabling the extension.
• \message, \errmessage, and \show for debugging (#​2135)
• bra-ket notation (#​2162)
• \expandafter, \noexpand, \edef, \let, and \long (#​2122)
• Support MathML display mode (#​2220)
• \minuso (#​2213)

Changed

• Update documentation (#​2086, #​2108, #​2107, #​2106, #​2143, #​2178, #​2195, #​2231, #​2239, #​2263, #​2279, #​2289, #​2280. #​2269, #​2294, #​2296, #​2297)
• mathtex-script: Use html 'defer' attribute (#​2069)
• auto-render: do not touch text nodes w/o formulas (#​2154)
• Move \global and \def to functions (#​2138)
• Cleanup font build scripts & font updates (#​2155, #​2171, #​2156)
  • BREAKING CHANGE: old-style numerals are now available via \mathnormal instead of \mathcal
• Upgrade minimum development Node version to v10 (#​2177)

Removed

• BREAKING CHANGE: IE 9/10 support (#​2136)

Fixed

• Set border-collapse: collapse in vlist, fix misalignment in table (#​2103)
• \@​ifnextchar consumes spaces (#​2118)
• Add spacing on left of fleqn display math (#​2127)
• Fix \boxed inherited color (#​2130)
• Fix laps having visible width in Safari (#​1919)
• Improve MathML for corners (#​1922)
• auto-render: ignore "option" tags (#​2180)
• Fix delimiter error message (#​2186)
• Fix under accent depth (#​2252)
• Enable empty environment (#​2258)
• Enable an empty \substack (#​2278)
• Fix jagged parentheses (#​2234)
• \boldsymbol not italic for textords such as Greek (#​2290, #​2299)
• Protect fraction bars from CSS border-color (#​2292)
• Reset to leftmost spacing mode after newline (#​1841)
• Fix missing metrics for space (0x20) and no-break space (0xa0) (#​2298)

[v0.11.1]

Changed

• [Security] Bump mixin-deep from 1.3.1 to 1.3.2 (#​2090)
• [Security] Bump eslint-utils from 1.3.1 to 1.4.2 (#​2089)

Fixed

• Fix parse timing by separating consume() into fetch() and consume() (#​2054)
• Use current font for accents (#​2066)
• Fix \gray's macro definition (#​2075)

[v0.11.0]

Added

• BREAKING CHANGE: trust setting to indicate whether input text is trusted (#​1794)
  • \href and \url will break without adjusting the trust setting
• Add test for double square brackets to katex-spec (#​1956)
• Add option to render only MathML so that its visible (#​1966)
• Support {smallmatrix}, {subarray}, and \substack (#​1969)
• Enable minRuleThickness in rendering options (#​1964)
• Add \plim (#​1952)
• Support Unicode \digamma (#​2010)
• Support \operatorname* (#​1899)
• Support \includegraphics, with appropriate trust setting (#​2053)
• Add render-a11y-string add-on (#​2062)

Changed

• DOC: Fix path to built file (#​1976)
• Remove unclosed TODO comment (#​1979)
• Add "Tutti Quanti Shelf" app to users page (#​1997)
• Document mhchem \cf not supported (use \ce instead) (#​2008)
• Replace greenkeeper badge with dependabot badge (#​2022)
• Add Unicode digamma to documentation (#​2045)
• Add katex-expression to libs page (#​2049)
• Suggest in documentation (#​2052)
• Unicode characters in math render in text mode (#​2040)

Fixed

• Improve output of fonts in MathML (#​1965)
• Fix \pmb (#​1924)
• \color affects following \right, put array cells in their own groups (#​1845)
• Improve MathML for classes (#​1929)
• Prevent gaps in tall delimiters (#​1986)
• Fix \sqrt SVG path (#​2009)
• Do not force sizing groups to display inline-block (#​2044)
• Fix font choice in operators like \log (e.g. \boldsymbol{\log}) (#​2041)
• Fix argument font sizing in \fbox and \raisebox, fix font sizing in \TeX, \LaTeX, \KaTeX (#​1787)

[v0.10.2]

Added

• Approximate font metrics only when metrics don't exist (#​1898)
• Add KaTeX version to stylesheet and troubleshooting guide (#​1893)
• Add symbol double square brackets (#​1947, #​1954)
• Support double-square curly braces (#​1953)

Changed

• Upgrade minimum development Node version to v8 (#​1861)
• Disable @​babel/env debug (#​1874)
• Add issue templates (#​1862)
• Added 'katex-element' (#​1905)
• Fix Users' logo and url (#​1896)
• Load fonts before running screenshotter (#​1891)
• Add Browserstack logo (#​1879)
• Added Android library (#​1943)
• Move custom colors used by Khan into macros.js (#​1933)
• Test for duplicate symbols/macros (#​1955)
• Include extensions mhchem & copy-tex in home-page (#​1932)

Fixed

• Fix \Rho (#​1870)
• Fix nested \dfrac (#​1825)
• Improve MathML accents (#​1877)
• Improve MathML for \overset, \stackrel, and \underset (#​1886)
• Fix \not (U+E020) RBearing (width) (#​1878)
• Fix ApplyFunction character (#​1890)
• Improve MathML for \limits (#​1897)
• Improve MathML for \hphantom and \vphantom (#​1883)
• Improve MathML for \coloneqq, \dblcolon, \eqcolon, and \eqqcolon (#​1889)
• Improve MathML for \brace (#​1884)
• Fix \middle spacing (#​1906)
• Get a tall \middle\vert from MathML (#​1911)
• Improve more coloneq (#​1902)
• Make \smallint small in \displaystyle (#​1907)
• Improve MathML for characters in Unicode private use area (#​1908)
• Improve MathML for extensible arrows (#​1901)
• Improve MathML for \rule (#​1912)
• Improve MathML for fractions (#​1882)
• Improve MathML for \tag (#​1915)
• Improve MathML for \colorbox and \fcolorbox (#​1914)
• Improve MathML for environments (#​1910)
• Improve MathML for \genfrac barline (#​1925)
• Support \textup and \textmd (#​1921)
• Improve MathML for \not ([#​1923](https://redirect.github.com/KaTeX/KaTeX/

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[serhalp]

peer dep

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (^0.13.3 || ^0.16.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.