This repository has been archived by the owner on Oct 23, 2024. It is now read-only.

chore(deps): update dependency pygments to v2.15.0 [security] #3360

Open
wants to merge 1 commit into
base: master

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Aug 6, 2024

This PR contains the following updates:

Package: Pygments (changelog)
Change: ==2.7.2 -> ==2.15.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2021-27291

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

CVE-2021-20270

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

CVE-2022-40896

A ReDoS issue was discovered in pygments/lexers/smithy.py in Pygments until 2.15.0 via SmithyLexer.


Release Notes

pygments/pygments (Pygments)

v2.15.0

Compare Source

(released April 10th, 2023)

  • Added lexers:

  • Updated lexers:

    • AMDGPU: Add support for scratch_ instructions, the attr*.* argument,
      as well as the off modifier (#​2327).

    • APDL: Miscellaneous improvements (#​2314)

    • bash/tcsh:

    • Chapel: Support attributes (#​2376)

    • CMake: Implement bracket style comments (#​2338, #​2354)

    • CSS: Improve lexing of numbers inside function calls (#​2382, #​2383)

    • diff: Support normal diff syntax, as opposed to unified diff syntax (#​2321)

    • GLSL, HLSL:

      • Support line continuations in preprocessor code (#​2350)
      • Improve preprocessor directive handling (#​2357)
    • LilyPond: minor update of builtins

    • PHP: support attributes (#​2055, #​2347, #​2360), fix anonymous classes without
      parameters (#​2359), improve lexing of variable variable syntax (#​2358)

    • Python:

    • Rebol/Red: Don't require script headers (#​2348, #​2349)

    • Spice: Update keywords (#​2336)

    • SQL+Jinja (analyse_text method): Fix catastrophic backtracking (#​2355)

    • Terraform: Add hcl alias (#​2375)

  • Declare support for Python 3.11 and drop support for Python 3.6 (#​2324).

  • Update native style to improve contrast (#​2325).

  • Update `github-dark` style to match latest Primer style (#​2401)

  • Revert a change that made guessing lexers based on file names slower
    on Python 3.10 and older (#​2328).

  • Fix some places where a locale-dependent encoding could unintentionally
    be used instead of UTF-8 (#​2326).

  • Fix Python traceback handling (#​2226, #​2329).

  • Groff formatter: sort color definitions for reproducibility (#​2343)

  • Move project metadata to pyproject.toml, remove setup.py
    and setup.cfg (#​2342)

  • The top-level Makefile has been removed. Instead, all shortcuts
    for developing are now defined and run through tox. The doc folder
    still contains a Makefile as an alternative to tox -e doc.

v2.14.0

Compare Source

(released January 1st, 2023)

  • Added lexers:

  • Updated lexers:

    • Abap: Update keywords (#​2281)

    • Alloy: Update for Alloy 6 (#​1963)

    • C family (C, C++ and many others):

      • Fix an issue where a chunk would be wrongly recognized as a function
        definition due to braces in comments (#​2210)
      • Improve parentheses handling for function definitions (#​2207, #​2208)
    • C#: Fix number and operator recognition (#​2256, #​2257)

    • CSound: Updated builtins (#​2268)

    • F#: Add .fsx file extension (#​2282)

    • gas (GNU assembler): recognize braces as punctuation (#​2230)

    • HTTP: Add CONNECT keyword (#​2242)

    • Inform 6: Fix lexing of properties and doubles (#​2214)

    • INI: Allow comments that are not their own line (#​2217, #​2161)

    • Java properties: Fix issue with whitespace-delimited keys, support
      comments starting with ! and escapes, no longer support undocumented
      ; and // comments (#​2241)

    • LilyPond: Improve heuristics, add \maxima duration (#​2283)

    • LLVM: Add opaque pointer type (#​2269)

    • Macaulay2: Update keywords (#​2305)

    • Minecraft-related lexers (SNB and Minecraft function) moved to
      pygments.lexers.minecraft (#​2276)

    • Nim: General improvements (#​1970)

    • Nix: Fix single quotes inside indented strings (#​2289)

    • Objective J: Fix catastrophic backtracking (#​2225)

    • NASM: Add support for SSE/AVX/AVX-512 registers as well as 'rel'
      and 'abs' address operators (#​2212)

    • Powershell:

    • Solidity: Add boolean operators (#​2292)

    • Spice: Add enum keyword and fix a bug regarding binary,
      hexadecimal and octal number tokens (#​2227)

    • YAML: Accept colons in key names (#​2277)

  • Fix make mapfiles when Pygments is not installed in editable mode
    (#​2223)

  • Support more filetypes and compression types in autopygmentize (#​2219)

  • Merge consecutive tokens in Autohotkey, Clay (#​2248)

  • Add .nasm as a recognized file type for NASM (#​2280)

  • Add *Spec.hs as a recognized file type for HSpec (#​2308)

  • Add *.pyi (for typing stub files) as a recognized file type for
    Python (#​2231)

  • The HTML lexer no longer emits empty spans for whitespace (#​2304)

  • Fix IRCFormatter inserting linenumbers incorrectly (#​2270)

v2.13.0

Compare Source

(released August 15th, 2022)

  • Added lexers:

  • Updated lexers:

    • Ada: support Ada 2022 (#​2121); disable recognition of namespaces
      because it disturbs lexing of aspects (#​2125)
    • Agda: allow straight quotes in module names (#​2163)
    • C family (C, C++ and many others): allow comments between
      elements of function headers, e.g. between the arguments and
      the opening brace for the body (#​1891)
    • C++: Resolve several cases of Error tokens (#​2207, #​2208)
    • Coq: Add some common keywords, improve recognition of Set
      and qualified identifiers (#​2158)
    • F*: Allow C-style comments anywhere in a line
    • Fortran: Fix catastrophic backtracking with backslashes in strings
      (#​2194)
    • Go: add support for generics (#​2167)
    • Inform: Update for version 6.40 (#​2190)
    • Isabelle: recognize cartouches (#​2089)
    • Java: support multiline strings aka. text blocks (#​2132)
    • Kotlin: Add value modifier (#​2142)
    • LilyPond: Add some missing builtins
    • Macaulay2: Update builtins (#​2139)
    • Matlab session: fix traceback when a line continuation ellipsis
      appears in the output (#​2166)
    • .NET: Add aliases for LibreOffice Basic, OpenOfficeBasic and
      StarOffice Basic (#​2170)
    • Nim: Use Name.Builtin instead of Keyword.Type (#​2136)
    • PHP: fix "$var" inside strings (#​2105)
    • Python: only recognize \N, \u and \U escape sequences
      in string literals, but not in bytes literals where they are
      not supported (#​2204)
    • Tcl: support ${name} variables (#​2145)
    • Terraform: Accept leading whitespace for << heredoc
      delimiters (#​2162)
    • Teraterm: Various improvements (#​2165)
    • Spice: add support for the recently added features including more
      builtin functions and bin, oct, hex number formats (#​2206)
  • Added styles:

  • Pygments now tries to use the importlib.metadata module to
    discover plugins instead of the slower pkg_resources (#​2155). In
    particular, this largely speeds up the pygmentize script when
    the lexer is not specified.

    importlib.metadata is only available in the Python standard
    library since Python 3.8. For older versions, there exists an
    importlib_metadata backport on PyPI. For this reason, Pygments
    now defines a packaging extra plugins, which adds a requirement
    on importlib_metadata if the Python version is older than
    3.8. Thus, in order to install Pygments with optimal plugin
    support even for old Python versions, you should do:

    pip install pygments[plugins]

    Pygments still falls back on pkg_resources if neither
    importlib.metadata nor importlib_metadata is found, but it
    will be slower.

  • Silently ignore BrokenPipeError in the command-line interface
    (#​2193).

  • The HtmlFormatter now uses the linespans attribute for
    anchorlinenos if the lineanchors attribute is unset (#​2026).

  • The highlight, lex and format functions no longer
    wrongly report "argument must be a lexer/formatter instance, not a
    class" in some cases where this is not the actual problem (#​2123).

  • Fix warnings in doc build (#​2124).

  • The codetagify filter now recognizes FIXME tags by default (#​2150).

  • The pygmentize command now recognizes if the COLORTERM
    environment variable is set to a value indicating that true-color
    support is available. In that case, it uses the TerminalTrueColorFormatter
    by default (#​2160)

  • Remove redundant caches for filename patterns (#​2153)

  • Use new non-deprecated Pillow API for text bounding box in ImageFormatter
    (#​2198)

  • Remove default_style (#​930, #​2183)

  • Stop treating DeprecationWarnings as errors in the unit tests (#​2196)

v2.12.0

Compare Source

(released April 24th, 2022)

  • Added lexers:

  • Updated lexers:

    • Agda: Update keyword list (#​2017)

    • C family: Fix identifiers after case statements (#​2084)

    • Clojure: Highlight ratios (#​2042)

    • Csound: Update to 6.17 (#​2064)

    • CSS: Update the list of properties (#​2113)

    • Elpi:

    • Futhark: Add missing tokens (#​2118)

    • Gherkin: Add But (#​2046)

    • Inform6: Update to 6.36 (#​2050)

    • Jinja2: add .xxx.j2 and .xxx.jinja2 to relevant lexers
      (for xxx = html, xml, etc.) (#​2103)

    • JSON: Support C comments in JSON (#​2049). Note: This doesn't mean the JSON parser now supports JSONC or JSON5 proper, just that it doesn't error out when seeing a /* */ or // style comment. If you need proper comment handling, consider using the JavaScript lexer.

    • LilyPond:

      • Fix incorrect lexing of names containing a built-in (#​2071)
      • Fix properties containing dashes (#​2099)
    • PHP: Update builtin function and keyword list (#​2054, #​2056)

    • Python: highlight EncodingWarning (#​2106)

    • Savi: fix highlighting for underscore/private identifiers,
      add string interpolation (#​2102); fix nested type name highlighting
      (#​2110)

    • Scheme: Various improvements (#​2060)

    • Spice: Update the keyword list, add new types (#​2063, #​2067)

    • Terraform:

  • Add plugins argument to get_all_lexers().

  • Bump minimal Python version to 3.6 (#​2059)

  • Fix multiple lexers marking whitespace as Text (#​2025)

  • Remove various redundant uses of re.UNICODE (#​2058)

  • Associate .resource with the Robot framework (#​2047)

  • Associate .cljc with Clojure (#​2043)

  • Associate .tpp with C++ (#​2031)

  • Remove traces of Python 2 from the documentation (#​2039)

  • The native style was updated to meet the WCAG AAA contrast guidelines (#​2038)

  • Fix various typos (#​2030)

  • Fix Groff formatter not inheriting token styles correctly (#​2024)

  • Various improvements to the CI (#​2036)

  • The Ada lexer has been moved to a separate file (#​2117)

  • When linenos=table is used, the <table> itself is now wrapped with a <div class="highlight"> tag instead of placing it inside the <td class="code"> cell (#​632). With this change, the output matches the documented behavior.

.. note::

If you have subclassed HtmlFormatter.wrap, you may have to adjust the logic.

v2.11.2

Compare Source

(released January 6th, 2022)

  • Updated lexers:

  • Fix links to line numbers not working correctly (#​2014)

  • Remove underline from Whitespace style in the Tango theme (#​2020)

  • Fix IRC and Terminal256 formatters not backtracking correctly for custom token types, resulting in some unstyled tokens (#​1986)

v2.11.1

Compare Source

(released December 31st, 2021)

  • Updated lexers:

    • C-family: Handle return types with multiple tokens (e.g. unsigned int) (#​2008)
    • JSON: Fix a regression which caused whitespace before : to result in Error tokens (#​2010)
    • SPICE: Various improvements (#​2009)

v2.11.0

Compare Source

(released December 30th, 2021)

.. note::

All of the new styles unfortunately do not conform to WCAG recommendations.

  • There is new infrastructure in place to improve style accessibility. The default style has been updated to conform to WCAG recommendations. All styles are now checked for sufficient contrast by default to prevent regressions. (#​1919, #​1937, #​1938, #​1940)
  • Clean up unused imports (#​1887)
  • Fix multiple lexers producing repeated single-character tokens
  • Fix multiple lexers marking whitespace as Text (#​1237, #​1905, #​1908, #​1914, #​1911, #​1923, #​1939, #​1957, #​1978)
  • Remove duplicated assignments in the Paraiso style (#​1934)
  • pygmentize supports JSON output for the various list functions now, making it easier to consume them from scripts. (#​1437, #​1890)
  • Use the shell lexer for kshrc files (#​1947)
  • Use the ruby lexer for Vagrantfile files (#​1936)
  • Use the C lexer for .xbm and .xpm files (#​1802)
  • Add a groff formatter (#​1873)
  • Update documentation (#​1928)
  • Line anchors now link to themselves (#​1973)
  • Add official support for Python 3.10 (#​1917)
  • Fix several missing colors in dark styles: Gruvbox dark, Monokai, Rrt, Sas, Strata dark (#​1955)
  • Associate more file types with man pages
  • The HtmlFormatter can now emit tooltips for each token to ease debugging of lexers (#​1822)
  • Add f90 as an alias for fortran (#​2000)

v2.10.0

Compare Source

(released August 15th, 2021)

v2.9.0

Compare Source

(released May 3rd, 2021)

v2.8.1

Compare Source

v2.8.0

Compare Source

(released February 14, 2021)

  • Added lexers:

  • Updated lexers:

  • Added styles:

  • The pygmentize script now uses argparse, all options should work
    as before

  • Add pygmentize -C option to guess a lexer from content

  • With this release, Pygments moves to a new internal testing system (#​1649).
    See Contributing.md for details. The main advantage of this new change
    is a much better test coverage of all existing example lexers. It also makes
    it much easier to add new test snippets.

  • Make guessing prefer Python 3 lexer

  • Do not guess MIME or SQL without reason

  • Changed setuptools to use a declarative config through setup.cfg.
    Building Pygments now requires setuptools 39.2+.

  • Add markdown to MarkdownLexer aliases (#​1687)

  • Change line number handling

    • In <table> based output, the td.linenos element will have either a
      normal or special class attached. Previously, only special line
      numbers got a class. This prevents styles from getting applied twice -
      once via <pre>, once via <span class="special">. This also means
      that td.linenos pre is no longer styled, instead, use
      td.linenos .normal and td.linenos .special.
    • In the "inline" style, the DOM element order was changed. The line number
      is added first, then the line is wrapped by the highlighter.
      This fixes lines not being fully highlighted.
    • The visual output for inline and non-inline line numbers & highlighting,
      as well as class-based and inline styling is now consistent.
    • Line number styles are set to background-color: transparent and
      color: inherit by default. This works much better with dark styles
      which don't have colors set for line numbers.
  • Remove "raw" alias from RawTokenLexer, so that it cannot be
    selected by alias.

  • Fix RawTokenLexer to work in Python 3 and handle exceptions.

  • Add prompt colors to the Solarized theme (#​1529)

  • Image formatter supports background colors now (#​1374)

  • Add support for anchors in conjunction with inline line numbers (#​1591)

  • Modernize the codebase using pyupgrade (#​1622)

  • Add support for line numbers to the terminal256 formatter (#​1674, #​1653)

  • Improve analyze_text logic for ECL (#​1610)

  • Improve analyze_text logic for CBM Basic V2 (#​1607)

  • Improve LaTeX formatter (#​1708, #​1709)

v2.7.4

Compare Source

(released January 12, 2021)

  • Updated lexers:

  • Fix infinite loop in SML lexer (#​1625), CVE-2021-20270 (https://nvd.nist.gov/vuln/detail/CVE-2021-20270)

  • Fix backtracking string regexes in JavaScript/TypeScript, Modula2
    and many other lexers (#​1637), CVE-2021-27291 (https://nvd.nist.gov/vuln/detail/CVE-2021-27291)

  • Limit recursion with nesting Ruby heredocs (#​1638)

  • Fix a few inefficient regexes for guessing lexers

  • Fix the raw token lexer handling of Unicode (#​1616)

  • Revert a private API change in the HTML formatter (#​1655) --
    please note that private APIs remain subject to change!

  • Fix several exponential/cubic-complexity regexes found by
    Ben Caller/Doyensec (#​1675)

  • Fix incorrect MATLAB example (#​1582)

Thanks to Google's OSS-Fuzz project for finding many of these bugs.

v2.7.3

Compare Source

(released December 6, 2020)


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
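The three advisories at the top of this PR each give an affected range and the release that fixes it. The script below is added here and is not part of the PR or of Pygments: it checks a pinned requirement such as the PR's `==2.7.2` against those ranges and, optionally, the Pygments installed in the current interpreter (looked up through importlib.metadata). The lower bound for CVE-2022-40896 is an assumption, since the advisory only states "until 2.15.0".

```python
"""Check a pinned or installed Pygments version against the three CVEs
listed in this PR. Ranges come from the advisory text on the page; the
lower bound for CVE-2022-40896 is assumed (the advisory says "until 2.15.0")."""
import re
from importlib import metadata

# (CVE id, first affected version, first fixed version) per the PR's advisories.
ADVISORIES = [
    ("CVE-2021-27291", "1.1", "2.7.4"),   # ReDoS in many lexers, fixed in 2.7.4
    ("CVE-2021-20270", "1.5", "2.7.4"),   # SMLLexer infinite loop, 1.5 to 2.7.3
    ("CVE-2022-40896", "0", "2.15.0"),    # SmithyLexer ReDoS, lower bound assumed
]


def parse_version(text):
    """Turn '2.15.0', '2.7' or a pin such as '==2.7.2' into a comparable tuple.
    Any suffix after the numeric part is ignored; enough for Pygments' x.y.z scheme."""
    match = re.match(r"^\s*(?:==)?\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so (2, 7) compares as (2, 7, 0)


def affected_cves(version_text):
    """Return the CVE ids from ADVISORIES whose range contains the given version."""
    version = parse_version(version_text)
    return [cve for cve, first, fixed in ADVISORIES
            if parse_version(first) <= version < parse_version(fixed)]


def installed_pygments_cves():
    """Report (version, applicable CVEs) for the Pygments installed in this
    interpreter, or None when it is not installed."""
    try:
        version = metadata.version("Pygments")
    except metadata.PackageNotFoundError:
        return None
    return version, affected_cves(version)


if __name__ == "__main__":
    # The PR moves the pin from 2.7.2 to 2.15.0; show what each pin is exposed to.
    for pin in ("==2.7.2", "==2.7.4", "==2.15.0"):
        print(pin, "->", affected_cves(pin) or "no listed CVEs")
    found = installed_pygments_cves()
    print("installed:", found if found else "Pygments not installed")
```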
