🚨 [security] Update markdown-it 14.1.1 → 14.2.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ markdown-it (14.1.1 → 14.2.0) · Repo · Changelog

Security Advisories 🚨

🚨 markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations

Summary

A quadratic time complexity vulnerability exists in markdown-it's smartquotes rule (enabled via the typographer: true option). An attacker can craft a markdown input consisting of consecutive quotation marks that causes the parser to consume excessive CPU time, leading to denial of service.

Details

The vulnerability is in the replaceAt() helper function used by the smartquotes rule in lib/rules_core/smartquotes.mjs:

function replaceAt (str, index, ch) {
  return str.slice(0, index) + ch + str.slice(index + 1)
}

When markdown-it processes a text token containing many quotation marks (either " or ') with typographer: true, the smartquotes rule iterates through each quote character and calls replaceAt() to substitute it with a typographic (curly) quote. Each call to replaceAt() creates three new string slices and concatenates them, which is an O(n) operation where n is the length of the string.

Since this is called once per quote character in the token, and there are n quote characters, the total time complexity becomes O(n^2).

The root cause is that the smartquotes rule modifies token.content in place using string slicing rather than building the result incrementally. The process_inlines() function (line 14) processes each quote in the text token, and for matching quote pairs, calls replaceAt() on both the opening and closing token's content (lines 151-152). When the entire input is a single text token of quote characters, this results in quadratic behavior.

PoC

const md = require('markdown-it');
const instance = md({ typographer: true });
// 160,000 consecutive double-quote characters

const payload = '"'.repeat(160000);
console.time('render');

instance.render(payload);

console.timeEnd('render');

// Output: render: ~21000ms (21 seconds)
// Compare with typographer disabled:

const safe = md({ typographer: false });

console.time('render-safe');

safe.render(payload);

console.timeEnd('render-safe');

// Output: render-safe: ~8ms

Measured timing on a modern system:

• 10,000 quotes: ~19ms
• 20,000 quotes: ~51ms
• 40,000 quotes: ~212ms
• 80,000 quotes: ~5,430ms
• 160,000 quotes: ~21,198ms

The scaling is clearly superlinear (quadratic), with the 80K->160K step showing a ~3.9x increase for a 2x input increase, consistent with O(n^2).

Impact

Applications that render user-supplied markdown with typographer: true are vulnerable to denial of service. An attacker can submit a relatively small payload (160KB of quote characters) that causes the server to spend over 21 seconds processing a single request. Repeated submissions can exhaust server CPU resources and prevent legitimate users from being served.

The impact is mitigated by the fact that the typographer option defaults to false and must be explicitly enabled. However, the typographer feature is commonly enabled in production applications that want smart typography, and the markdown-it documentation prominently suggests enabling it.

A suggested fix would be to replace the replaceAt() approach with an array-based or StringBuilder-style approach that collects all replacements and applies them in a single pass, reducing the time complexity to O(n).

Release Notes

14.2.0 (from changelog)

Added

• isPunctCharCode to utilities.

Fixed

• Don't end HTML comment blocks on a blank line, #1155.
• Properly recognize astral chars (surrogates) in delimiter scans for emphasis-like markers, #1072. Big thanks to @tats-u for his global efforts with improving CJK support.
• Preserve unicode whitespaces when trimm headings/paragraphs, #1074.
• More strict entities decode to avoid false positives ;, #1096.
• Restore block parser state on fail in lheading rule, #1131.

Security

• Fixed poor smartquotes perfomance on > 70k quotes in single block
• Bumped linkify-it to 5.0.1 with fixed potential perfomance issues.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 22 commits:

• 14.2.0 released
• Fix smartquotes perfomance
• linkify-it bump
• fix: don't end HTML comment blocks on a blank line (#1155)
• Readme cleanup
• Update funding info
• Changelog update
• isPunctChar => isPunctCharCode
• fix: always reset parentType in lheading rule (#1131)
• Polish PRs #1072, #1074
• Recognize supplementary (non-BMP) punctuations & symbols (#1072)
• Don't trim non-ASCII whitespaces (#1074)
• Use cross-env to run test (#1075)
• fix 'Plugins load' section of README (#1077)
• Do not process `&`-entities that don't end in `;` (#1096)
• Fix typo in MarkdownIt.set() documentation (#1120)
• Ignore unreachable lines in modern Node in c8 (#1073)
• Fix link to safety doc after renaming (#1150)
• Fix pathological tracker sig
• Update CI config
• Rename to avoid global security config override
• Use org's .github defaults

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[sonarqubecloud]

Quality Gate failed

Failed conditions
8 Security Hotspots
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE