⬆️ Updates pymdown-extensions to v10 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pymdown-extensions	==9.4 → ==10.16.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-32309

Summary

Arbitrary file read when using include file syntax.

Details

By using the syntax --8<--"/etc/passwd" or --8<--"/proc/self/environ" the content of these files will be rendered in the generated documentation. Additionally, a path relative to a specified, allowed base path can also be used to render the content of a file outside the specified base paths: --8<-- "../../../../etc/passwd".

Within the Snippets extension, there exists a base_path option but the implementation is vulnerable to Directory Traversal.
The vulnerable section exists in get_snippet_path(self, path) lines 155 to 174 in snippets.py.

base = "docs"
path = "/etc/passwd"
filename = os.path.join(base,path) # Filename is now /etc/passwd

PoC

import markdown

payload = "--8<-- \"/etc/passwd\""
html = markdown.markdown(payload, extensions=['pymdownx.snippets'])

print(html)

Impact

Any readable file on the host where the plugin is executing may have its content exposed. This can impact any use of Snippets that exposes the use of Snippets to external users.

It is never recommended to use Snippets to process user-facing, dynamic content. It is designed to process known content on the backend under the control of the host, but if someone were to accidentally enable it for user-facing content, undesired information could be exposed.

Suggestion

Specified snippets should be restricted to the configured, specified base paths as a safe default. Allowing relative or absolute paths that escape the specified base paths would need to be behind a feature switch that must be opt-in and would be at the developer's own risk.

CVE-2025-68142

Impact

This issue describes a ReDOS bug found within the figure caption extension (pymdownx.blocks.caption ).

In systems that take unchecked user content, this could cause long hangs when processing the data if a malicious payload was crafted.

Patches

This issue is patched in Release 10.16.1.

Workarounds

Some possible workarounds

If users are concerned about this vulnerability and process unknown user content without timeouts or other safeguards in place to prevent really large, malicious content being aimed at systems, the use of pymdownx.blocks.caption could be avoided until the library is updated to 10.16.1+.

References

The original issue https://github.com/facelessuser/pymdown-extensions/issues/2716.

Description

The original issue came through PyMdown Extensions' normal issue tracker instead of the typical security flow: https://github.com/facelessuser/pymdown-extensions/issues/2716. Because this came through the normal issue flow, it was handled as a normal issue. In the future, PyMdown Extensions will ensure such issues, even if prematurely made public through the normal issue flow, are redirected through the typical security process.

The regular expression pattern in question is as follows:

RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:.[1-9][0-9]*)*)(?= |$)')

The POC was provided by @​ShangzhiXu

import re
import time

regex_pattern = re.compile(r'^(\^)?([1-9][0-9]*(?:.[1-9][0-9]*)*)(?= |$)')

for i in range(50, 500, 50):
    long_string = '1' * i + 'a'
    start_time = time.time()
    match = re.match(regex_pattern, long_string)
    end_time = time.time()
    print(f"long_string execution time: {end_time - start_time:.6f} s")

The issue with the above pattern is that . was used, which accepts any character when we meant to use \.. The fix was to update the pattern to:

RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:\.[1-9][0-9]*)*)(?= |$)')

Relevant PR with fix: https://github.com/facelessuser/pymdown-extensions/pull/2717

Version(s) & System Info

• Operating System: Any
• Python Version: Any

---

Release Notes

facelessuser/pymdown-extensions (pymdown-extensions)

v10.16.1: 10.6.1

Compare Source

10.16.1

• FIX: Inefficient regular expression pattern for figure caption numbers.

v10.16

Compare Source

10.16

• NEW: Add early support for Python 3.14.
• NEW: Drop support for Python 3.8.
• NEW: Snippets: Added max_retries and backoff_retries options to configure new retry logic for HTTP 429
  errors (Too Many Requests client error).
• NEW: Caption: Prefix templates are now preserved exactly as specified allowing the insertion of HTML tags if
  desired.
• FIX: Caption: Fix issue where manual numbers in auto were not respected appropriately.

v10.15

Compare Source

10.15.0

• NEW: SuperFences: Add relaxed_headers option which can tolerate bad content in the fenced code header. When
  enabled, code blocks with bad content in the header will likely still convert into code blocks, often respecting
  the specified language.
• NEW: Add type hints to the Blocks interface and a few additional files.
• FIX: Blocks: Fix some corner cases of nested blocks with lists.
• FIX: Tab and Tabbed: Fix a case where tabs could fail if combine_header_slug was enabled and there was no
  header.

v10.14.3

Compare Source

10.14.3

• FIX: Blocks: An empty, raw block type should not cause an error.

v10.14.2

Compare Source

10.14.2

• FIX: Blocks: Fix some corner cases with md_in_html.

v10.14.1

Compare Source

10.14.1

• FIX: MagicLink: Ensure that repo names that start with . are handled correctly.
• FIX: FancyLists: Fix case were lists could be falsely created when a line started with . or ).

v10.14

Compare Source

10.14

• NEW: Blocks.HTML: Add new custom option to specify tags and the assumed handling for them when automatic mode
  is assumed. This can also be used to override the handling for recognized tags with automatic handling.
• FIX: Fix tests to pass with Pygments 2.19+.

v10.13

Compare Source

10.13

• NEW: Snippets: Allow multiple line numbers or line number blocks separated by ,.
• NEW: Snippets: Allow using a negative index for number start indexes and end indexes. Negative indexes are converted to positive indexes based on the number of lines in the snippet.
• FIX: Snippets: Properly capture empty newline at end of file.
• FIX: Snippets: Fix issue where when non sections of files are included, section labels are not stripped.
• FIX: BetterEm: Fixes for complex cases.
• FIX: Blocks: More consistent handling of empty newlines in block processor extensions.

v10.12

Compare Source

10.12

• NEW: Blocks: Blocks extensions no longer considered in beta.
• NEW: Details: Details is marked as "legacy" in documentation in favor of the new pymdownx.blocks.details approach.
• NEW: Tabbed: Tabbed is marked as "legacy" in documentation in favor of the new pymdownx.blocks.tab approach.
• NEW: Caption: Add new "blocks" style extension called Caption which helps with specifying figures with captions.
• NEW: Emoji: Add a new strict option that will raise an exception if an emoji is used whose name has changed,
  removed, or never existed.
• FIX: Emoji: Emoji links should be generated such that they point to the new CDN version.

v10.11.2

Compare Source

10.11.2

• FIX: SuperFences: Fix a regression where certain patterns could cause a hang.

v10.11.1

Compare Source

10.11.1

• Fix: SuperFences: Fix regression where an omitted language in conjunction with options in the fenced header
  can cause a fence to not be parsed.

v10.11

Compare Source

10.11

• NEW: SuperFences: Allow fenced code to be parsed in the form ```lang {.class #id}.

v10.10.2

Compare Source

10.10.2

• FIX: BetterEm: Add better support for *em, **em,strong*** and _em, __em,strong___ cases.
• FIX: Caret: Add better support for *sup, **sup,ins***.
• FIX: Tilde: Add better support for *sub, **sub,del***.

v10.10.1

Compare Source

10.10.1

• FIX: FancyLists: Remove a mistaken semicolon from injected classes.

v10.10

Compare Source

10.10

• NEW: FancyLists: Add new FancyLists extension.
• NEW: MagicLink: Change social links to support x instead of twitter. twitter is still recognized but is
  now deprecated and will be removed at a future time.
• NEW: Emoji: Update Twemoji data to the latest.
• FIX: PathConverter: Fixes for latest changes in Python regarding urlunparse.

v10.9

Compare Source

10.9

• NEW: Officially support Python 3.13.
• FIX: Snippets: Better handling of cases where URL snippet requests contain no header length.

v10.8.1

Compare Source

10.8.1

• FIX: Snippets: Fix snippet line range with a start of line 1.

v10.8

Compare Source

10.8

• NEW: Require Python Markdown 3.6+.
• FIX: Fix some test cases.
• FIX: Fix warnings due to recent changes in Python Markdown.

v10.7.1

Compare Source

10.7.1

• FIX: SmartSymbols: Ensure symbols are properly translated in table of content tokens.

v10.7

Compare Source

10.7

• NEW: Emoji: Update Twemoji and Gemoji data to latest.
• NEW: Emoji: Due to recent Gemoji update, non-standard emoji are no longer indexed. So emoji such as :octocat:
  are no longer resolved.
• NEW: Highlight: Added new option default_lang which will cause code blocks with no language specifier to be
  highlighted with the specified default language instead of plain text. This affects indented code blocks and code
  blocks defined with SuperFences.
• NEW: InlineHilite: style_plain_text can be specified with a language string (in addition to its previous
  boolean requirement) to treat inline code blocks with no explicit language specifier with a specific default
  language.

v10.6

Compare Source

10.6

• NEW: MagicLink: Allow configuring custom repository providers based off the existing providers.

v10.5

Compare Source

10.5

• NEW: Blocks: Admonitions and Details now allow configuring custom block classes and default titles.
• FIX: Keys: Ensure that Keys does not parse base64 encoded URLs.

v10.4

Compare Source

10.4

• NEW: Snippets: Allow PathLike objects for base_path to better support interactions with MkDocs.
• FIX: Block Admonitions: Empty titles should be respected.
• FIX: Block Details: Empty summary should be respected.

v10.3.1

Compare Source

10.3.1

• FIX: SuperFences: Fix an issue where braces were not handled properly in attributes.

v10.3

Compare Source

10.3

• NEW: Officially support Python 3.12.
• NEW: Drop Python 3.7 support.

v10.2.1

Compare Source

10.2.1

• FIX: Tabbed: Fix regression.

v10.2

Compare Source

10.2

• NEW: Highlight: Add new stripnl option to configure Pygments' default handling of stripping leading and
  and trailing new lines from code blocks. Mainly affects fenced code blocks.
• FIX: SuperFences: Fix issue where when SuperFences attempts to test if a placeholder is its own, it can throw
  an exception.

v10.1

Compare Source

v10.0.1

Compare Source

10.0.1

• FIX: Regression related to snippets nested deeply under specified base path.

v10.0

Compare Source

10.0

• Break: Snippets: snippets will restrict snippets to ensure they are under the base_path preventing snippets
  relative to the base_path but not explicitly under it. restrict_base_path can be set to False for legacy
  behavior.

v9.11

Compare Source

9.11

• NEW: Emoji: Update to new CDN and use Twemoji 14.1.2.
• NEW: Snippets: Ignore nested snippet section syntax when including a section.

v9.10

Compare Source

9.10

• NEW: Blocks: Add new experimental general purpose blocks that provide a framework for creating fenced block
  containers for specialized parsing. A number of extensions utilizing general purpose blocks are included and are meant
  to be an alternative to (and maybe one day replace): Admonitions, Details, Definition Lists, and Tabbed. Also adds a
  new HTML plugin for quick wrapping of content with arbitrary HTML elements.
• NEW: Highlight: When enabling line spans and/or line anchors, if a code block has an ID associated with it, line
  ids will be generated using that code ID instead of the code block count.
• NEW: Snippets: Expand section syntax to allow section names with - and _.
• NEW: Snippets: When check_paths is enabled, and a specified section is not found, raise an error.
• NEW: Snippets: Add new experimental feature dedent_sections that will de-indent (remove any common leading
  whitespace from every line in text) from that block of text.
• NEW: MagicLink: Update GitLab links to match recent changes and to be more correct.
• NEW: MagicLink: Relax required hash length when performing link shortening.

v9.9.2

Compare Source

9.9.2

• FIX: Snippets syntax can break in XML comments as XML comments do not allow --. Relax Snippets syntax such that
  -8<- (single -) are allowed.

v9.9.1

Compare Source

9.9.1

• FIX: Use a different CDN for Twemoji icons as MaxCDN is no longer available.

v9.9

Compare Source

9.9

• ENHANCE: BetterEm: Further improvements to strong/emphasis handling:
  • Ensure that one or more consecutive * or _ surrounded by whitespace are not considered as a token.
• ENHANCE: Caret: Apply recent BetterEm improvements to Caret:
  • Fix case where ^^ nested between ^ would be handled in an unexpected way.
  • Ensure that one or more consecutive ^ surrounded by whitespace are not considered as a token.
• ENHANCE: Tilde: Apply recent BetterEm improvements to Tilde:
  • Fix case where ~~ nested between ~ would be handled in an unexpected way.
  • Ensure that one or more consecutive ~ surrounded by whitespace are not considered a token.
• ENHANCE: Mark: Apply recent BetterEm improvements to Mark:
  • Ensure that one or more consecutive = surrounded by whitespace are not considered a token.

v9.8

Compare Source

9.8

• NEW: Formally declare support for Python 3.11.
• FIX: BetterEm: Fix case where ** nested between * would be handled in an unexpected way.

v9.7

Compare Source

9.7

• NEW: Tabbed: Add new syntax to allow forcing a specific tab to be selected by default.
• NEW: Snippets: Add a new option to pass arbitrary HTTP headers.
• NEW: Snippets: Allow specifying sections in a snippet and including just the specified section.

v9.6

Compare Source

9.6

• NEW: Highlight: Allow greater granularity of specifying where language guessing takes place via guess_lang
  option (e.g. block vs inline).
• NEW: Tabbed: Add options for generating tab IDs from tab titles.
• NEW: Snippets: Add support for specifying specific lines for Snippets.
• NEW: Snippets: Commenting out files in block format no longer requires a space directly after ;.
• NEW: Snippets: A new sane way to escape snippets is now available.

v9.5

Compare Source

9.5

• NEW: InlineHilite: Custom inline code block formatters can now be forced to raise an exception by raising a
  InlineHiliteException.
• NEW: Snippets: Add new options to handle importing snippets from URL.
• NEW: Snippets: Snippets will only swallow missing file errors (unless check_paths is enabled), all other errors
  will be propagated up.
• NEW: Snippets: When a file or URL is missing, raise SnippetMissingError instead of IOError.
• FIX: Snippets: Small issues related to recursive inclusion of snippets.

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

@check-spelling-bot Report

Unrecognized words, please review:

• adr
• akka
• alexrogalskiy
• allcontributors
• api
• arcver
• assing
• badgen
• BETTERCODE
• betterjavacode
• blogspot
• boopickle
• bootcamp
• brightgreen
• bugfixes
• buymeacoffee
• ceb
• codeready
• codesandbox
• codetriage
• committers
• configmaps
• debezium
• demystified
• dependabot
• devcases
• devfile
• dirtyreload
• DOI
• dreamix
• dropdown
• eab
• eap
• eisele
• embeddableinstantiator
• embeddables
• facebook
• fastai
• fastpages
• fastparse
• firsttimersonly
• flushmode
• forthebadge
• frapsoft
• freemarker
• FRP
• fthomas
• gerrit
• getquill
• GIFs
• gitbook
• gitflow
• githubbox
• gitpod
• GPLv
• Gradle
• grunwald
• guideslines
• gunnar
• Hashids
• Hasids
• helloworld
• hitsofcode
• hmil
• infoworld
• insidejava
• Instantiator
• IPhone
• istio
• janssen
• japgolly
• javacodegeeks
• javafx
• javamelody
• javaone
• JAVAPROG
• jboss
• jcliff
• jdbc
• jdk
• jextract
• jfr
• jfrunit
• johan
• jpa
• JRE
• jsonignore
• jsp
• jsparty
• julienrf
• Jupyter
• kubernetes
• latestdoi
• LETSTALK
• letstalkaboutjava
• LGPL
• LGPLv
• lihaoyi
• liskov
• logfile
• mades
• makeapullrequest
• markdownguide
• markus
• matryoshka
• mcve
• mega
• microservices
• milessabin
• mirrorring
• mkdocs
• modelviewculture
• monix
• mtl
• mutationquery
• namespaces
• nestjs
• Netflix
• newreleases
• nullables
• nvie
• objectmappers
• odl
• openapi
• opengraph
• opentelemetry
• osslifecycle
• oyanglul
• pagespeedresultmobile
• pasteable
• patreon
• paypal
• PITMP
• plumbr
• podcast
• precog
• pufler
• pypa
• quarkus
• quicklens
• RANDOMTHOUGHTS
• randomthoughtsonjavaprogramming
• rce
• reactify
• readthedocs
• reddit
• renovatebot
• reporoster
• repostatus
• resteasy
• rfm
• Rogalskiy
• rogalsky
• rubyonrails
• runtimes
• scalacss
• scalafiddle
• scalafmt
• scalajs
• scalameta
• scalanlp
• scalastyle
• scalaz
• scm
• seeyoufarm
• selectionquery
• softwaremill
• sourcegraph
• spamming
• splunk
• sql
• squants
• squbs
• sscce
• stakeholders
• starchart
• sttp
• stylegu
• suggestig
• suzaku
• thejavaprogrammer
• thorben
• tilda
• tokei
• trufoj
• tsb
• tsbleo
• tscojc
• tscqlg
• tsd
• tsdllr
• typelevel
• udash
• upickle
• urt
• ussue
• violoate
• vos
• wget
• wildfly
• wix
• workspaces
• zenodo
• zgc
• zio

Previously acknowledged words that are now absent

acl activesupport adaoraul addons aeiou AFile afterall Alexey alfredxing algolia allowfullscreen Anatoliy andreyvit Ankit Anning apps appveyor arengu args ariejan arounds asciinema asdf ashmaroli attr Autobuild autocompletion autogenerated Autolink autoload autoreconf autosave awood awscli backport backtick barcamp baseurl bashrc baz bbatsov bdimcheff bellvat benbalter Beney binstubs bip bitbucket Blogger blogging bonafide Bou breadcrumbs briandoll bridgetown bridgetownrb brightbox brighterplanet buddyworks Bugfix Burela byparker cachegrind calavera callgraphs cartera cavalle CDNs cgi changefreq chango charset Chayoung chcp chdir Cheatsheet Checkoway chmod chown Chrononaut chruby cibuild cimg circleci CJK classname cloudcannon Cloudinary cloudsh CLT CODEOWNERS coderay codeslinger coffeescript colorator commandline commonmark compat compatibilize concat configyml contentblocks CORS Cov CRLFs cron crontab cruft css csv Currin CVE CWD cygwin daringfireball Dassonville datafiles datetime DCEU Debian debuggability defunkt delegators deployer deps dest Devkit devops digitalocean dirs disqus ditaa dnf doclist doctype doeorg dommmel dotfile Dousse downcase downcased duckduckgo duritong Dusseau dysinger ecf editorconfig eduardoboucas Elasticsearch elsif Emacs emails endcapture endcomment endfor endhighlight endif endraw endrender endtablerow Enumerables EOL erb errordocument Espinaco eugenebolshakov evaled exe execjs extensionpack extname exts favicon Fengyun ffi figcaption filesystem Finazzo firstimage FIXME flakey flickr fnmatch fontello forloop formcake formcarry formester formingo formkeep formspark formspree formx Forwardable frameborder freenode frontend frontmatter fsnotify ftp fullstory Gaudino gcc gcnovus gemfile gemset gemspec getform getset getsimpleform gettalong gfm ghp ghpages giraffeacademy githubcom gitignore gitlab gjtorikian globbed globbing google gotcha Goulven gridism GSo gsub gsubbing Hakiri hardcode hashbang hashmap helaili henrik heredoc heroku highlighter hilighting Hoizey hostman hostname htaccess htm htmlproofer httpd httpdocs hyperlinks Iaa ial ico icomoon iconset ified iframe Impl Inlining invokables irc ivey ize jalali jameshamann jamstackthemes jan Jax jayferd jcon jdoe jeffreytse jeffrydegrande Jekpack jekyllbot jekyllconf Jekyllers Jekyllin Jekylling jekyllized jekylllayoutconcept jekyllrb jekyllthemes jemoji jmcglone jneen johnreilly jpg jqr jruby jsonify juretta jwarby Kacper Kasberg kbd Kentico Kewin keycdn kickster Kinnula kiwifruit Kolesky konklone kontent Kotvinsky kramdown Kulig Kwokfu Lamprecht laquo lastmod launchctl launchy laurilehmijoki ldquo learnxinyminutes lexer LGTM libcurl libffi lightgray limjh linenos linkify linux liufengyun livereload localheinz localtime Locher loglevel Losslessly lovin lsi lsquo lstrip lyche macos macromates mademistakes Manmeet markdownify Maroli Marsceill maruku mathjax mathml mattr Maximiliano mchung mdash memberspace Memoize memoized memoizing mentoring mergable Mertcan mertkahyaoglu microdata mimetype mingw minibundle minifier minitest Mittal mixin mkasberg mkd mkdir mkdn mkdown mmistakes modernizr mojombo moncefbelyamani moz mreid msdn mswin MSYS mtime multiline munging Mvvm myblog mycontent mydata mydoc myimage mypage myposts myproject myrepo mysite myvalue myvar myvariable Nadjib nakanishi namespace namespaced navbar nbsp nearlyfreespeech nethack netlify netlifycms Neue nginx ngx nielsenramon nior noifniof nokogiri notextile onclick onebox oneclick onschedule openssl Optim orderofinterpretation orgs OSVDB osx packagecontrol pacman paginator pandoc pantulis params parkr parseable paspagon passthrough pathawks Pathutil paywall pdf Pelykh permalink PHP pinboard Piwigo pjhyett pkill pkpass placeholders planetjekyll plantuml plugin podcasts popen Porcel Posterous postfiles postlayout postmodern prefetching preinstalled prepends Prioritise Probot projectlist pubstorm pufuwozu pwa pwd pygments qrush Quaid rackup Rakefile razorops rbenv rdiscount rdoc rdquo realz rebund redcarpet redcloth redgreen refactor Refheap regen regex regexp remi reqs Responsify revertable rfc rfelix RHEL ridk roadmap rowspan rspec rsquo rstrip rsync rtomayko Rubo rubocop rubychan rubygem rubyinstaller rubyprof Ruparelia Rusiczki rvm ryanflorence saas samplelist samrayner sandboxed Sassc sassify schemastore Schroers Schwartzian scp scrollbar scroller scss scssify sdk SDKROOT sectore seo serverless setenv SFTP shingo shopify shortlog shoulda sieversii sigpipe simplecov Singhaniya siteleaf sitemap SITENAME Slicehost slugified slugify smartforms smartify snipcart somedir sonnym Sonomy sourced sourcemaps spam spotify ssg ssh SSL staticfiles staticman statictastic STDERR stdout Stickyposts strftime stringified Stringify stylesheet subdir subdomain subfolder subfolderitems subnav subpages subpath subpiece subsubfolderitems subthing subvalues subwidget sudo superdirectories superdirs SUSE sverrirs svn swfobject swupd symlink symlinking tablerow tada Taillandier talkyard tbody technicalpickles templating templatize Termux textilize textpattern thead therubyracer Theunissen Thornquest thoughtbot throughs Tidelift timeago timezone titleize TLS tmm tmp toc tok tomjoht toml tomo toolset toshimaru triaged triaging truncatewords tsv ttf Tudou Tumblr Tweetsert txtpen Tyborska tzinfo ubuntu uby ujh ultron undumpable unencode Unescape unescaping unicode uniq upcase uppercasing uri urlset username usr utf utils utime vanpelt Vasovi vendored vercel versioned vertycal Veyor vilcans Vishesh visualstudio vnd vohedge vps vscode vwochnik Walkthroughs wdm We'd webfont webhook webhosting webmentions webrick weekdate whitelist whitelisting wikipedia wildcards willcodeforfoo woff wordpress Workaround wsl xcode xcrun xdg Xhmikos xhtml Xiaoiver XMinutes xmlns xmlschema yajl Yarp Yashu Yastreb Youku youtube yunbox zeropadding Zlatan zlib zoneinfo zpinter Zsh zshrc zypper zzot

To accept these unrecognized words as correct (and remove the previously acknowledged and now absent words), run the following commands

... in a clone of the git@github.com:AlexRogalskiy/java-patterns.git repository
on the renovate/pypi-pymdown-extensions-vulnerability branch:

update_files() {
perl -e '
my @expect_files=qw('".github/actions/spelling/expect.txt"');
@ARGV=@expect_files;
my @stale=qw('"$patch_remove"');
my $re=join "|", @stale;
my $suffix=".".time();
my $previous="";
sub maybe_unlink { unlink($_[0]) if $_[0]; }
while (<>) {
if ($ARGV ne $old_argv) { maybe_unlink($previous); $previous="$ARGV$suffix"; rename($ARGV, $previous); open(ARGV_OUT, ">$ARGV"); select(ARGV_OUT); $old_argv = $ARGV; }
next if /^(?:$re)(?:(?:\r|\n)*$| .*)/; print;
}; maybe_unlink($previous);'
perl -e '
my $new_expect_file=".github/actions/spelling/expect.txt";
use File::Path qw(make_path);
use File::Basename qw(dirname);
make_path (dirname($new_expect_file));
open FILE, q{<}, $new_expect_file; chomp(my @words = <FILE>); close FILE;
my @add=qw('"$patch_add"');
my %items; @items{@words} = @words x (1); @items{@add} = @add x (1);
@words = sort {lc($a)."-".$a cmp lc($b)."-".$b} keys %items;
open FILE, q{>}, $new_expect_file; for my $word (@words) { print FILE "$word\n" if $word =~ /\w/; };
close FILE;
system("git", "add", $new_expect_file);
'
}

comment_json=$(mktemp)
curl -L -s -S \
  --header "Content-Type: application/json" \
  "https://api.github.com/repos/AlexRogalskiy/java-patterns/issues/comments/4136805315" > "$comment_json"
comment_body=$(mktemp)
jq -r .body < "$comment_json" > $comment_body
rm $comment_json

patch_remove=$(perl -ne 'next unless s{^</summary>(.*)</details>$}{$1}; print' < "$comment_body")
  

patch_add=$(perl -e '$/=undef;
$_=<>;
s{<details>.*}{}s;
s{^#.*}{};
s{\n##.*}{};
s{(?:^|\n)\s*\*}{}g;
s{\s+}{ }g;
print' < "$comment_body")
  
update_files
rm $comment_body
git add -u

If you see a bunch of garbage

If it relates to a ...

well-formed pattern

See if there's a pattern that would match it.

If not, try writing one and adding it to the patterns.txt file.

Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.

Note that patterns can't match multiline strings.

binary-ish string

Please add a file path to the excludes.txt file instead of just accepting the garbage.

File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.

^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).

[github-actions]

Scan Summary

Tool	Critical	High	Medium	Low	Status
Dependency Scan (universal)	2	12	14	0	❌
Security Audit for Infrastructure	14	92	8	32	❌
Kotlin Security Audit	0	0	0	0	✅
Kotlin Static Analysis	0	0	0	0	✅
Python Source Analyzer	0	0	0	0	✅
Secrets Audit	0	4	0	0	❌
Shell Script Analysis	0	0	0	195	✅

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍