⬆️ Updates Markdown to v3.8.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
Markdown (changelog)	==3.3.6 → ==3.8.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-69534

Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.

---

Release Notes

Python-Markdown/markdown (Markdown)

v3.8.1

Compare Source

Fixed

• Ensure incomplete markup declaration in raw HTML doesn't crash parser (#​1534).
• Fixed dropped content in md_in_html (#​1526).
• Fixed HTML handling corner case that prevented some content from not being rendered (#​1528).

v3.8

Compare Source

Changed

• DRY fix in abbr extension by introducing method create_element (#​1483).
• Clean up test directory by removing some redundant tests and port
  non-redundant cases to the newer test framework.
• Improved performance of the raw HTML post-processor (#​1510).

Fixed

• Backslash Unescape IDs set via attr_list on toc (#​1493).
• Ensure md_in_html processes content inside "markdown" blocks as they are
  parsed outside of "markdown" blocks to keep things more consistent for
  third-party extensions (#​1503).
• md_in_html handle tags within inline code blocks better (#​1075).
• md_in_html fix handling of one-liner block HTML handling (#​1074).
• Ensure <center> is treated like a block-level element (#​1481).
• Ensure that abbr extension respects AtomicString and does not process
  perceived abbreviations in these strings (#​1512).
• Ensure smarty extension correctly renders nested closing quotes (#​1514).

v3.7

Compare Source

Changed

Refactor abbr Extension

A new AbbrTreeprocessor has been introduced, which replaces the now deprecated
AbbrInlineProcessor. Abbreviation processing now happens after Attribute Lists,
avoiding a conflict between the two extensions (#​1460).

The AbbrPreprocessor class has been renamed to AbbrBlockprocessor, which
better reflects what it is. AbbrPreprocessor has been deprecated.

A call to Markdown.reset() now clears all previously defined abbreviations.

Abbreviations are now sorted by length before executing AbbrTreeprocessor
to ensure that multi-word abbreviations are implemented even if an abbreviation
exists for one of those component words. (#​1465)

Abbreviations without a definition are now ignored. This avoids applying
abbr tags to text without a title value.

Added an optional glossary configuration option to the abbreviations extension.
This provides a simple and efficient way to apply a dictionary of abbreviations
to every page.

Abbreviations can now be disabled by setting their definition to "" or ''.
This can be useful when using the glossary option.

Fixed

• Fixed links to source code on GitHub from the documentation (#​1453).

v3.6

Compare Source

Changed

Refactor TOC Sanitation

• All postprocessors are now run on heading content.
• Footnote references are now stripped from heading content. Fixes #​660.
• A more robust striptags is provided to convert headings to plain text.
  Unlike, the markupsafe implementation, HTML entities are not unescaped.
• The plain text name, rich html, and unescaped raw data-toc-label are
  saved to toc_tokens, allowing users to access the full rich text content of
  the headings directly from toc_tokens.
• The value of data-toc-label is sanitized separate from heading content
  before being written to name. This fixes a bug which allowed markup through
  in certain circumstances. To access the raw unsanitized data, retrieve the
  value from token['data-toc-label'] directly.
• An html.unescape call is made just prior to calling slugify so that
  slugify only operates on Unicode characters. Note that html.unescape is
  not run on name, html, or data-toc-label.
• The functions get_name and stashedHTML2text defined in the toc extension
  are both deprecated. Instead, third party extensions should use some
  combination of the new functions run_postprocessors, render_inner_html and
  striptags.

Fixed

• Include scripts/*.py in the generated source tarballs (#​1430).
• Ensure lines after heading in loose list are properly detabbed (#​1443).
• Give smarty tree processor higher priority than toc (#​1440).
• Permit carets (^) and square brackets (]) but explicitly exclude
  backslashes (\) from abbreviations (#​1444).
• In attribute lists (attr_list, fenced_code), quoted attribute values are
  now allowed to contain curly braces (}) (#​1414).

v3.5.2

Compare Source

Fixed

• Fix type annotations for convertFile - it accepts only bytes-based buffers.
  Also remove legacy checks from Python 2 (#​1400)
• Remove legacy import needed only in Python 2 (#​1403)
• Fix typo that left the attribute AdmonitionProcessor.content_indent unset
  (#​1404)
• Fix edge-case crash in InlineProcessor with AtomicString (#​1406).
• Fix edge-case crash in codehilite with an empty code tag (#​1405).
• Improve and expand type annotations in the code base (#​1401).
• Fix handling of bogus comments (#​1425).

v3.5.1

Compare Source

Fixed

• Fix a performance problem with HTML extraction where large HTML input could
  trigger quadratic line counting behavior (#​1392).
• Improve and expand type annotations in the code base (#​1394).

v3.5

Compare Source

v3.4.4

Compare Source

v3.4.3

Compare Source

v3.4.2

Compare Source

v3.4.1

Compare Source

v3.4

Compare Source

v3.3.7

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

---

• Branch has one or more failed status checks

[github-actions]

@check-spelling-bot Report

Unrecognized words, please review:

• adr
• akka
• alexrogalskiy
• allcontributors
• api
• arcver
• assing
• badgen
• BETTERCODE
• betterjavacode
• blogspot
• boopickle
• bootcamp
• brightgreen
• bugfixes
• buymeacoffee
• ceb
• codeready
• codesandbox
• codetriage
• committers
• configmaps
• debezium
• demystified
• dependabot
• devcases
• devfile
• dirtyreload
• DOI
• dreamix
• dropdown
• eab
• eap
• eisele
• embeddableinstantiator
• embeddables
• facebook
• fastai
• fastpages
• fastparse
• firsttimersonly
• flushmode
• forthebadge
• frapsoft
• freemarker
• FRP
• fthomas
• gerrit
• getquill
• GIFs
• gitbook
• gitflow
• githubbox
• gitpod
• GPLv
• Gradle
• grunwald
• guideslines
• gunnar
• Hashids
• Hasids
• helloworld
• hitsofcode
• hmil
• infoworld
• insidejava
• Instantiator
• IPhone
• istio
• janssen
• japgolly
• javacodegeeks
• javafx
• javamelody
• javaone
• JAVAPROG
• jboss
• jcliff
• jdbc
• jdk
• jextract
• jfr
• jfrunit
• johan
• jpa
• JRE
• jsonignore
• jsp
• jsparty
• julienrf
• Jupyter
• kubernetes
• latestdoi
• LETSTALK
• letstalkaboutjava
• LGPL
• LGPLv
• lihaoyi
• liskov
• logfile
• mades
• makeapullrequest
• markdownguide
• markus
• matryoshka
• mcve
• mega
• microservices
• milessabin
• mirrorring
• mkdocs
• modelviewculture
• monix
• mtl
• mutationquery
• namespaces
• nestjs
• Netflix
• newreleases
• nullables
• nvie
• objectmappers
• odl
• openapi
• opengraph
• opentelemetry
• osslifecycle
• oyanglul
• pagespeedresultmobile
• pasteable
• patreon
• paypal
• PITMP
• plumbr
• podcast
• precog
• pufler
• pypa
• quarkus
• quicklens
• RANDOMTHOUGHTS
• randomthoughtsonjavaprogramming
• rce
• reactify
• readthedocs
• reddit
• renovatebot
• reporoster
• repostatus
• resteasy
• rfm
• Rogalskiy
• rogalsky
• rubyonrails
• runtimes
• scalacss
• scalafiddle
• scalafmt
• scalajs
• scalameta
• scalanlp
• scalastyle
• scalaz
• scm
• seeyoufarm
• selectionquery
• softwaremill
• sourcegraph
• spamming
• splunk
• sql
• squants
• squbs
• sscce
• stakeholders
• starchart
• sttp
• stylegu
• suggestig
• suzaku
• thejavaprogrammer
• thorben
• tilda
• tokei
• trufoj
• tsb
• tsbleo
• tscojc
• tscqlg
• tsd
• tsdllr
• typelevel
• udash
• upickle
• urt
• ussue
• violoate
• vos
• wget
• wildfly
• wix
• workspaces
• zenodo
• zgc
• zio

Previously acknowledged words that are now absent

acl activesupport adaoraul addons aeiou AFile afterall Alexey alfredxing algolia allowfullscreen Anatoliy andreyvit Ankit Anning apps appveyor arengu args ariejan arounds asciinema asdf ashmaroli attr Autobuild autocompletion autogenerated Autolink autoload autoreconf autosave awood awscli backport backtick barcamp baseurl bashrc baz bbatsov bdimcheff bellvat benbalter Beney binstubs bip bitbucket Blogger blogging bonafide Bou breadcrumbs briandoll bridgetown bridgetownrb brightbox brighterplanet buddyworks Bugfix Burela byparker cachegrind calavera callgraphs cartera cavalle CDNs cgi changefreq chango charset Chayoung chcp chdir Cheatsheet Checkoway chmod chown Chrononaut chruby cibuild cimg circleci CJK classname cloudcannon Cloudinary cloudsh CLT CODEOWNERS coderay codeslinger coffeescript colorator commandline commonmark compat compatibilize concat configyml contentblocks CORS Cov CRLFs cron crontab cruft css csv Currin CVE CWD cygwin daringfireball Dassonville datafiles datetime DCEU Debian debuggability defunkt delegators deployer deps dest Devkit devops digitalocean dirs disqus ditaa dnf doclist doctype doeorg dommmel dotfile Dousse downcase downcased duckduckgo duritong Dusseau dysinger ecf editorconfig eduardoboucas Elasticsearch elsif Emacs emails endcapture endcomment endfor endhighlight endif endraw endrender endtablerow Enumerables EOL erb errordocument Espinaco eugenebolshakov evaled exe execjs extensionpack extname exts favicon Fengyun ffi figcaption filesystem Finazzo firstimage FIXME flakey flickr fnmatch fontello forloop formcake formcarry formester formingo formkeep formspark formspree formx Forwardable frameborder freenode frontend frontmatter fsnotify ftp fullstory Gaudino gcc gcnovus gemfile gemset gemspec getform getset getsimpleform gettalong gfm ghp ghpages giraffeacademy githubcom gitignore gitlab gjtorikian globbed globbing google gotcha Goulven gridism GSo gsub gsubbing Hakiri hardcode hashbang hashmap helaili henrik heredoc heroku highlighter hilighting Hoizey hostman hostname htaccess htm htmlproofer httpd httpdocs hyperlinks Iaa ial ico icomoon iconset ified iframe Impl Inlining invokables irc ivey ize jalali jameshamann jamstackthemes jan Jax jayferd jcon jdoe jeffreytse jeffrydegrande Jekpack jekyllbot jekyllconf Jekyllers Jekyllin Jekylling jekyllized jekylllayoutconcept jekyllrb jekyllthemes jemoji jmcglone jneen johnreilly jpg jqr jruby jsonify juretta jwarby Kacper Kasberg kbd Kentico Kewin keycdn kickster Kinnula kiwifruit Kolesky konklone kontent Kotvinsky kramdown Kulig Kwokfu Lamprecht laquo lastmod launchctl launchy laurilehmijoki ldquo learnxinyminutes lexer LGTM libcurl libffi lightgray limjh linenos linkify linux liufengyun livereload localheinz localtime Locher loglevel Losslessly lovin lsi lsquo lstrip lyche macos macromates mademistakes Manmeet markdownify Maroli Marsceill maruku mathjax mathml mattr Maximiliano mchung mdash memberspace Memoize memoized memoizing mentoring mergable Mertcan mertkahyaoglu microdata mimetype mingw minibundle minifier minitest Mittal mixin mkasberg mkd mkdir mkdn mkdown mmistakes modernizr mojombo moncefbelyamani moz mreid msdn mswin MSYS mtime multiline munging Mvvm myblog mycontent mydata mydoc myimage mypage myposts myproject myrepo mysite myvalue myvar myvariable Nadjib nakanishi namespace namespaced navbar nbsp nearlyfreespeech nethack netlify netlifycms Neue nginx ngx nielsenramon nior noifniof nokogiri notextile onclick onebox oneclick onschedule openssl Optim orderofinterpretation orgs OSVDB osx packagecontrol pacman paginator pandoc pantulis params parkr parseable paspagon passthrough pathawks Pathutil paywall pdf Pelykh permalink PHP pinboard Piwigo pjhyett pkill pkpass placeholders planetjekyll plantuml plugin podcasts popen Porcel Posterous postfiles postlayout postmodern prefetching preinstalled prepends Prioritise Probot projectlist pubstorm pufuwozu pwa pwd pygments qrush Quaid rackup Rakefile razorops rbenv rdiscount rdoc rdquo realz rebund redcarpet redcloth redgreen refactor Refheap regen regex regexp remi reqs Responsify revertable rfc rfelix RHEL ridk roadmap rowspan rspec rsquo rstrip rsync rtomayko Rubo rubocop rubychan rubygem rubyinstaller rubyprof Ruparelia Rusiczki rvm ryanflorence saas samplelist samrayner sandboxed Sassc sassify schemastore Schroers Schwartzian scp scrollbar scroller scss scssify sdk SDKROOT sectore seo serverless setenv SFTP shingo shopify shortlog shoulda sieversii sigpipe simplecov Singhaniya siteleaf sitemap SITENAME Slicehost slugified slugify smartforms smartify snipcart somedir sonnym Sonomy sourced sourcemaps spam spotify ssg ssh SSL staticfiles staticman statictastic STDERR stdout Stickyposts strftime stringified Stringify stylesheet subdir subdomain subfolder subfolderitems subnav subpages subpath subpiece subsubfolderitems subthing subvalues subwidget sudo superdirectories superdirs SUSE sverrirs svn swfobject swupd symlink symlinking tablerow tada Taillandier talkyard tbody technicalpickles templating templatize Termux textilize textpattern thead therubyracer Theunissen Thornquest thoughtbot throughs Tidelift timeago timezone titleize TLS tmm tmp toc tok tomjoht toml tomo toolset toshimaru triaged triaging truncatewords tsv ttf Tudou Tumblr Tweetsert txtpen Tyborska tzinfo ubuntu uby ujh ultron undumpable unencode Unescape unescaping unicode uniq upcase uppercasing uri urlset username usr utf utils utime vanpelt Vasovi vendored vercel versioned vertycal Veyor vilcans Vishesh visualstudio vnd vohedge vps vscode vwochnik Walkthroughs wdm We'd webfont webhook webhosting webmentions webrick weekdate whitelist whitelisting wikipedia wildcards willcodeforfoo woff wordpress Workaround wsl xcode xcrun xdg Xhmikos xhtml Xiaoiver XMinutes xmlns xmlschema yajl Yarp Yashu Yastreb Youku youtube yunbox zeropadding Zlatan zlib zoneinfo zpinter Zsh zshrc zypper zzot

To accept these unrecognized words as correct (and remove the previously acknowledged and now absent words), run the following commands

... in a clone of the git@github.com:AlexRogalskiy/java-patterns.git repository
on the renovate/pypi-markdown-vulnerability branch:

update_files() {
perl -e '
my @expect_files=qw('".github/actions/spelling/expect.txt"');
@ARGV=@expect_files;
my @stale=qw('"$patch_remove"');
my $re=join "|", @stale;
my $suffix=".".time();
my $previous="";
sub maybe_unlink { unlink($_[0]) if $_[0]; }
while (<>) {
if ($ARGV ne $old_argv) { maybe_unlink($previous); $previous="$ARGV$suffix"; rename($ARGV, $previous); open(ARGV_OUT, ">$ARGV"); select(ARGV_OUT); $old_argv = $ARGV; }
next if /^(?:$re)(?:(?:\r|\n)*$| .*)/; print;
}; maybe_unlink($previous);'
perl -e '
my $new_expect_file=".github/actions/spelling/expect.txt";
use File::Path qw(make_path);
use File::Basename qw(dirname);
make_path (dirname($new_expect_file));
open FILE, q{<}, $new_expect_file; chomp(my @words = <FILE>); close FILE;
my @add=qw('"$patch_add"');
my %items; @items{@words} = @words x (1); @items{@add} = @add x (1);
@words = sort {lc($a)."-".$a cmp lc($b)."-".$b} keys %items;
open FILE, q{>}, $new_expect_file; for my $word (@words) { print FILE "$word\n" if $word =~ /\w/; };
close FILE;
system("git", "add", $new_expect_file);
'
}

comment_json=$(mktemp)
curl -L -s -S \
  --header "Content-Type: application/json" \
  "https://api.github.com/repos/AlexRogalskiy/java-patterns/issues/comments/4138325964" > "$comment_json"
comment_body=$(mktemp)
jq -r .body < "$comment_json" > $comment_body
rm $comment_json

patch_remove=$(perl -ne 'next unless s{^</summary>(.*)</details>$}{$1}; print' < "$comment_body")
  

patch_add=$(perl -e '$/=undef;
$_=<>;
s{<details>.*}{}s;
s{^#.*}{};
s{\n##.*}{};
s{(?:^|\n)\s*\*}{}g;
s{\s+}{ }g;
print' < "$comment_body")
  
update_files
rm $comment_body
git add -u

If you see a bunch of garbage

If it relates to a ...

well-formed pattern

See if there's a pattern that would match it.

If not, try writing one and adding it to the patterns.txt file.

Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.

Note that patterns can't match multiline strings.

binary-ish string

Please add a file path to the excludes.txt file instead of just accepting the garbage.

File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.

^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).