Skip to content

[stable-8] Bump league/commonmark from 2.8.0 to 2.8.2#4581

Merged
dartcafe merged 2 commits into
stable-8from
dependabot/composer/stable-8/league/commonmark-2.8.2
Apr 9, 2026
Merged

[stable-8] Bump league/commonmark from 2.8.0 to 2.8.2#4581
dartcafe merged 2 commits into
stable-8from
dependabot/composer/stable-8/league/commonmark-2.8.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 8, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps league/commonmark from 2.8.0 to 2.8.2.

Release notes

Sourced from league/commonmark's releases.

2.8.2

This is a security release to address an issue where the allowed_domains setting for the Embed extension can be bypassed, resulting in a possible SSRF and XSS vulnerabilities.

Fixed

  • Fixed DomainFilteringAdapter hostname boundary bypass where domains like youtube.com.evil could match an allowlist entry for youtube.com (GHSA-hh8v-hgvp-g3f5)

Full Changelog: thephpleague/commonmark@2.8.1...2.8.2

2.8.1

What's Changed

This is a security release to address an issue where DisallowedRawHtml can be bypassed, resulting in a possible cross-site scripting (XSS) vulnerability.

Fixed

  • Fixed DisallowedRawHtmlRenderer not blocking raw HTML tags with trailing ASCII whitespace (GHSA-4v6x-c7xx-hw9f)
  • Fixed PHP 8.5 deprecation (#1107)

New Contributors

Full Changelog: thephpleague/commonmark@2.8.0...2.8.1

Changelog

Sourced from league/commonmark's changelog.

[2.8.2] - 2026-03-19

This is a security release to address an issue where the allowed_domains setting for the Embed extension can be bypassed, resulting in a possible SSRF and XSS vulnerabilities.

Fixed

  • Fixed DomainFilteringAdapter hostname boundary bypass where domains like youtube.com.evil could match an allowlist entry for youtube.com (GHSA-hh8v-hgvp-g3f5)

[2.8.1] - 2026-03-05

This is a security release to address an issue where DisallowedRawHtml can be bypassed, resulting in a possible cross-site scripting (XSS) vulnerability.

Fixed

  • Fixed DisallowedRawHtmlRenderer not blocking raw HTML tags with trailing ASCII whitespace (GHSA-4v6x-c7xx-hw9f)
  • Fixed PHP 8.5 deprecation (#1107)
Commits
  • 59fb075 Fix DomainFilteringAdapter hostname boundary bypass
  • 74b4487 Document dangers of enabling an unsafe php.ini setting
  • 84b1ca4 Almost forgot this entry
  • bcf54f5 Merge commit from fork
  • 7a68ed1 Prepare to release 2.8.1
  • 5c0c4c8 Fix DisallowedRawHtml bypass via newline/tab in tag names
  • f6e7443 Add regression test
  • 0719b67 Merge pull request #1107 from freost/fix-php85-deprecation-error
  • 63ff2e0 Fix PHP 8.5 deprecation
  • 8608e9c Merge pull request #1106 from Kocal/patch-1
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update Php code labels Apr 8, 2026
@dartcafe

dartcafe commented Apr 9, 2026

Copy link
Copy Markdown
Collaborator

@dependabot recreate

@dependabot
[stable-8] Bump league/commonmark from 2.8.0 to 2.8.2
e1b9425 
Bumps [league/commonmark](https://github.com/thephpleague/commonmark) from 2.8.0 to 2.8.2.
- [Release notes](https://github.com/thephpleague/commonmark/releases)
- [Changelog](https://github.com/thephpleague/commonmark/blob/2.8/CHANGELOG.md)
- [Commits](thephpleague/commonmark@2.8.0...2.8.2)

---
updated-dependencies:
- dependency-name: league/commonmark
  dependency-version: 2.8.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/composer/stable-8/league/commonmark-2.8.2 branch from a9d95a7 to e1b9425 Compare April 9, 2026 05:48
@dartcafe dartcafe merged commit 62d1565 into stable-8 Apr 9, 2026
49 checks passed
@dependabot dependabot Bot deleted the dependabot/composer/stable-8/league/commonmark-2.8.2 branch April 9, 2026 08:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file php Pull requests that update Php code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dartcafe