Skip to content

0.17.0

Compare
Choose a tag to compare
@kivikakk kivikakk released this 28 Mar 01:15
· 468 commits to main since this release

What's Changed

This contains some breaking changes from an API point of view, but output is largely unchanged. Spec compliance is improved, and benchmark runtime is over 20% faster.

  • SECURITY: GHSA-8hqf-xjwp-p67v / Quadratic runtime when parsing Markdown (GHSL-2023-047)
    • A variety of quadratic runtime issues that could lead to DoS were reported and addressed.
    • We replaced pest with an re2c-based scanner.
  • SECURITY: GHSA-xxmq-4vph-956w / Excessive output when parsing Markdown (GHSL-2023-048)
    • Reference output is limited to 100Kb.
  • SECURITY: GHSA-5r3x-p7xx-x6q5 / Attacker controlled data in AST nodes is not validated (GHSL-2023-049)
    • AST nodes no longer store raw Vec<u8>s, and instead store Strings.
  • Various API points were cleaned up.
  • Comrak now targets Rust 2018.
  • Add footnote attributes that mirror cmark-gfm by @digitalmoksha in #273
  • Add support for full_info_string render option by @digitalmoksha in #276
  • chore: improve debug performance by @conradludgate in #283

Many thanks to @philipturnbull and @darakian of the GitHub Security Lab for bringing these issues to my attention and detailing the reproduction steps for each case.

New Contributors

Full Changelog: 0.16.0...0.17.0