Bump comrak from 0.16.0 to 0.17.1

[dependabot[bot]]

Bumps comrak from 0.16.0 to 0.17.1.

Release notes

Sourced from comrak's releases.

0.17.1

What's Changed

• Fix some panics found by trivial fuzzing.

Full Changelog: https://github.com/kivikakk/comrak/compare/0.17.0...0.17.1

0.17.0

What's Changed

This contains some breaking changes from an API point of view, but output is largely unchanged. Spec compliance is improved, and benchmark runtime is over 20% faster.

• SECURITY: GHSA-8hqf-xjwp-p67v / Quadratic runtime when parsing Markdown (GHSL-2023-047)
  • A variety of quadratic runtime issues that could lead to DoS were reported and addressed.
  • We replaced pest with an re2c-based scanner.
• SECURITY: GHSA-xxmq-4vph-956w / Excessive output when parsing Markdown (GHSL-2023-048)
  • Reference output is limited to 100Kb.
• SECURITY: GHSA-5r3x-p7xx-x6q5 / Attacker controlled data in AST nodes is not validated (GHSL-2023-049)
  • AST nodes no longer store raw Vec<u8>s, and instead store Strings.
• Various API points were cleaned up.
• Comrak now targets Rust 2018.
• Add footnote attributes that mirror cmark-gfm by @​digitalmoksha in kivikakk/comrak#273
• Add support for full_info_string render option by @​digitalmoksha in kivikakk/comrak#276
• chore: improve debug performance by @​conradludgate in kivikakk/comrak#283

Many thanks to @​philipturnbull and @​darakian of the GitHub Security Lab for bringing these issues to my attention and detailing the reproduction steps for each case.

New Contributors

• @​digitalmoksha made their first contribution in kivikakk/comrak#273
• @​conradludgate made their first contribution in kivikakk/comrak#283

Full Changelog: https://github.com/kivikakk/comrak/compare/0.16.0...0.17.0

Changelog

Sourced from comrak's changelog.

0.17.1

• Fix some panics found by trivial fuzzing.

Missed from the 0.17.0 changelog:

• Add footnote attributes that mirror cmark-gfm by @​digitalmoksha in kivikakk/comrak#273
• Add support for full_info_string render option by @​digitalmoksha in kivikakk/comrak#276
• chore: improve debug performance by @​conradludgate in kivikakk/comrak#283

0.17.0

This contains some breaking changes from an API point of view, but output is largely unchanged. Spec compliance is improved, and benchmark runtime is over 20% faster.

• SECURITY: GHSA-8hqf-xjwp-p67v / Quadratic runtime when parsing Markdown (GHSL-2023-047)
  • https://github.com/kivikakk/comrak/security/advisories/GHSA-8hqf-xjwp-p67v
  • A variety of quadratic runtime issues that could lead to DoS were reported and addressed.
  • We replaced pest with an re2c-based scanner.
• SECURITY: GHSA-xxmq-4vph-956w / Excessive output when parsing Markdown (GHSL-2023-048)
  • https://github.com/kivikakk/comrak/security/advisories/GHSA-xxmq-4vph-956w
  • Reference output is limited to 100Kb.
• SECURITY: GHSA-5r3x-p7xx-x6q5 / Attacker controlled data in AST nodes is not validated (GHSL-2023-049)
  • https://github.com/kivikakk/comrak/security/advisories/GHSA-5r3x-p7xx-x6q5
  • AST nodes no longer store raw Vec<u8>s, and instead store Strings.
• Various API points were cleaned up.
• Comrak now targets Rust 2018.

Many thanks to @​philipturnbull and @​darakian of the GitHub Security Lab for bringing these issues to my attention and detailing the reproduction steps for each case.

Commits

• 2771eb4 0.17.1
• 1e05b8c Cargo.toml: update tempfile, drop remove_dir_all
• 5837332 Merge pull request #287 from kivikakk/fuzzing
• 76e9cef fuzz: fuzz with all options, and also fuzz a variety of options
• a86f667 scanners: special care required with EOF match
• 3c45d59 inlines: use peek_char_n here
• 59a312b fuzz: start with one case
• 0ce75b1 README: update "other libraries"
• 60f0949 README, COPYING, etc.
• 9b7759c changelog: three missed attributions
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)