chore: bump up katex version to v0.16.21 [SECURITY] (#9771)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [katex](https://katex.org) ([source](https://redirect.github.com/KaTeX/KaTeX)) | [`0.16.20` -> `0.16.21`](https://renovatebot.com/diffs/npm/katex/0.16.20/0.16.21) | [![age](https://developer.mend.io/api/mc/badges/age/npm/katex/0.16.21?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/katex/0.16.21?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/katex/0.16.20/0.16.21?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/katex/0.16.20/0.16.21?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-23207](https://redirect.github.com/KaTeX/KaTeX/security/advisories/GHSA-cg87-wmx4-v546)

### Impact
KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generate invalid HTML.

### Patches
Upgrade to KaTeX v0.16.21 to remove this vulnerability.

### Workarounds
- Avoid use of or turn off the `trust` option, or set it to forbid `\htmlData` commands.
- Forbid inputs containing the substring `"\\htmlData"`.
- Sanitize HTML output from KaTeX.

### Details
`\htmlData` did not validate its attribute name argument, allowing it to generate invalid or malicious HTML that runs scripts.

### For more information
If you have any questions or comments about this advisory:

- Open an issue or security advisory in the [KaTeX repository](https://redirect.github.com/KaTeX/KaTeX/)
- Email us at [katex-security@mit.edu](mailto:katex-security@mit.edu)

---

### Release Notes

<details>
<summary>KaTeX/KaTeX (katex)</summary>

### [`v0.16.21`](https://redirect.github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01621-2025-01-17)

[Compare Source](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.20...v0.16.21)

##### Bug Fixes

-   escape \htmlData attribute name ([57914ad](https://redirect.github.com/KaTeX/KaTeX/commit/57914ad91eff401357f44bf364b136d37eba04f8))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xMDcuMCIsInVwZGF0ZWRJblZlciI6IjM5LjEwNy4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->
This commit is contained in:
renovate
2025-01-18 08:18:04 +00:00
parent 95c0f59d96
commit 59611fa002
+3 -3
View File
@@ -24939,13 +24939,13 @@ __metadata:
linkType: hard
"katex@npm:^0.16.0, katex@npm:^0.16.11":
version: 0.16.20
resolution: "katex@npm:0.16.20"
version: 0.16.21
resolution: "katex@npm:0.16.21"
dependencies:
commander: "npm:^8.3.0"
bin:
katex: cli.js
checksum: 10/b4af75daf20e070694947a49fa7aeb3eca63effc00027b1a57c4e1085df1e90d29bfb06974661caa450717292897acbb5267f7655b463964d14cb74ad7cbb32f
checksum: 10/db1094c528972ffb881c64969e87cbca465d21f918f4dad8bfe583f68e1bd601438eda3d79e8d74bc7ccc14e7b76616a9053bb21945749a30a73bc68f20e721b
languageName: node
linkType: hard