This repository has been archived by the owner on Oct 23, 2024. It is now read-only.
chore(deps): update dependency pygments to v2.15.0 [security] #3360
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==2.7.2
->==2.15.0
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2021-27291
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
CVE-2021-20270
An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
CVE-2022-40896
A ReDoS issue was discovered in
pygments/lexers/smithy.py
in Pygments until 2.15.0 via SmithyLexer.Release Notes
pygments/pygments (Pygments)
v2.15.0
Compare Source
(released April 10th, 2023)
Added lexers:
Updated lexers:
AMDGPU: Add support for
scratch_
instructions, theattr*.*
argument,as well as the
off
modifier (#2327).APDL: Miscellaneous improvements (#2314)
bash/tcsh:
break
to keywords (#2377)Chapel: Support attributes (#2376)
CMake: Implement bracket style comments (#2338, #2354)
CSS: Improve lexing of numbers inside function calls (#2382, #2383)
diff: Support normal diff syntax, as opposed to unified diff syntax (#2321)
GLSL, HLSL:
LilyPond: minor update of builtins
PHP: support attributes (#2055, #2347, #2360), fix anonymous classes without
parameters (#2359), improve lexing of variable variable syntax (#2358)
Python:
None
(#2406)Rebol/Red: Don't require script headers (#2348, #2349)
Spice: Update keywords (#2336)
SQL+Jinja (
analyse_text
method): Fix catastrophic backtracking (#2355)Terraform: Add
hcl
alias (#2375)Declare support for Python 3.11 and drop support for Python 3.6 (#2324).
Update
native
style to improve contrast (#2325).Update `github-dark`` style to match latest Primer style (#2401)
Revert a change that made guessing lexers based on file names slower
on Python 3.10 and older (#2328).
Fix some places where a locale-dependent encoding could unintentionally
be used instead of UTF-8 (#2326).
Fix Python traceback handling (#2226, #2329).
Groff formatter: sort color definitions for reproducibility (#2343)
Move project metadata to
pyproject.toml
, removesetup.py
and
setup.cfg
(#2342)The top-level
Makefile
has been removed. Instead, all shortcutsfor developing are now defined and run through tox. The
doc
folderstill contains a
Makefile
as an alternative totox -e doc
.v2.14.0
Compare Source
(released January 1st, 2023)
Added lexers:
Updated lexers:
Abap: Update keywords (#2281)
Alloy: Update for Alloy 6 (#1963)
C family (C, C++ and many others):
definition due to braces in comments (#2210)
C#: Fix number and operator recognition (#2256, #2257)
CSound: Updated builtins (#2268)
F#: Add
.fsx
file extension (#2282)gas (GNU assembler): recognize braces as punctuation (#2230)
HTTP: Add
CONNECT
keyword (#2242)Inform 6: Fix lexing of properties and doubles (#2214)
INI: Allow comments that are not their own line (#2217, #2161)
Java properties: Fix issue with whitespace-delimited keys, support
comments starting with
!
and escapes, no longer support undocumented;
and//
comments (#2241)LilyPond: Improve heuristics, add
\maxima
duration (#2283)LLVM: Add opaque pointer type (#2269)
Macaulay2: Update keywords (#2305)
Minecraft-related lexers (SNB and Minecraft function) moved to
pygments.lexers.minecraft
(#2276)Nim: General improvements (#1970)
Nix: Fix single quotes inside indented strings (#2289)
Objective J: Fix catastrophic backtracking (#2225)
NASM: Add support for SSE/AVX/AVX-512 registers as well as 'rel'
and 'abs' address operators (#2212)
Powershell:
local:
keyword (#2254)Solidity: Add boolean operators (#2292)
Spice: Add
enum
keyword and fix a bug regarding binary,hexadecimal and octal number tokens (#2227)
YAML: Accept colons in key names (#2277)
Fix
make mapfiles
when Pygments is not installed in editable mode(#2223)
Support more filetypes and compression types in
autopygmentize
(#2219)Merge consecutive tokens in Autohotkey, Clay (#2248)
Add
.nasm
as a recognized file type for NASM (#2280)Add
*Spec.hs
as a recognized file type forHSpec
(#2308)Add
*.pyi
(for typing stub files) as a recognized file type forPython (#2231)
The HTML lexer no longer emits empty spans for whitespace (#2304)
Fix
IRCFormatter
inserting linenumbers incorrectly (#2270)v2.13.0
Compare Source
(released August 15th, 2022)
Added lexers:
Updated lexers:
because it disturbs lexing of aspects (#2125)
elements of function headers, e.g. between the arguments and
the opening brace for the body (#1891)
Error
tokens (#2207, #2208)Set
and qualified identifiers (#2158)
(#2194)
value
modifier (#2142)appears in the output (#2166)
StarOffice Basic (#2170)
Name.Builtin
instead ofKeyword.Type
(#2136)\"$var\"
inside strings (#2105)\N
,\u
and\U
escape sequencesin string literals, but not in bytes literals where they are
not supported (#2204)
${name}
variables (#2145)<<
heredocdelimiters (#2162)
builtin functions and bin, oct, hex number formats (#2206)
Added styles:
nord
andnord-darker
; #2189, #1799, #1678)Pygments now tries to use the
importlib.metadata
module todiscover plugins instead of the slower
pkg_resources
(#2155). Inparticular, this largely speeds up the
pygmentize
script whenthe lexer is not specified.
importlib.metadata
is only available in the Python standardlibrary since Python 3.8. For older versions, there exists an
importlib_metadata
backport on PyPI. For this reason, Pygmentsnow defines a packaging extra
plugins
, which adds a requirementon
importlib_metadata
if the Python version is older than3.8. Thus, in order to install Pygments with optimal plugin
support even for old Python versions, you should do::
pip install pygments[plugins]
Pygments still falls back on
pkg_resources
if neitherimportlib.metadata
norimportlib_metadata
is found, but itwill be slower.
Silently ignore
BrokenPipeError
in the command-line interface(#2193).
The
HtmlFormatter
now uses thelinespans
attribute foranchorlinenos
if thelineanchors
attribute is unset (#2026).The
highlight
,lex
andformat
functions no longerwrongly report "argument must be a lexer/formatter instance, not a
class" in some cases where this is not the actual problem (#2123).
Fix warnings in doc build (#2124).
The
codetagify
filter now recognizesFIXME
tags by default (#2150).The
pygmentize
command now recognizes if theCOLORTERM
environment variable is set to a value indicating that true-color
support is available. In that case, it uses the
TerminalTrueColorFormatter
by default (#2160)
Remove redundant caches for filename patterns (#2153)
Use new non-deprecated Pillow API for text bounding box in
ImageFormatter
(#2198)
Remove
default_style
(#930, #2183)Stop treating
DeprecationWarnings
as errors in the unit tests (#2196)v2.12.0
Compare Source
(released April 24th, 2022)
Added lexers:
UnixConfigLexer
for "colon-separated" config files, like/etc/passwd
(#2112)Updated lexers:
Agda: Update keyword list (#2017)
C family: Fix identifiers after
case
statements (#2084)Clojure: Highlight ratios (#2042)
Csound: Update to 6.17 (#2064)
CSS: Update the list of properties (#2113)
Elpi:
->
(#2028)Futhark: Add missing tokens (#2118)
Gherkin: Add
But
(#2046)Inform6: Update to 6.36 (#2050)
Jinja2: add
.xxx.j2
and.xxx.jinja2
to relevant lexers(for
xxx
=html
,xml
, etc.) (#2103)JSON: Support C comments in JSON (#2049). Note: This doesn't mean the JSON parser now supports JSONC or JSON5 proper, just that it doesn't error out when seeing a
/* */
or//
style comment. If you need proper comment handling, consider using theJavaScript
lexer.LilyPond:
PHP: Update builtin function and keyword list (#2054, #2056)
Python: highlight
EncodingWarning
(#2106)Savi: fix highlighting for underscore/private identifiers,
add string interpolation (#2102); fix nested type name highlighting
(#2110)
Scheme: Various improvements (#2060)
Spice: Update the keyword list, add new types (#2063, #2067)
Terraform:
Add
plugins
argument toget_all_lexers()
.Bump minimal Python version to 3.6 (#2059)
Fix multiple lexers marking whitespace as
Text
(#2025)Remove various redundant uses of
re.UNICODE
(#2058)Associate
.resource
with the Robot framework (#2047)Associate
.cljc
with Clojure (#2043)Associate
.tpp
with C++ (#2031)Remove traces of Python 2 from the documentation (#2039)
The
native
style was updated to meet the WCAG AAA contrast guidelines (#2038)Fix various typos (#2030)
Fix
Groff
formatter not inheriting token styles correctly (#2024)Various improvements to the CI (#2036)
The Ada lexer has been moved to a separate file (#2117)
When
linenos=table
is used, the<table>
itself is now wrapped with a<div class="highlight">
tag instead of placing it inside the<td class="code">
cell (#632.) With this change, the output matches the documented behavior... note::
If you have subclassed
HtmlFormatter.wrap
, you may have to adjust the logic.v2.11.2
Compare Source
(released January 6th, 2022)
Updated lexers:
record
keywords result inError
tokens in some cases (#2016, #2018)Fix links to line numbers not working correctly (#2014)
Remove
underline
fromWhitespace
style in theTango
theme (#2020)Fix
IRC
andTerminal256
formatters not backtracking correctly for custom token types, resulting in some unstyled tokens (#1986)v2.11.1
Compare Source
(released December 31st, 2021)
Updated lexers:
unsigned int
) (#2008):
to result inError
tokens (#2010)v2.11.0
Compare Source
(released December 30th, 2021)
Added lexers:
.SRCINFO
(#1951)Updated lexers:
ABNF: Allow one-character rules (#1804)
Assembly: Fix incorrect token endings (#1895, #1961)
Bibtex: Distinguish between
comment
andcommentary
(#1899, #1806)C family: Support unicode identifiers (#1848)
CDDL: Fix slow lexing speed (#1959)
Debian control: Add missing fields (#1946)
Devicetree: Recognize hexadecimal addresses for nodes (#1949)
GDScript: Add
void
data type (#1948)GSQL
HTML, XML: Improve comment handling (#1896)
Java: Add
yield
(#1941) and sealed classes/record (#1902)Makefiles (#1860, #1898)
objdump-nasm: Improve handling of
--no-show-raw-insn
dumps (#1981)Prolog: Support escaped
\
inside quoted strings (#1479)Python:
~
in tracebacks (#2004)RobotFramework: Improve empty brace handling (#1921, #1922)
Terraform
Added styles:
LilyPond
language... note::
All of the new styles unfortunately do not conform to WCAG recommendations.
Text
(#1237, #1905, #1908, #1914, #1911, #1923, #1939, #1957, #1978)pygmentize
supports JSON output for the various list functions now, making it easier to consume them from scripts. (#1437, #1890)shell
lexer forkshrc
files (#1947)ruby
lexer forVagrantfile
files (#1936).xbm
and.xpm
files (#1802)groff
formatter (#1873)man
pagesHtmlFormatter
can now emit tooltips for each token to ease debugging of lexers (#1822)f90
as an alias forfortran
(#2000)v2.10.0
Compare Source
(released August 15th, 2021)
Added lexers:
Updated lexers:
C-family: Fix preprocessor token issues (#1830)
C# (#1573, #1869)
CSound (#1837)
Fennel (#1862)
JavaScript (#1741, #1814)
LLVM (#1824)
Python (#1852)
Rust
Scala: Add support for the
\
operator (#1857)Swift (#1767, #1842)
Tcl: Allow
,
and@
in strings (#1834, #1742)TOML (#1870, #1872)
Fix assert statements in TNT lexer.
Token types across all lexers have been unified (using the most common token
type name) (#1816, #1819)
Improve Jasmin min score analysis (#1619)
Add new alias for Go files (#1827)
Fix multi-line console highlighting (#1833)
Add a new trivial lexer which outputs everything as
Text.Generic.Output
(#1835, #1836)Use the
.ini
lexer forsystemd
files (#1849)Fix a
FutureWarning
related towords()
(#1854)pwsh
is now recognized as an alias for PowerShell (#1876)v2.9.0
Compare Source
(released May 3rd, 2021)
Added lexers:
Updated lexers:
:
(#1682, #1758)Add Pango formatter (#1727)
Autopygmentize uses
file
first instead ofpygments -N
(#1786)Fix links (#1716)
Fix issue with LaTeX formatter and
minted
(#1734, #1735, #1736, #1737)Improve alias order (#1780)
Improve line number colors (#1779, #1778)
Fix CTag related issue (#1724)
Recognize
.leex
as Elixir templatesFix incorrect variable being accessed (#1748)
Updated
filename
handling in HTML formatter iflinenos='table'
(#1757)<td>
holding thecode, but outside the
<pre>
. This would invariably break the alignmentwith line numbers.
filename
is specified, a separate<tr>
is emitted before thetable content which contains a single
<th>
withcolspan=2
so itspans both the line number and code columns. The filename is still
within
<span class="filename">...</span>
so any existing stylesshould still apply, although the CSS path may need to change.
table_cls_step_1_start_1_special_0_noanchor_filename.html
in the
tests/html_linenos_expected_output/
directory.https://github.com/pygments/pygments/issues/1757ues/1757
Added styles:
v2.8.1
Compare Source
minted
(#1734, #1735, #1736, #1737)v2.8.0
Compare Source
(released February 14, 2021)
Added lexers:
Updated lexers:
AutoIt: Support single quoted strings (#1667, #1663)
C/C++ & related: Fix mishandling
*/
(#1695)Cocoa: Add builtin types (#1703)
Console (#1672)
Eiffel: Fix performance issues (#1658)
Fortran: Improve combined keyword detection (#1677, #1188)
J: Fix operator
?
lexing (#1700, #1149)JavaScript/TypeScript: Fix escapes in backtick strings (#1679, #1686)
Kotlin: Improve string interpolation, modifier keyword handling, and various small issues (#1699)
LESS: Support single-line comments (#1046)
Matlab:
OpenEdge (#1696)
Python: Improve handling of raw f-strings (#1681, #1683)
Ruby: Better method name handling (#1531)
Stata: Updated keywords (#1470)
Added styles:
The
pygmentize
script now usesargparse
, all options should workas before
Add
pygmentize -C
option to guess a lexer from contentWith this release, Pygments moves to a new internal testing system (#1649.)
See
Contributing.md
for details. The main advantage of this new changeis a much better test coverage of all existing example lexers. It also makes
it much easier to add new test snippets.
Make guessing prefer Python 3 lexer
Do not guess MIME or SQL without reason
Changed setuptools to use a declarative config through
setup.cfg
.Building Pygments now requires setuptools 39.2+.
Add markdown to MarkdownLexer aliases (#1687)
Change line number handling
<table>
based output, thetd.linenos
element will have either anormal
orspecial
class attached. Previously, onlyspecial
linenumbers got a class. This prevents styles from getting applied twice -
once via
<pre>
, once via<span class="special">
. This also meansthat
td.linenos pre
is no longer styled, instead, usetd.linenos .normal
andtd.linenos .special
.is added first, then the line is wrapped is wrapped by the highlighter.
This fixes lines not being fully highlighted.
as well as class-based and inline styling is now consistent.
background-color: transparent
andcolor: inherit
by default. This works much better with dark styleswhich don't have colors set for line numbers.
Remove "raw" alias from RawTokenLexer, so that it cannot be
selected by alias.
Fix RawTokenLexer to work in Python 3 and handle exceptions.
Add prompt colors to the Solarized theme (#1529)
Image formatter supports background colors now (#1374)
Add support for anchors in conjunction with inline line numbers (#1591)
Modernize the codebase using
pyupgrade
(#1622)Add support for line numbers to the
terminal256
formatter (#1674, #1653)Improve
analyze_text
logic forECL
(#1610)Improve
analyze_text
logic forCBM Basic V2
(#1607)Improve LaTeX formatter (#1708, #1709)
v2.7.4
Compare Source
(released January 12, 2021)
Updated lexers:
Apache configurations: Improve handling of malformed tags (#1656)
CSS: Add support for variables (#1633, #1666)
Crystal (#1650, #1670)
Coq (#1648)
Fortran: Add missing keywords (#1635, #1665)
Ini (#1624)
JavaScript and variants (#1647 -- missing regex flags, #1651)
Markdown (#1623, #1617)
Shell
in
keyword (#1652)SQL - Fix keywords (#1668)
Typescript: Fix incorrect punctuation handling (#1510, #1511)
Fix infinite loop in SML lexer (#1625),
CVE-2021-20270 <https://nvd.nist.gov/vuln/detail/CVE-2021-20270>
_Fix backtracking string regexes in JavaScript/TypeScript, Modula2
and many other lexers (#1637)
CVE-2021-27291 <https://nvd.nist.gov/vuln/detail/CVE-2021-27291>
_Limit recursion with nesting Ruby heredocs (#1638)
Fix a few inefficient regexes for guessing lexers
Fix the raw token lexer handling of Unicode (#1616)
Revert a private API change in the HTML formatter (#1655) --
please note that private APIs remain subject to change!
Fix several exponential/cubic-complexity regexes found by
Ben Caller/Doyensec (#1675)
Fix incorrect MATLAB example (#1582)
Thanks to Google's OSS-Fuzz project for finding many of these bugs.
v2.7.3
Compare Source
(released December 6, 2020)
Updated lexers:
Deprecated JsonBareObjectLexer, which is now identical to JsonLexer (#1600)
The
ImgFormatter
now calculates the exact character width, which fixes some issues with overlapping text (#1213, #1611)Documentation fixes (#1609, #1599, #1598)
Fixed duplicated Juttle language alias (#1604, #1606)
Added support for Kotlin scripts (#1587)
Removed CSS rule which forced margin to 0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.