chore(deps): update dependency pygments to v2.7.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
Pygments (source, changelog)	==2.7.2 -> ==2.7.4

---

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2021-27291

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

CVE-2021-20270

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

---

Release Notes

pygments/pygments

v2.7.4

Compare Source

(released January 12, 2021)

• Updated lexers:

  • Apache configurations: Improve handling of malformed tags (#​1656)

  • CSS: Add support for variables (#​1633, #​1666)

  • Crystal (#​1650, #​1670)

  • Coq (#​1648)

  • Fortran: Add missing keywords (#​1635, #​1665)

  • Ini (#​1624)

  • JavaScript and variants (#​1647 -- missing regex flags, #​1651)

  • Markdown (#​1623, #​1617)

  • Shell

    • Lex trailing whitespace as part of the prompt (#​1645)
    • Add missing in keyword (#​1652)

  • SQL - Fix keywords (#​1668)

  • Typescript: Fix incorrect punctuation handling (#​1510, #​1511)

• Fix infinite loop in SML lexer (#​1625), CVE-2021-20270 <https://nvd.nist.gov/vuln/detail/CVE-2021-20270>_

• Fix backtracking string regexes in JavaScript/TypeScript, Modula2
  and many other lexers (#​1637) CVE-2021-27291 <https://nvd.nist.gov/vuln/detail/CVE-2021-27291>_

• Limit recursion with nesting Ruby heredocs (#​1638)

• Fix a few inefficient regexes for guessing lexers

• Fix the raw token lexer handling of Unicode (#​1616)

• Revert a private API change in the HTML formatter (#​1655) --
  please note that private APIs remain subject to change!

• Fix several exponential/cubic-complexity regexes found by
  Ben Caller/Doyensec (#​1675)

• Fix incorrect MATLAB example (#​1582)

Thanks to Google's OSS-Fuzz project for finding many of these bugs.

v2.7.3

Compare Source

(released December 6, 2020)

• Updated lexers:

  • Ada (#​1581)
  • HTML (#​1615, #​1614)
  • Java (#​1594, #​1586)
  • JavaScript (#​1605, #​1589, #​1588)
  • JSON (#​1569 -- this is a complete rewrite)
  • Lean (#​1601)
  • LLVM (#​1612)
  • Mason (#​1592)
  • MySQL (#​1555, #​1551)
  • Rust (#​1608)
  • Turtle (#​1590, #​1553)

• Deprecated JsonBareObjectLexer, which is now identical to JsonLexer (#​1600)

• The ImgFormatter now calculates the exact character width, which fixes some issues with overlapping text (#​1213, #​1611)

• Documentation fixes (#​1609, #​1599, #​1598)

• Fixed duplicated Juttle language alias (#​1604, #​1606)

• Added support for Kotlin scripts (#​1587)

• Removed CSS rule which forced margin to 0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.