Skip to content

fix: update mdast-util-to-hast to >= 13.2.1 to address CVE-2025-66400 #10593

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
roomote wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

fix: update mdast-util-to-hast to >= 13.2.1 to address CVE-2025-66400 #10593

roomote wants to merge 1 commit into from
+11 −67

Conversation

@roomote
Copy link
Contributor

@roomote roomote bot commented Jan 10, 2026
edited by ellipsis-dev bot
Loading

This PR updates mdast-util-to-hast to version 13.2.1 or higher to address security vulnerability CVE-2025-66400 (GHSA-4fh9-h7wg-q85m).

Changes

  • Added pnpm override for mdast-util-to-hast >= 13.2.1 in package.json
  • Updated pnpm-lock.yaml to use mdast-util-to-hast@13.2.1 (previously used 13.2.0 and 10.2.0)

Testing

  • ✅ All lint checks pass
  • ✅ All type checks pass
  • ✅ Verified mdast-util-to-hast@13.2.1 is used throughout the lockfile

View task on Roo Code Cloud

Important

Update mdast-util-to-hast to >=13.2.1 to fix CVE-2025-66400.

  • Security Update:
    • Updated mdast-util-to-hast to >=13.2.1 in package.json to address CVE-2025-66400.
    • Updated pnpm-lock.yaml to use mdast-util-to-hast@13.2.1.
  • Testing:
    • All lint and type checks pass.
    • Verified mdast-util-to-hast@13.2.1 is consistently used in the lockfile.

This description was created by Ellipsis for 40376cd. You can customize this summary. It will automatically update as commits are pushed.

@roomote
Copy link
Contributor Author

roomote bot commented Jan 10, 2026
edited
Loading

Rooviewer Clock   See task on Roo Cloud

Review complete. No issues found.

This is a clean security patch that properly addresses CVE-2025-66400 by adding a pnpm override for mdast-util-to-hast >= 13.2.1. The lockfile has been correctly updated to use the patched version throughout.

Mention @roomote in a comment to request specific changes to this pull request or fix all unresolved issues.

@hannesrudolph hannesrudolph added the Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. label Jan 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrubens mrubens Awaiting requested review from mrubens mrubens will be requested when the pull request is marked ready for review mrubens is a code owner

@cte cte Awaiting requested review from cte cte will be requested when the pull request is marked ready for review cte is a code owner

@jr jr Awaiting requested review from jr jr will be requested when the pull request is marked ready for review jr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels.

Projects

Roo Code Roadmap
Status: Triage

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hannesrudolph @roomote