chore(deps): update dependency mdast-util-to-hast to v13.2.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
mdast-util-to-hast	13.2.0 → 13.2.1

GitHub Vulnerability Alerts

CVE-2025-66400

Impact

Multiple (unprefixed) classnames could be added in markdown source by using character references.
This could make rendered user supplied markdown code elements appear like the rest of the page.
The following markdown:

```js xss
```

Would create <pre><code class="language-js xss"></code></pre>
If your page then applied .xss classes (or listeners in JS), those apply to this element.
For more info see https://github.com/ChALkeR/notes/blob/master/Improper-markup-sanitization.md#unsanitized-class-attribute

Patches

The bug was patched. When using regular semver, run npm install. For exact ranges, make sure to use 13.2.1.

Workarounds

Update.

References

• bug introduced in syntax-tree/mdast-util-to-hast@6fc783a
• bug fixed in syntax-tree/mdast-util-to-hast@ab3a795

---

Release Notes

syntax-tree/mdast-util-to-hast (mdast-util-to-hast)

v13.2.1

Compare Source

Fix

• ab3a795 Fix support for spaces in class names

Types

• efb5312 Refactor to use @imports
• a5bc210 Add declaration maps

Full Changelog: syntax-tree/mdast-util-to-hast@13.2.0...13.2.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.