From df906fe3987a57c0d085fccc7fd2f52c69581d1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sk=C3=BAli=20Arnlaugsson?=
Date: Mon, 8 Dec 2025 14:36:30 +0000
Subject: [PATCH] Update mdast-util-to-hast version to 13.2.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2025-66400: mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user-supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1. Medium Vulnerability.
Signed-off-by: SkĂșli Arnlaugsson
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 35fe1fa..659294d 100644
--- a/package.json
+++ b/package.json
@@ -53,7 +53,7 @@
 "devlop": "^1.0.0",
 "hast-util-to-jsx-runtime": "^2.0.0",
 "html-url-attributes": "^3.0.0",
- "mdast-util-to-hast": "^13.0.0",
+ "mdast-util-to-hast": "^13.2.1",
 "remark-parse": "^11.0.0",
 "remark-rehype": "^11.0.0",
 "unified": "^11.0.0",