chore(deps): Bump erusev/parsedown from 1.7.4 to 1.8.0 #473

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/composer/erusev/parsedown-1.8.0
dependabot bot commented on behalf of github Feb 21, 2026

Bumps erusev/parsedown from 1.7.4 to 1.8.0.

Release notes

Sourced from erusev/parsedown's releases.

1.8.0

The first stable release in over six years. Requires PHP 7.1+.

Breaking Changes

  • PHP 7.1 minimum -- dropped support for PHP 5.3, 5.4, 5.5, 5.6, and 7.0.
  • List separation by marker type -- lists using different markers (*, +, -, or switching between . and ) for ordered lists) are now treated as separate lists, matching the CommonMark spec.
  • Lazy blockquotes -- consecutive blockquotes separated by a blank line are no longer merged into one, per CommonMark.
  • Sparse HTML blocks -- blank lines inside block-level HTML are now wrapped in <p> tags instead of being preserved as-is.
  • Empty ATX headings -- # and ## on their own now produce <h1></h1> and <h2></h2> instead of being treated as paragraphs.
  • Extensions accessing block internals may need to update: the element structure uses element instead of text in some places (e.g. $Block['element']['element']['text'] instead of $Block['element']['text']['text']).

Security

  • Regex patterns throughout the parser now use possessive quantifiers (*+, ++) to prevent catastrophic backtracking (ReDoS). This addresses denial-of-service vectors where malformed emphasis markers or other adversarial input could cause memory exhaustion or hangs.
  • Safe mode now sanitizes nested elements correctly via recursive AST traversal. Previously, sanitization only applied at the top level.
  • Extensions can mark self-produced HTML as trusted using allowRawHtmlInSafeMode so it isn't escaped in safe mode, while untrusted input remains escaped.

PHP Compatibility

  • Fixed implicit nullable parameter deprecations for PHP 8.4+.
  • Updated PHPUnit dependency and test infrastructure for modern PHP.
  • CI moved from Travis CI to GitHub Actions.

CommonMark Compliance

  • Setext headings now handle leading/trailing spaces correctly.
  • ATX heading closing # sequences are trimmed properly (e.g. # # of levels # # renders as <h1># of levels #</h1>).
  • Ordered lists support ) as a marker in addition to ..
  • Ordered lists starting with a number other than 1 no longer interrupt paragraphs.
  • One-column tables are now supported.
  • Fenced code blocks require the closing fence to have at least as many backticks/tildes as the opening fence.
  • HTML comments follow the CommonMark spec more closely.
  • Email autolinks validate against the CommonMark email definition.
  • Escaped tilde characters (\~\~) are no longer treated as strikethrough.

New Features

  • Strict mode (setStrictMode(true)) -- requires a space after # in ATX headings (CommonMark-compliant behavior).

Bug Fixes

  • Fixed "Uninitialized string offset" errors on certain inputs.
  • Fixed adjacent blockquotes being incorrectly merged.
  • Fixed line-break standardization when using the line() method directly.
  • Fixed table header validation (headers containing newlines are no longer accepted).
  • Fixed spaces in fenced code block class names.

Version 1.8.0-beta-6

This is a pre-release.

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [erusev/parsedown](https://github.com/erusev/parsedown) from 1.7.4 to 1.8.0.
- [Release notes](https://github.com/erusev/parsedown/releases)
- [Commits](erusev/parsedown@1.7.4...1.8.0)

---
updated-dependencies:
- dependency-name: erusev/parsedown
  dependency-version: 1.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and php (Pull requests that update php code) labels Feb 21, 2026
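
An illustration of the possessive-quantifier change listed under Security in the release notes above, added here as an example; it is not code from this pull request or from Parsedown. The two patterns and both inputs are constructed for the demonstration, and the script assumes PHP 7.1 or later with the standard PCRE extension.

```php
<?php
// Added example: constructed patterns and input, not taken from Parsedown's source.

// With the JIT off, pcre.backtrack_limit bounds the interpreter's work,
// so runaway backtracking surfaces as an error instead of a long hang.
ini_set('pcre.jit', '0');
ini_set('pcre.backtrack_limit', '100000');

/** Run one match and report the outcome, the PCRE error state and the time taken. */
function probe(string $pattern, string $subject): array
{
    $start  = microtime(true);
    $result = preg_match($pattern, $subject); // false when PCRE gives up
    $ms     = (microtime(true) - $start) * 1000;

    $names = [
        PREG_NO_ERROR              => 'PREG_NO_ERROR',
        PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
        PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
    ];
    $code = preg_last_error();

    return [
        'matched' => $result === 1,
        'aborted' => $result === false,
        'error'   => $names[$code] ?? "error $code",
        'ms'      => round($ms, 3),
    ];
}

// Nested greedy quantifiers: a run of \w can be split between iterations in many ways.
$greedy = '/^(?:\w+\s?)+$/';
// Possessive form: once a run is consumed it is never given back, so failure is immediate.
// \w and \s do not overlap, so both patterns accept the same well-formed input.
$possessive = '/^(?:\w++\s?)++$/';

$inputs = [
    'well-formed' => 'plain words separated by spaces',
    'malformed'   => str_repeat('a', 40) . '!', // constructed: trailing "!" forces a failed match
];

foreach ($inputs as $label => $subject) {
    foreach (['greedy' => $greedy, 'possessive' => $possessive] as $kind => $pattern) {
        $r = probe($pattern, $subject);
        printf("%-11s %-10s matched=%-5s error=%-26s %.3f ms\n",
            $label, $kind, var_export($r['matched'], true), $r['error'], $r['ms']);
    }
}
```

When reviewing a bump like this one, the `aborted` flag is the case to watch for in application code: `preg_match()` returning `false` is an engine error, not a non-match, and callers that treat the two alike will silently mis-parse input.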