Update league/commonmark library from ~2.4.0 to ~2.6.0 ( ~2 ) [#3497352]

Problem/Motivation

Facing a "Found 1 security vulnerability advisory affecting 1 package." warning when using the composer.

Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | league/commonmark                                                                |
| Severity          | high                                                                             |
| CVE               | NO CVE                                                                           |
| Title             | league/commonmark's quadratic complexity bugs may lead to a denial of service    |
| URL               | https://github.com/advisories/GHSA-c2pc-g5qf-rfrf                                |
| Affected versions | <2.6.0                                                                           |
| Reported at       | 2024-12-09T20:42:07+00:00                                                        |
| Advisory ID       | PKSA-fndg-qryc-dyc9                                                              |
+-------------------+----------------------------------------------------------------------------------+

thephpleague/commonmark 2.6.1 was released on 2024/12/29
https://github.com/thephpleague/commonmark/releases/tag/2.6.1

Proposed resolution

Change league/commonmark to ~2 in the composer.json files.

Remaining tasks

✅ File an issue about this project
✅ Addition/Change/Update/Fix to this project
✅ Testing to ensure no regression
➖ Automated unit/functional testing coverage
➖ Developer Documentation support on feature change/addition
➖ User Guide Documentation support on feature change/addition
➖ UX/UI designer responsibilities
➖ Accessibility and Readability
✅ Code review from 1 Varbase core team member
✅ Full testing and approval
✅ Credit contributors
✅ Review with the product owner
✅ Update Release Notes and Update Helper on new feature change/addition
✅ Release varbase-10.0.3, varbase_components-2.0.9

Varbase update type

✅ No Update
➖ Optional Update
➖ Forced Update
➖ Forced Update if Unchanged

User interface changes

API changes

Data model changes

Release notes snippet

Issue #3497352: Updated league/commonmark library from ~2.4.0 to ~2.6.0 ( ~2 )

Comments

Comment #1

4 January 2025 at 14:31

rajab natshah created an issue. See original summary.

Comment #2

4 January 2025 at 14:33

rajab natshah committed 150b3dce on 2.0.x

Issue #3497352: Update league/commonmark from ~2.4.0 to ~2.6.0 ( ~2 )

Comment #3

rajab natshah

he/him

commented 4 January 2025 at 15:06

Title:	Update league/commonmark from ~2.4.0 to ~2.6.0 ( ~2 )	» Update league/commonmark library from ~2.4.0 to ~2.6.0 ( ~2 )
Assigned:	rajab natshah	» Unassigned
Issue summary:	View changes
Status:	Active	» Needs review
Issue tags:		+varbase-10.0.3, +varbase_components-2.0.9