Register | Log in

node-markdown-it

Fast and easy to extend markdown parser

Choose email to subscribe with

general

source: node-markdown-it (main)
version: 22.2.3+dfsg+~12.2.3-5
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Sakshi Sangwan [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 10.0.0+dfsg-2+deb11u1
oldstable: 22.2.3+dfsg+~12.2.3-2
stable: 22.2.3+dfsg+~12.2.3-2
testing: 22.2.3+dfsg+~12.2.3-4
unstable: 22.2.3+dfsg+~12.2.3-5

versioned links

10.0.0+dfsg-2+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
22.2.3+dfsg+~12.2.3-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
22.2.3+dfsg+~12.2.3-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
22.2.3+dfsg+~12.2.3-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

node-markdown-it

action needed

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-48988: markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt(), which performs O(n) slicing and concatenation per quote character. This can cause excessive CPU consumption when parsing quote-heavy, user-supplied markdown and may let attackers degrade or disrupt service availability. Although typographer is disabled by default, many production apps enable it for smart typography, making the issue relevant. This issue has been fixed in version 14.2.0.

Created: 2026-06-18 Last update: 2026-06-29 00:02

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2026-48988: markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt(), which performs O(n) slicing and concatenation per quote character. This can cause excessive CPU consumption when parsing quote-heavy, user-supplied markdown and may let attackers degrade or disrupt service availability. Although typographer is disabled by default, many production apps enable it for smart typography, making the issue relevant. This issue has been fixed in version 14.2.0.

Created: 2026-06-18 Last update: 2026-06-29 00:02

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2026-48988: markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt(), which performs O(n) slicing and concatenation per quote character. This can cause excessive CPU consumption when parsing quote-heavy, user-supplied markdown and may let attackers degrade or disrupt service availability. Although typographer is disabled by default, many production apps enable it for smart typography, making the issue relevant. This issue has been fixed in version 14.2.0.

Created: 2026-06-18 Last update: 2026-06-29 00:02

1 open merge request in Salsa normal

There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-08-19 Last update: 2025-08-19 06:28

debian/patches: 2 patches to forward upstream low

Among the 7 debian patches available in version 22.2.3+dfsg+~12.2.3-5 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-06-29 10:49

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-48988: (needs triaging) markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt(), which performs O(n) slicing and concatenation per quote character. This can cause excessive CPU consumption when parsing quote-heavy, user-supplied markdown and may let attackers degrade or disrupt service availability. Although typographer is disabled by default, many production apps enable it for smart typography, making the issue relevant. This issue has been fixed in version 14.2.0.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-06-18 Last update: 2026-06-29 00:02

testing migrations

excuses:
- Migration status for node-markdown-it (22.2.3+dfsg+~12.2.3-4 to 22.2.3+dfsg+~12.2.3-5): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Autopkgtest for node-markdown-it/22.2.3+dfsg+~12.2.3-5: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-markdown-it-texmath/1.0-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-prosemirror-markdown/1.8.0-2: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Lintian check waiting for test results - info
- ∙ ∙ Too young, only 0 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/n/node-markdown-it.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- Not considered

news

[2026-06-28] Accepted node-markdown-it 22.2.3+dfsg+~12.2.3-5 (source) into unstable (Xavier Guimard)
[2025-11-25] node-markdown-it 22.2.3+dfsg+~12.2.3-4 MIGRATED to testing (Debian testing watch)
[2025-11-22] Accepted node-markdown-it 22.2.3+dfsg+~12.2.3-4 (source) into unstable (Jérémy Lal)
[2025-07-13] Accepted node-markdown-it 22.2.3+dfsg+~12.2.3-3 (source) into experimental (Jérémy Lal)
[2022-05-03] node-markdown-it 22.2.3+dfsg+~12.2.3-2 MIGRATED to testing (Debian testing watch)
[2022-05-03] node-markdown-it 22.2.3+dfsg+~12.2.3-2 MIGRATED to testing (Debian testing watch)
[2022-05-01] Accepted node-markdown-it 22.2.3+dfsg+~12.2.3-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-04-21] node-markdown-it 22.2.3+dfsg+~12.2.3-1 MIGRATED to testing (Debian testing watch)
[2022-04-18] Accepted node-markdown-it 22.2.3+dfsg+~12.2.3-1 (source) into unstable (Israel Galadima) (signed by: Praveen Arimbrathodiyil)
[2022-03-05] Accepted node-markdown-it 10.0.0+dfsg-2+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-17] node-markdown-it 10.0.0+dfsg-6 MIGRATED to testing (Debian testing watch)
[2022-01-15] Accepted node-markdown-it 10.0.0+dfsg-6 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-12-05] node-markdown-it 10.0.0+dfsg-5 MIGRATED to testing (Debian testing watch)
[2021-12-02] Accepted node-markdown-it 10.0.0+dfsg-5 (source) into unstable (Jonas Smedegaard)
[2021-11-27] node-markdown-it 10.0.0+dfsg-4 MIGRATED to testing (Debian testing watch)
[2021-11-25] Accepted node-markdown-it 10.0.0+dfsg-4 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-11-05] node-markdown-it 10.0.0+dfsg-3.1 MIGRATED to testing (Debian testing watch)
[2021-11-02] Accepted node-markdown-it 10.0.0+dfsg-3.1 (source) into unstable (Paul Gevers)
[2021-08-29] Accepted node-markdown-it 10.0.0+dfsg-3 (source all) into unstable (Jelmer Vernooĳ) (signed by: Jelmer Vernooij)
[2020-09-11] Accepted node-markdown-it 10.0.0+dfsg-2~bpo10+1 (source all) into buster-backports, buster-backports (Debian FTP Masters) (signed by: Praveen Arimbrathodiyil)
[2020-09-08] node-markdown-it 10.0.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2020-09-06] Accepted node-markdown-it 10.0.0+dfsg-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-08-20] Accepted node-markdown-it 10.0.0+dfsg-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Utkarsh Gupta)

bugs [bug history graph]

all: 0

links

homepage
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 22.2.3+dfsg+~12.2.3-4

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing