chore(deps-dev): bump commonmark from 0.28.1 to 0.29.1

[dependabot-preview]

Bumps commonmark from 0.28.1 to 0.29.1.

Release notes

Sourced from commonmark's releases.

commonmark.js 0.29.1

• Export Renderer (#162, Federico Ramirez). Export the Renderer class so consumers can use it as a base class for their own custom Renderer's. [API change]
• Fix end source position for fenced code and raw HTML (#141).
• Ensure that \ is treated as punctuation character (#161).
• Remove redundant token from reHtmlBlockOpen (Vas Sudanagunta).
• Remove unused variable reWhitespace.
• Don't decode url before encoding it again (Daniel Berndt).
• Don't allow link destinations with unbalanced unescaped parens (#177).
• Don't put quote delims on stack if not --smart.
• Don't add to delim stack if !can_open && !can_close (#172).
• Remove no longer used argument to escapeXml (#169, Robin Stocker).
• Avoid numerical conversion for file names in argv (#164, Alex Kocharin).
• Adapt existing encoding-based regression test and add %25-based regression test (Daniel Berndt).
• Add pathological test for #172 illustrating quadratic time bug.
• Fix pathological case commonmark/cmark#178.
• Add pathological test for cmark#178.
• Dingus: remove debugging console.log.
• Sync .editorconfig indent_size to actual (#178, Vas Sudanagunta).
• Add lint rule for unused variables
• Apply npm audit suggestions.
• Fixed invalid package.json dependency entries (Vas Sudanagunta).

commonmark.js 0.29.0

• Update spec to 0.29.
• Fix parsing of setext headers after reference link definitions.
• Fix code span normalization to conform to spec change.
• Allow empty destinations in link refs. See commonmark/commonmark#172.
• Update link destination parsing.
• dingus: add dependency version requirements (#159, Vas Sudanagunta). Dingus was rendering incorrectly with Bootstrap 4. Added a bower.json which requires Bootstrap, jQuery and Lodash with major version equal to what's currently live. Likewise the minimum patch version.
• package.json: Add version for bower in devDependencies.
• package.json - use ^ operator for versions.
• Allow internal delim runs to match if both have lengths that are multiples of 3. See commonmark/commonmark#528.
• Remove now unused 'preserve_entities' option on escapeXml. This was formerly used (incorrectly) in the HTML renderer. It isn't needed any more. [API change]
• html renderer: Don't preserve entities when rendering href, src, title, info string. This gives rise to double-encoding errors, when the original markdown is e.g. :, since the commonmark reader already unescapes entities. Thanks to Sebastiaan Knijnenburg for noticing this.
• More efficient checking for loose lists. This fixes a case like commonmark/cmark#284.
• Disallow unescaped ( in parenthesized link title.
• Add pathological test (Parsing '[ (]([ (]([ (]([ (](...' takes quadratic time commonmark/cmark#285).
• Comment out failing pathological test for now.
• Add pathological tests for #157.
• Fix two exponential regex backtracking vulnerabilities (#157, Anders Kaseorg). ESCAPED_CHAR already matches \\, so matching it again in another alternative was causing exponential complexity explosion. This makes the following behavior changes: [foo\\\] is no longer incorrectly accepted as a link reference. <foo\> is no longer incorrectly accepted as an angle-bracketed link destination.
• package.json: require lodash >= 4.17.11.
• Require cached-path-relative >= 1.0.2. This fixes a security vulnerability, but it's only in the dev dependencies.
• Update fenced block parsing for spec change.
• Require space before title in reference link. See commonmark/cmark#263.
• Update code span normalization for spec change.
• Removed meta from list of block tags. See commonmark/CommonMark#527.

... (truncated)

Changelog

Sourced from commonmark's changelog.

[0.29.1]

• Export Renderer (#162, Federico Ramirez). Export the Renderer class so consumers can use it as a base class for their own custom Renderer's. [API change]
• Fix end source position for fenced code and raw HTML (#141).
• Ensure that \ is treated as punctuation character (#161).
• Remove redundant token from reHtmlBlockOpen (Vas Sudanagunta).
• Remove unused variable reWhitespace.
• Don't decode url before encoding it again (Daniel Berndt).
• Don't allow link destinations with unbalanced unescaped parens (#177).
• Don't put quote delims on stack if not --smart.
• Don't add to delim stack if !can_open && !can_close (#172).
• Remove no longer used argument to escapeXml (#169, Robin Stocker).
• Avoid numerical conversion for file names in argv (#164, Alex Kocharin).
• Adapt existing encoding-based regression test and add %25-based regression test (Daniel Berndt).
• Add pathological test for #172 illustrating quadratic time bug.
• Fix pathological case commonmark/cmark#178.
• Add pathological test for cmark#178.
• Dingus: remove debugging console.log.
• Sync .editorconfig indent_size to actual (#178, Vas Sudanagunta).
• Add lint rule for unused variables
• Apply npm audit suggestions.
• Fixed invalid package.json dependency entries (Vas Sudanagunta).

[0.29.0]

• Update spec to 0.29.
• Fix parsing of setext headers after reference link definitions.
• Fix code span normalization to conform to spec change.
• Allow empty destinations in link refs. See commonmark/commonmark#172.
• Update link destination parsing.
• dingus: add dependency version requirements (#159, Vas Sudanagunta). Dingus was rendering incorrectly with Bootstrap 4. Added a bower.json which requires Bootstrap, jQuery and Lodash with major version equal to what's currently live. Likewise the minimum patch version.
• package.json: Add version for bower in devDependencies.
• package.json - use ^ operator for versions.
• Allow internal delim runs to match if both have lengths that are multiples of 3. See commonmark/commonmark#528.
• Remove now unused 'preserve_entities' option on escapeXml. This was formerly used (incorrectly) in the HTML renderer. It isn't needed any more. [API change]
• html renderer: Don't preserve entities when rendering href, src, title, info string. This gives rise to double-encoding errors, when the original markdown is e.g. :, since the commonmark reader already unescapes entities. Thanks to Sebastiaan Knijnenburg for noticing this.
• More efficient checking for loose lists.

... (truncated)

Commits

• 2feaec3 New dist.
• b916820 Bump version to 0.29.1.
• 1f5a827 Fix end source position for fenced code and raw HTML.
• 94ad030 Apply npm audit suggestions.
• 3465f27 Fixed invalid package.json dependency entries.
• 0a304ac Merge pull request #181 from vassudanagunta/tiny-patch
• aee219e Remove unused variable reWhitespace.
• 5c5623a Add lint rule for unused variables
• cd03322 Merge pull request #179 from danielberndt/patch-1
• edd1f4a do not require decode, as it's not needed any more
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Superseded by #158.