Skip to content

chore(deps): update dependency pygments to v2.15.0 [security]#215

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-pygments-vulnerability
Open

chore(deps): update dependency pygments to v2.15.0 [security]#215
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-pygments-vulnerability

Conversation

@renovate
Copy link

@renovate renovate bot commented Jul 26, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
Pygments (changelog) ==2.9.0==2.15.0 age confidence

GitHub Vulnerability Alerts

CVE-2022-40896

A ReDoS issue was discovered in pygments/lexers/smithy.py in Pygments until 2.15.0 via SmithyLexer.

Release Notes

pygments/pygments (Pygments)

v2.15.0

Compare Source

(released April 10th, 2023)

  • Added lexers:

  • Updated lexers:

    • AMDGPU: Add support for scratch_ instructions, the attr*.* argument,
      as well as the off modifier (#​2327).

    • APDL: Miscellaneous improvements (#​2314)

    • bash/tcsh:

    • Chapel: Support attributes (#​2376)

    • CMake: Implement bracket style comments (#​2338, #​2354)

    • CSS: Improve lexing of numbers inside function calls (#​2382, #​2383)

    • diff: Support normal diff syntax, as opposed to unified diff syntax (#​2321)

    • GLSL, HLSL:

      • Support line continuations in preprocessor code (#​2350)
      • Improve preprocessor directive handling (#​2357)

    • LilyPond: minor update of builtins

    • PHP: support attributes (#​2055, #​2347, #​2360), fix anonymous classes without
      parameters (#​2359), improve lexing of variable variable syntax (#​2358)

    • Python:

    • Rebol/Red: Don't require script headers (#​2348, #​2349)

    • Spice: Update keywords (#​2336)

    • SQL+Jinja (analyse_text method): Fix catastrophic backtracking (#​2355)

    • Terraform: Add hcl alias (#​2375)

  • Declare support for Python 3.11 and drop support for Python 3.6 (#​2324).

  • Update native style to improve contrast (#​2325).

  • Update `github-dark`` style to match latest Primer style (#​2401)

  • Revert a change that made guessing lexers based on file names slower
    on Python 3.10 and older (#​2328).

  • Fix some places where a locale-dependent encoding could unintentionally
    be used instead of UTF-8 (#​2326).

  • Fix Python traceback handling (#​2226, #​2329).

  • Groff formatter: sort color definitions for reproducibility (#​2343)

  • Move project metadata to pyproject.toml, remove setup.py
    and setup.cfg (#​2342)

  • The top-level Makefile has been removed. Instead, all shortcuts
    for developing are now defined and run through tox. The doc folder
    still contains a Makefile as an alternative to tox -e doc.

v2.14.0

Compare Source

(released January 1st, 2023)

  • Added lexers:

  • Updated lexers:

    • Abap: Update keywords (#​2281)

    • Alloy: Update for Alloy 6 (#​1963)

    • C family (C, C++ and many others):

      • Fix an issue where a chunk would be wrongly recognized as a function
        definition due to braces in comments (#​2210)
      • Improve parantheses handling for function definitions (#​2207, #​2208)

    • C#: Fix number and operator recognition (#​2256, #​2257)

    • CSound: Updated builtins (#​2268)

    • F#: Add .fsx file extension (#​2282)

    • gas (GNU assembler): recognize braces as punctuation (#​2230)

    • HTTP: Add CONNECT keyword (#​2242)

    • Inform 6: Fix lexing of properties and doubles (#​2214)

    • INI: Allow comments that are not their own line (#​2217, #​2161)

    • Java properties: Fix issue with whitespace-delimited keys, support
      comments starting with ! and escapes, no longer support undocumented
      ; and // comments (#​2241)

    • LilyPond: Improve heuristics, add \maxima duration (#​2283)

    • LLVM: Add opaque pointer type (#​2269)

    • Macaulay2: Update keywords (#​2305)

    • Minecraft-related lexers (SNB and Minecraft function) moved to
      pygments.lexers.minecraft (#​2276)

    • Nim: General improvements (#​1970)

    • Nix: Fix single quotes inside indented strings (#​2289)

    • Objective J: Fix catastrophic backtracking (#​2225)

    • NASM: Add support for SSE/AVX/AVX-512 registers as well as 'rel'
      and 'abs' address operators (#​2212)

    • Powershell:

    • Solidity: Add boolean operators (#​2292)

    • Spice: Add enum keyword and fix a bug regarding binary,
      hexadecimal and octal number tokens (#​2227)

    • YAML: Accept colons in key names (#​2277)

  • Fix make mapfiles when Pygments is not installed in editable mode
    (#​2223)

  • Support more filetypes and compression types in autopygmentize (#​2219)

  • Merge consecutive tokens in Autohotkey, Clay (#​2248)

  • Add .nasm as a recognized file type for NASM (#​2280)

  • Add *Spec.hs as a recognized file type for HSpec (#​2308)

  • Add *.pyi (for typing stub files) as a recognized file type for
    Python (#​2231)

  • The HTML lexer no longer emits empty spans for whitespace (#​2304)

  • Fix IRCFormatter inserting linenumbers incorrectly (#​2270)

v2.13.0

Compare Source

(released August 15th, 2022)

  • Added lexers:

  • Updated lexers:

    • Ada: support Ada 2022 (#​2121); disable recognition of namespaces
      because it disturbs lexing of aspects (#​2125)
    • Agda: allow straight quotes in module names (#​2163)
    • C family (C, C++ and many others): allow comments between
      elements of function headers, e.g. between the arguments and
      the opening brace for the body (#​1891)
    • C++: Resolve several cases of Error tokens (#​2207, #​2208)
    • Coq: Add some common keywords, improve recognition of Set
      and qualified identifiers (#​2158)
    • F*: Allow C-style comments anywhere in a line
    • Fortran: Fix catastrophic backtracking with backslashes in strings
      (#​2194)
    • Go: add support for generics (#​2167)
    • Inform: Update for version 6.40 (#​2190)
    • Isabelle: recognize cartouches (#​2089)
    • Java: support multiline strings aka. text blocks (#​2132)
    • Kotlin: Add value modifier (#​2142)
    • LilyPond: Add some missing builtins
    • Macaulay2: Update builtins (#​2139)
    • Matlab session: fix traceback when a line continuation ellipsis
      appears in the output (#​2166)
    • .NET: Add aliases for LibreOffice Basic, OpenOfficeBasic and
      StarOffice Basic (#​2170)
    • Nim: Use Name.Builtin instead of Keyword.Type (#​2136)
    • PHP: fix \"$var\" inside strings (#​2105)
    • Python: only recognize \N, \u and \U escape sequences
      in string literals, but not in bytes literals where they are
      not supported (#​2204)
    • Tcl: support ${name} variables (#​2145)
    • Terraform: Accept leading whitespace for << heredoc
      delimiters (#​2162)
    • Teraterm: Various improvements (#​2165)
    • Spice: add support for the recently added features including more
      builtin functions and bin, oct, hex number formats (#​2206)

  • Added styles:

  • Pygments now tries to use the importlib.metadata module to
    discover plugins instead of the slower pkg_resources (#​2155). In
    particular, this largely speeds up the pygmentize script when
    the lexer is not specified.

    importlib.metadata is only available in the Python standard
    library since Python 3.8. For older versions, there exists an
    importlib_metadata backport on PyPI. For this reason, Pygments
    now defines a packaging extra plugins, which adds a requirement
    on importlib_metadata if the Python version is older than
    3.8. Thus, in order to install Pygments with optimal plugin
    support even for old Python versions, you should do::

    pip install pygments[plugins]

    Pygments still falls back on pkg_resources if neither
    importlib.metadata nor importlib_metadata is found, but it
    will be slower.

  • Silently ignore BrokenPipeError in the command-line interface
    (#​2193).

  • The HtmlFormatter now uses the linespans attribute for
    anchorlinenos if the lineanchors attribute is unset (#​2026).

  • The highlight, lex and format functions no longer
    wrongly report "argument must be a lexer/formatter instance, not a
    class" in some cases where this is not the actual problem (#​2123).

  • Fix warnings in doc build (#​2124).

  • The codetagify filter now recognizes FIXME tags by default (#​2150).

  • The pygmentize command now recognizes if the COLORTERM
    environment variable is set to a value indicating that true-color
    support is available. In that case, it uses the TerminalTrueColorFormatter
    by default (#​2160)

  • Remove redundant caches for filename patterns (#​2153)

  • Use new non-deprecated Pillow API for text bounding box in ImageFormatter
    (#​2198)

  • Remove default_style (#​930, #​2183)

  • Stop treating DeprecationWarnings as errors in the unit tests (#​2196)

v2.12.0

Compare Source

(released April 24th, 2022)

  • Added lexers:

  • Updated lexers:

    • Agda: Update keyword list (#​2017)

    • C family: Fix identifiers after case statements (#​2084)

    • Clojure: Highlight ratios (#​2042)

    • Csound: Update to 6.17 (#​2064)

    • CSS: Update the list of properties (#​2113)

    • Elpi:

    • Futhark: Add missing tokens (#​2118)

    • Gherkin: Add But (#​2046)

    • Inform6: Update to 6.36 (#​2050)

    • Jinja2: add .xxx.j2 and .xxx.jinja2 to relevant lexers
      (for xxx = html, xml, etc.) (#​2103)

    • JSON: Support C comments in JSON (#​2049). Note: This doesn't mean the JSON parser now supports JSONC or JSON5 proper, just that it doesn't error out when seeing a /* */ or // style comment. If you need proper comment handling, consider using the JavaScript lexer.

    • LilyPond:

      • Fix incorrect lexing of names containing a built-in (#​2071)
      • Fix properties containing dashes (#​2099)

    • PHP: Update builtin function and keyword list (#​2054, #​2056)

    • Python: highlight EncodingWarning (#​2106)

    • Savi: fix highlighting for underscore/private identifiers,
      add string interpolation (#​2102); fix nested type name highlighting
      (#​2110)

    • Scheme: Various improvements (#​2060)

    • Spice: Update the keyword list, add new types (#​2063, #​2067)

    • Terraform:

  • Add plugins argument to get_all_lexers().

  • Bump minimal Python version to 3.6 (#​2059)

  • Fix multiple lexers marking whitespace as Text (#​2025)

  • Remove various redundant uses of re.UNICODE (#​2058)

  • Associate .resource with the Robot framework (#​2047)

  • Associate .cljc with Clojure (#​2043)

  • Associate .tpp with C++ (#​2031)

  • Remove traces of Python 2 from the documentation (#​2039)

  • The native style was updated to meet the WCAG AAA contrast guidelines (#​2038)

  • Fix various typos (#​2030)

  • Fix Groff formatter not inheriting token styles correctly (#​2024)

  • Various improvements to the CI (#​2036)

  • The Ada lexer has been moved to a separate file (#​2117)

  • When linenos=table is used, the <table> itself is now wrapped with a <div class="highlight"> tag instead of placing it inside the <td class="code"> cell (#​632.) With this change, the output matches the documented behavior.

.. note::

If you have subclassed HtmlFormatter.wrap, you may have to adjust the logic.

v2.11.2

Compare Source

(released January 6th, 2022)

  • Updated lexers:

  • Fix links to line numbers not working correctly (#​2014)

  • Remove underline from Whitespace style in the Tango theme (#​2020)

  • Fix IRC and Terminal256 formatters not backtracking correctly for custom token types, resulting in some unstyled tokens (#​1986)

v2.11.1

Compare Source

(released December 31st, 2021)

  • Updated lexers:

    • C-family: Handle return types with multiple tokens (e.g. unsigned int) (#​2008)
    • JSON: Fix a regression which caused whitespace before : to result in Error tokens (#​2010)
    • SPICE: Various improvements (#​2009)

v2.11.0

Compare Source

(released December 30th, 2021)

.. note::

All of the new styles unfortunately do not conform to WCAG recommendations.

  • There is new infrastructure in place to improve style accessibility. The default style has been updated to conform to WCAG recommendations. All styles are now checked for sufficient contrast by default to prevent regressions. (#​1919, #​1937, #​1938, #​1940)
  • Clean up unused imports (#​1887)
  • Fix multiple lexers producing repeated single-character tokens
  • Fix multiple lexers marking whitespace as Text (#​1237, #​1905, #​1908, #​1914, #​1911, #​1923, #​1939, #​1957, #​1978)
  • Remove duplicated assignments in the Paraiso style (#​1934)
  • pygmentize supports JSON output for the various list functions now, making it easier to consume them from scripts. (#​1437, #​1890)
  • Use the shell lexer for kshrc files (#​1947)
  • Use the ruby lexer for Vagrantfile files (#​1936)
  • Use the C lexer for .xbm and .xpm files (#​1802)
  • Add a groff formatter (#​1873)
  • Update documentation (#​1928)
  • Line anchors now link to themselves (#​1973)
  • Add official support for Python 3.10 (#​1917)
  • Fix several missing colors in dark styles: Gruvbox dark, Monokai, Rrt, Sas, Strata dark (#​1955)
  • Associate more file types with man pages
  • The HtmlFormatter can now emit tooltips for each token to ease debugging of lexers (#​1822)
  • Add f90 as an alias for fortran (#​2000)

v2.10.0

Compare Source

(released August 15th, 2021)

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants