fix(deps): update dependency katex to v0.16.21 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
katex (source)	dependencies	patch	0.16.20 -> 0.16.21

GitHub Vulnerability Alerts

CVE-2025-23207

Impact

KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML.

Patches

Upgrade to KaTeX v0.16.21 to remove this vulnerability.

Workarounds

• Avoid use of or turn off the trust option, or set it to forbid \htmlData commands.
• Forbid inputs containing the substring "\\htmlData".
• Sanitize HTML output from KaTeX.

Details

\htmlData did not validate its attribute name argument, allowing it to generate invalid or malicious HTML that runs scripts.

For more information

If you have any questions or comments about this advisory:

• Open an issue or security advisory in the KaTeX repository
• Email us at [email protected]

---

Release Notes

KaTeX/KaTeX (katex)

v0.16.21

Compare Source

Bug Fixes

• escape \htmlData attribute name (57914ad)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - "* 0-3 * * 1" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

Summary by Sourcery

Bug Fixes:

• Fix a vulnerability in KaTeX where untrusted mathematical expressions rendered with renderToString could execute arbitrary JavaScript or generate invalid HTML via malicious use of \htmlData.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
blog	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jan 17, 2025 10:00pm
cv	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jan 17, 2025 10:00pm
insights	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jan 17, 2025 10:00pm

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request updates the katex dependency from version 0.16.20 to 0.16.21 to address a security vulnerability. The vulnerability allows malicious input using \htmlData to run arbitrary JavaScript or generate invalid HTML. The update includes a fix that escapes the \htmlData attribute name.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change	Details	Files
Updated the katex dependency to address a security vulnerability.	Updated katex from 0.16.20 to 0.16.21.	yarn.lock

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!