fix(deps): update dependency markdown-it to v14 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
markdown-it	^13.0.0 → ^14.0.0

GitHub Vulnerability Alerts

CVE-2026-2327

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.

---

Release Notes

markdown-it/markdown-it (markdown-it)

v14.1.1

Compare Source

Security

• Fixed regression from v13 in linkify inline rule. Specific patterns could
  cause high CPU use. Thanks to @​ltduc147 for report.

v14.1.0

Compare Source

Changed

• Updated CM spec compatibility to 0.31.2, #​1009.

Fixed

• Fixed quadratic complexity when parsing references, #​996.
• Fixed quadratic output size with pathological user input in tables, #​1000.

v14.0.0

Compare Source

Changed

• Drop ancient browsers support (use .fromCodePoint and other features).
• Rewrite to ESM (including all plugins/deps). CJS fallback still available.
  No signatures changed, except markdown-it-emoji plugin.
• Dropped dist/ folder from repo, build on package publish.
• Set punicode.js as external dependency.

Fixed

• Html tokens inside img alt are now rendered as their original text, #​896.
• Hardbreaks inside img alt are now rendered as newlines.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.