fix(node-turndown): CVE-2025-9670

debian/changelog

@@ -1,3 +1,9 @@
+node-turndown (7.1.1-3deepin1) unstable; urgency=medium
+
+  * Fix CVE-2025-9670: ReDoS vulnerability via regexp bottleneck
+
+ -- deepin-ci-robot <[email protected]>  Thu, 30 Apr 2026 10:13:11 +0800
+
 node-turndown (7.1.1-3) unstable; urgency=medium
 
   * Team upload

debian/patches/cve_2025_9670.patch

@@ -0,0 +1,66 @@
+Description: Fix CVE-2025-9670: ReDoS vulnerability via regexp bottleneck
+ Replace regexp trailing space removal with more optimized method to avoid
+ regex performance issues.
+Author: Martin Čížek <[email protected]>
+Origin: upstream, https://github.com/mixmark-io/turndown/commit/8ed049935ac235cc009e9a7412c0a6fe6ab5b223
+Bug: https://security-tracker.debian.org/tracker/CVE-2025-9670
+Forwarded: not-needed
+Index: github-node-turndown-CVE-2025-9670/src/commonmark-rules.js
+===================================================================
+--- github-node-turndown-CVE-2025-9670.orig/src/commonmark-rules.js
++++ github-node-turndown-CVE-2025-9670/src/commonmark-rules.js
+@@ -1,4 +1,4 @@
+-import { repeat } from './utilities'
++import { repeat, trimNewlines } from './utilities'
+
+ var rules = {}
+
+@@ -39,8 +39,7 @@ rules.blockquote = {
+   filter: 'blockquote',
+
+   replacement: function (content) {
+-    content = content.replace(/^\n+|\n+$/g, '')
+-    content = content.replace(/^/gm, '> ')
++    content = trimNewlines(content).replace(/^/gm, "> ")
+     return '\n\n' + content + '\n\n'
+   }
+ }
+@@ -62,10 +61,6 @@ rules.listItem = {
+   filter: 'li',
+
+   replacement: function (content, node, options) {
+-    content = content
+-      .replace(/^\n+/, '') // remove leading newlines
+-      .replace(/\n+$/, '\n') // replace trailing newlines with just a single one
+-      .replace(/\n/gm, '\n    ') // indent
+     var prefix = options.bulletListMarker + '   '
+     var parent = node.parentNode
+     if (parent.nodeName === 'OL') {
+@@ -73,8 +68,11 @@ rules.listItem = {
+       var index = Array.prototype.indexOf.call(parent.children, node)
+       prefix = (start ? Number(start) + index : index + 1) + '.  '
+     }
++    var isParagraph = /\n$/.test(content)
++    content = trimNewlines(content) + (isParagraph ? '\n' : '')
++    content = content.replace(/\n/gm, '\n' + ' '.repeat(prefix.length)) // indent
+     return (
+-      prefix + content + (node.nextSibling && !/\n$/.test(content) ? '\n' : '')
++      prefix + content + (node.nextSibling ? '\n' : '')
+     )
+   }
+ }
+Index: github-node-turndown-CVE-2025-9670/src/utilities.js
+===================================================================
+--- github-node-turndown-CVE-2025-9670.orig/src/utilities.js
++++ github-node-turndown-CVE-2025-9670/src/utilities.js
+@@ -23,6 +23,10 @@ export function trimTrailingNewlines (st
+   return string.substring(0, indexEnd)
+ }
+
++export function trimNewlines (string) {
++  return trimTrailingNewlines(trimLeadingNewlines(string))
++}
++
+ export var blockElements = [
+   'ADDRESS', 'ARTICLE', 'ASIDE', 'AUDIO', 'BLOCKQUOTE', 'BODY', 'CANVAS',
+   'CENTER', 'DD', 'DIR', 'DIV', 'DL', 'DT', 'FIELDSET', 'FIGCAPTION', 'FIGURE',

debian/patches/series

@@ -1,2 +1,3 @@
 ship_typescript_definitions.patch
 fix-for-rollup-3.patch
+cve_2025_9670.patch