
fix: bump mdast-util-to-hast to ^13.2.1 (CVE-2025-66400)#41

Closed
rfoel wants to merge 1 commit into remarkjs:main from rfoel:fix/cve-2025-66400-mdast-util-to-hast


Conversation


@rfoel rfoel commented Feb 26, 2026


Initial checklist

  • I read the support docs
  • I read the contributing guide
  • I agree to follow the code of conduct
  • I searched issues and discussions and couldn’t find anything or linked relevant results below
  • I made sure the docs are up to date
  • I included tests (or that’s not needed)

Description of changes

Bumps the mdast-util-to-hast minimum version from ^13.0.0 to ^13.2.1 to fix CVE-2025-66400.

CVE-2025-66400 — versions 13.0.0–13.2.0 allow injection of arbitrary class names via character-encoded whitespace in the markdown code block lang attribute, which could make elements appear to belong to other CSS classes and enable XSS. Fixed in 13.2.1.

Motivation

I use Yarn Berry with nodeLinker: pnp and strict package resolution (strictPeerDependencies). In this setup, the ^ semver range is not sufficient — Yarn Berry resolves and locks the exact version from the range at install time, and if the lockfile was generated before 13.2.1 was published it will keep resolving to a vulnerable version. Tightening the minimum version in package.json ensures Yarn Berry won't resolve to a vulnerable release.

References
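The injection mechanism the description above refers to, shown as an added illustration that is not part of this PR and is not mdast-util-to-hast's own code: a CommonMark fence info string is split into `lang` and `meta` on literal whitespace before character references are decoded, so an encoded space such as `&#x20;` survives the split, is decoded inside `lang`, and is then concatenated into the `language-…` class. The functions `decodeCharacterReferences`, `parseInfoString`, `codeClassNameVulnerable` and `codeClassNameHardened` are hypothetical stand-ins written for this example (the real parser knows the full entity table, and the hardened variant is one possible mitigation, not a description of what 13.2.1 does); the attack info strings are constructed.

```javascript
// Added example, not mdast-util-to-hast code: how character-encoded
// whitespace in a fence info string reaches the class attribute.

// Decode numeric references plus a constructed subset of named ones
// (a real CommonMark parser uses the full HTML5 entity table).
function decodeCharacterReferences(text) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', nbsp: '\u00a0', Tab: '\t' };
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      // CommonMark maps U+0000 and out-of-range code points to U+FFFD.
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
    }
    return Object.prototype.hasOwnProperty.call(named, body) ? named[body] : whole;
  });
}

// Split the info string the way CommonMark does: the first run of
// non-whitespace is the language, the rest is metadata, and character
// references are decoded AFTER the split, so `&#x20;` is not a separator.
function parseInfoString(info) {
  const match = /^\s*(\S+)(?:\s+(.*?))?\s*$/.exec(info);
  if (!match) return { lang: null, meta: null };
  return {
    lang: decodeCharacterReferences(match[1]),
    meta: match[2] ? decodeCharacterReferences(match[2]) : null,
  };
}

// Vulnerable shape: `lang` is concatenated into one class token with no
// check that it really is a single token.
function codeClassNameVulnerable(lang) {
  return lang ? ['language-' + lang] : [];
}

// One hardening (hypothetical, not the upstream fix): keep only the part of
// the decoded `lang` before any whitespace, so no extra class can be smuggled.
function codeClassNameHardened(lang) {
  if (!lang) return [];
  const token = lang.replace(/\s[\s\S]*$/, '');
  return token ? ['language-' + token] : [];
}

// An HTML serializer joins className with spaces; a browser re-splits the
// attribute on ASCII whitespace (space, tab, LF, FF, CR) into the classList.
function serializeClassAttribute(className) {
  return className.join(' ');
}
function browserClassList(attributeValue) {
  return attributeValue.split(/[ \t\n\f\r]+/).filter(Boolean);
}

// End to end: info string -> lang -> class attribute -> what the browser sees.
function classesSeenByBrowser(info, buildClassName) {
  const { lang } = parseInfoString(info);
  return browserClassList(serializeClassAttribute(buildClassName(lang)));
}

// Constructed attack: a fence opened as ```js&#x20;admin-only
const ATTACK_INFO = 'js&#x20;admin-only';
console.log(classesSeenByBrowser(ATTACK_INFO, codeClassNameVulnerable)); // -> ['language-js', 'admin-only']
console.log(classesSeenByBrowser(ATTACK_INFO, codeClassNameHardened));   // -> ['language-js']
// A literal space is a separator, so it lands in `meta`, not in the class.
console.log(classesSeenByBrowser('js admin-only', codeClassNameVulnerable)); // -> ['language-js']
```

The third call is the control: the same text with a real space is harmless because the split happens first, which is why only the encoded form is an injection vector. Any check that runs before decoding misses it; the check has to look at the decoded `lang`.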

github-actions Bot added the 👋 phase/new (Post is being triaged automatically) label on Feb 26, 2026


codecov Bot commented Feb 26, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (b4799b5) to head (11b404e).
⚠️ Report is 20 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##              main       #41   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            2         2           
  Lines          163       185   +22     
=========================================
+ Hits           163       185   +22     


rfoel force-pushed the fix/cve-2025-66400-mdast-util-to-hast branch from 11b404e to 760456a on February 26, 2026 at 14:47
github-actions Bot added the 🤞 phase/open (Post is being triaged manually) label and removed the 👋 phase/new (Post is being triaged automatically) label on Feb 26, 2026

ChristianMurphy (Member) commented Feb 26, 2026

This isn't needed; the fix is already in range.
You can use npm update mdast-util-to-hast to do a targeted update in your package-lock.json, or delete your node_modules/ folder and package-lock.json file and run npm install to get fresh updates across the board.

> Yarn Berry resolves and locks the exact version from the range at install time, and if the lockfile was generated before 13.2.1 was published it will keep resolving to a vulnerable version

That is a security risk in Yarn Berry; they should fix that.
Downstream packages are not responsible for their poor choices.

github-actions Bot commented

Hi! This was closed. Team: If this was merged, please describe when this is likely to be released. Otherwise, please add one of the no/* labels.

JounQin (Member) commented Feb 26, 2026

There is also the yarn up command, similarly.
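The check behind the maintainers' advice in the two comments above (refresh the lockfile rather than raise the range), as an added example that is not code from this PR or from the remark project: the version that ends up installed is the one pinned in the lockfile, so the useful audit reads the lockfile's resolved versions, including nested copies hoisted under other dependencies, and compares them with the first fixed version. It assumes npm's package-lock.json in lockfileVersion 3 layout, where `packages` is keyed by install path; the lockfile contents, the package names `markdown-site-builder` and `some-plugin`, and the helper names are constructed for the example.

```javascript
// Added example, not code from the PR or the remark project: find every copy
// of a package that a package-lock.json (lockfileVersion 3) still pins below
// the fixed version, instead of trusting the ^ range in package.json.

// Constructed lockfile: the top-level copy was locked at 13.2.0 before 13.2.1
// existed, and a plugin carries its own nested, even older, copy.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'markdown-site-builder': '^2.0.0', 'some-plugin': '^1.0.0' } },
    'node_modules/markdown-site-builder': { version: '2.3.0', dependencies: { 'mdast-util-to-hast': '^13.0.0' } },
    'node_modules/mdast-util-to-hast': { version: '13.2.0' },
    'node_modules/some-plugin': { version: '1.0.0', dependencies: { 'mdast-util-to-hast': '^13.0.0' } },
    'node_modules/some-plugin/node_modules/mdast-util-to-hast': { version: '13.1.0' },
  },
};

// Minimal semver ordering: numeric core, then "prerelease < release" of the
// same core. Enough for comparing against one fixed version; not a range evaluator.
function compareVersions(a, b) {
  const parse = (v) => {
    const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
    if (!m) throw new Error('not a semver version: ' + v);
    return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
  };
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Every install path at which `name` resolves, with the version pinned there.
// Matching on the "node_modules/<name>" suffix catches nested copies too.
function resolutionsOf(lockfile, name) {
  const suffix = 'node_modules/' + name;
  const found = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages || {})) {
    if (installPath === suffix || installPath.endsWith('/' + suffix)) {
      found.push({ path: installPath, version: entry.version });
    }
  }
  return found;
}

// The copies that are still below the first fixed version.
function vulnerableResolutions(lockfile, name, fixedVersion) {
  return resolutionsOf(lockfile, name).filter((r) => compareVersions(r.version, fixedVersion) < 0);
}

// Usage against the constructed lockfile; for a real one, pass
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) instead.
const findings = vulnerableResolutions(SAMPLE_LOCKFILE, 'mdast-util-to-hast', '13.2.1');
for (const f of findings) {
  console.log(`${f.path}: ${f.version} is below 13.2.1`);
}
```

The nested copy is the case worth checking after any refresh: a lockfile can carry several pinned copies of the same package, and a range bump in one consumer's package.json says nothing about the others, which is why the resolved versions in the lockfile are what an audit should look at.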


Labels

🤞 phase/open Post is being triaged manually


3 participants