chore: upgrade markdown-it to ^14.2.0 to address CVE-2026-48988

[brendan-kellam]

Fixes SOU-1347

Refreshes markdown-it to 14.2.0 to address CVE-2026-48988 (quadratic-complexity DoS in the smartquotes rule). markdown-it is a transitive dependency (via codemirror-json-schema and @shikijs/markdown-it); the existing ^14.1.x ranges already admitted 14.2.0, so this is a lockfile-only refresh (yarn up -R markdown-it) with no package.json change.

yarn why markdown-it --recursive confirms all instances now resolve to 14.2.0.

Summary by CodeRabbit

• Bug Fixes
  • Updated a core dependency to a newer version for improved stability and compatibility.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 521ba044-8842-4b9e-bf1e-64c5d1694331

📥 Commits

Reviewing files that changed from the base of the PR and between 804b065 and d1ec7bc.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• CHANGELOG.md

---

Walkthrough

The CHANGELOG.md file gains one line: a Fixed bullet in the [Unreleased] section recording the markdown-it dependency upgrade to ^14.2.0.

Changes

Changelog Update

Layer / File(s)	Summary
Unreleased Fixed entry CHANGELOG.md	Adds a bullet noting the markdown-it bump to ^14.2.0 under the [Unreleased] Fixed section.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch linear/sou-1347-sourcebot-devsourcebot-cve-2026-48988-markdown-it-9731

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch linear/sou-1347-sourcebot-devsourcebot-cve-2026-48988-markdown-it-9731

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

License Audit

⚠️ Status: PASS

Metric	Count
Total packages	2137
Resolved (non-standard)	11
Unresolved	0
Strong copyleft	0
Weak copyleft	38

Weak Copyleft Packages (informational)

Package	Version	License
@img/sharp-libvips-darwin-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm	1.0.5	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-wasm32	0.33.5	Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32	0.34.5	Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32	0.33.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64	0.33.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
axe-core	4.10.3	MPL-2.0
lightningcss	1.32.0	MPL-2.0
lightningcss-android-arm64	1.32.0	MPL-2.0
lightningcss-darwin-arm64	1.32.0	MPL-2.0
lightningcss-darwin-x64	1.32.0	MPL-2.0
lightningcss-freebsd-x64	1.32.0	MPL-2.0
lightningcss-linux-arm-gnueabihf	1.32.0	MPL-2.0
lightningcss-linux-arm64-gnu	1.32.0	MPL-2.0
lightningcss-linux-arm64-musl	1.32.0	MPL-2.0
lightningcss-linux-x64-gnu	1.32.0	MPL-2.0
lightningcss-linux-x64-musl	1.32.0	MPL-2.0
lightningcss-win32-arm64-msvc	1.32.0	MPL-2.0
lightningcss-win32-x64-msvc	1.32.0	MPL-2.0

Resolved Packages (11)

Package	Version	Original	Resolved	Source
@react-grab/cli	0.1.23	UNKNOWN	MIT	LICENSE file in installed package ("MIT License" header; npm page returned HTTP 403)
@react-grab/cli	0.1.29	UNKNOWN	MIT	LICENSE file in installed package ("MIT License" header; npm page returned HTTP 403)
@react-grab/mcp	0.1.29	UNKNOWN	MIT	LICENSE file in installed package ("MIT License" header; npm page returned HTTP 403)
codemirror-lang-elixir	4.0.0	UNKNOWN	Apache-2.0	LICENSE file in installed package (Apache License 2.0 full text)
element-source	0.0.3	UNKNOWN	MIT	LICENSE file in installed package ("MIT License" header)
lezer-elixir	1.1.2	UNKNOWN	Apache-2.0	LICENSE file in installed package (Apache License 2.0 full text)
map-stream	0.1.0	UNKNOWN	MIT	LICENCE file in installed package (verbatim MIT permission text)
memorystream	0.3.1	UNKNOWN	MIT	extracted from package.json licenses[].type = "MIT", confirmed by LICENSE file (MIT text)
pause-stream	0.0.11	MIT,Apache2	(MIT OR Apache-2.0)	extracted from object/array license field, confirmed by LICENSE file ("Dual Licensed MIT and Apache 2")
posthog-js	1.369.0	SEE LICENSE IN LICENSE	Apache-2.0	LICENSE file in installed package (Apache License 2.0 full text)
valid-url	1.0.9	UNKNOWN	MIT	LICENSE file in installed package (verbatim MIT permission text)