chore(deps): update dependency markdown to v3.8.1 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
Markdown (changelog)	==3.7 → ==3.8.1

---

Python-Markdown has an Uncaught Exception

CVE-2025-69534 / GHSA-5wmx-573v-2qwq

More information

Details

Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.

Severity

• CVSS Score: 5.5 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-69534
• https://github.com/Python-Markdown/markdown/issues/1534
• https://github.com/Python-Markdown/markdown
• https://github.com/Python-Markdown/markdown/actions/runs/15736122892
• https://github.com/Python-Markdown/markdown/pull/1535
• http://www.openwall.com/lists/oss-security/2026/03/06/4
• https://github.com/advisories/GHSA-5wmx-573v-2qwq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

Python-Markdown/markdown (Markdown)

v3.8.1

Compare Source

Fixed

• Ensure incomplete markup declaration in raw HTML doesn't crash parser (#​1534).
• Fixed dropped content in md_in_html (#​1526).
• Fixed HTML handling corner case that prevented some content from not being rendered (#​1528).

v3.8

Compare Source

Changed

• DRY fix in abbr extension by introducing method create_element (#​1483).
• Clean up test directory by removing some redundant tests and port
  non-redundant cases to the newer test framework.
• Improved performance of the raw HTML post-processor (#​1510).

Fixed

• Backslash Unescape IDs set via attr_list on toc (#​1493).
• Ensure md_in_html processes content inside "markdown" blocks as they are
  parsed outside of "markdown" blocks to keep things more consistent for
  third-party extensions (#​1503).
• md_in_html handle tags within inline code blocks better (#​1075).
• md_in_html fix handling of one-liner block HTML handling (#​1074).
• Ensure <center> is treated like a block-level element (#​1481).
• Ensure that abbr extension respects AtomicString and does not process
  perceived abbreviations in these strings (#​1512).
• Ensure smarty extension correctly renders nested closing quotes (#​1514).

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[gemini-code-assist]

Code Review

This pull request updates the Markdown package dependency in requirements.txt from version 3.7 to 3.8.1. There are no review comments, and I have no feedback to provide.