Update dependency marked to v17 - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
marked (source)	^12.0.0 → ^17.0.0

---

Release Notes

markedjs/marked (marked)

v17.0.6

Compare Source

Bug Fixes

• avoid race condition in async parallel parse/parseInline with hooks (#​3924) (6e96fa7)
• cli: honor positional input file (#​3922) (a1c2617)
• cli: use file URL for config import (#​3923) (73e1f3f)

v17.0.5

Compare Source

Bug Fixes

• Fix catastrophic backtracking (ReDoS) in link/reflink label regex (#​3918) (4625980)
• prevent quadratic complexity in emStrongLDelim regex (#​3906) (c732dd2)
• prevent single-tilde strikethrough false positives (#​3910) (5e03369)
• re-assign tokenizer.lexer and renderer.parser at start of each parse call (#​3907) (f3a3ec0)
• trim trailing whitespace from lheading text (#​3920) (3ea7e88)

v17.0.4

Compare Source

Bug Fixes

• prevent ReDoS in inline link regex title group (#​3902) (46fb9b8)

v17.0.3

Compare Source

Bug Fixes

• escape image alt text (#​3896) (909fe44)

v17.0.2

Compare Source

v17.0.1

Compare Source

Bug Fixes

• fix block elements in task item (#​3828) (921ee22)

v17.0.0

Compare Source

Bug Fixes

• only create tokens inside tokenizers (#​3755) (7b19231)

BREAKING CHANGES

• Change how consecutive text tokens work in lists
• Simplify listItem renderer
• Checkbox token is added in list tokenizer
• Checkbox token add type and raw property
• Change loose list text tokens to paragraph type in the list tokenizer

v16.4.2

Compare Source

v16.4.1

Compare Source

Bug Fixes

• resolve even-numbered backtick precedence issue (#​3776) (#​3786) (1da8fb5)

v16.4.0

Compare Source

Bug Fixes

• Fix backtick and code rendering in links (#​3783) (302ee59)
• fix links with square brackets in inline code break wrapping italics (#​3785) (e3c0d3e)
• Make www case-sensitive when detecting link starts (#​3770) (626d961)

Features

• Add async provideParser provideLexer (#​3756) (09577e5)

v16.3.0

Compare Source

Features

• add emStrongMask hook (#​3749) (cd2b5f4)

v16.2.1

Compare Source

Bug Fixes

• allow escaped newline in link text (#​3752) (30c6630)

v16.2.0

Compare Source

Features

• add def token in tokens and renderer (#​3745) (0769124)

v16.1.2

Compare Source

Bug Fixes

• fix multiline list item adds extra newline to raw (#​3735) (e76453e)

v16.1.1

Compare Source

Bug Fixes

• fix stong and em tokens in angle brackets (#​3731) (ad8535c)

v16.1.0

Compare Source

Features

• add generic types for parser and renderer output (#​3722) (39a0ee3)

v16.0.0

Compare Source

Bug Fixes

• remove cjs build & update min node to 20 (#​3687) (0a35d8f)

BREAKING CHANGES

• minify ./lib/marked.esm.js and ./lib/marked.umd.js

• remove ./marked.min.js use ./lib/marked.umd.js instead

• remove ./lib/marked.cjs

• update minimum supported node version to 20 to support require('marked.esm.js'). see https://nodejs.org/docs/latest-v20.x/api/modules.html#loading-ecmascript-modules-using-require

• This seems to break Jest since it doesn't work with esm by default.

  You need to transform marked with:

  transformIgnorePatterns: ['/node_modules/(?!(marked)/)'],
  

  see Jest docs for more info

v15.0.12

Compare Source

Bug Fixes

• use esbuild for accurate sourcemaps (#​3670) (7a6b2d7)

v15.0.11

Compare Source

Bug Fixes

• fix image alt text rendered to match common mark (#​3668) (2c0e47a)

v15.0.10

Compare Source

Bug Fixes

• fix non-breaking space in link url (#​3667) (e071e25)

v15.0.9

Compare Source

Bug Fixes

• fix link url with no closing parenthesis (#​3664) (72b6373)

v15.0.8

Compare Source

Bug Fixes

• fix emstrong inside escaped backticks (#​3652) (721dc58)

v15.0.7

Compare Source

Bug Fixes

• fix table rendered as heading (#​3612) (9ae87de)

v15.0.6

Compare Source

Bug Fixes

• fix strikethrough inside strong and em to follow gfm (#​3577) (7712a53)

v15.0.5

Compare Source

Bug Fixes

• allow strikethrough inside strong and em to follow gfm (#​3569) (8a01658)

v15.0.4

Compare Source

Bug Fixes

• fix list with no items looping forever (#​3560) (e4198ed)

v15.0.3

Compare Source

Bug Fixes

• update punctuation regex syntax to fix babel mistaken transpile (#​3547) (9b988c4)

v15.0.2

Compare Source

Bug Fixes

• update punctuation regex syntax for compatibility (#​3540) (fd015f1)

v15.0.1

Compare Source

Bug Fixes

• Remove unused plus typescript tightening (#​3527) (1f579f7)

v15.0.0

Compare Source

Bug Fixes

• escape html in renderer (#​3495) (58d66e5)
• Move all regexps to rules (#​3519) (1f88deb)

BREAKING CHANGES

• escape html in renderers instead of tokenizers for all tokens.

v14.1.4

Compare Source

Bug Fixes

• fix del with escaped tilde (#​3517) (0afe87d)
• fix html comment after list (#​3518) (a612576)

v14.1.3

Compare Source

Bug Fixes

• include single nested parens in emStrong link mask (#​3475) (2b7efa8)
• kill SIGINT signal at man for marked --help (#​3483) (b1fd3ea)

v14.1.2

Compare Source

Bug Fixes

• fix html following list (#​3444) (9d7b728)

v14.1.1

Compare Source

Bug Fixes

• Don't replace tabs with spaces (#​3438) (9ed6456)

v14.1.0

Compare Source

Bug Fixes

• don't export block or inline (#​3427) (3f0430a)

Features

• add provideLexer and provideParser hooks (#​3424) (447f5af)

v14.0.0

Compare Source

Bug Fixes

• allow async option to dictate type returned (#​3341) (b5a5004)
• Remove useNewRenderer (#​3342) (e64f226)

BREAKING CHANGES

• Remove old renderer
• throw an error if async: false is set when an extension sets async: true

v13.0.3

Compare Source

Bug Fixes

• fix recursion-like stack overflow error caused by the old render… (#​3380) (89af0b8)

v13.0.2

Compare Source

Bug Fixes

• fix list item with blank first line (#​3351) (d28e4c6)

v13.0.1

Compare Source

Bug Fixes

• fix this type in extension methods (#​3339) (520b9ad)

v13.0.0

Compare Source

Bug Fixes

• Fix blockquote code continuation (#​3264) (7ab8185)
• Add parser as a property on the Renderer object (#​3291)
• Send block text tokens to the text renderer (#​3291)

Features

• Send token objects to renderers (#​3291) (1ce59ea)
• Add space renderer that returns empty string by default (#​3291)
• Add header and align properties to TableCell token (#​3291)
• Add TableRow token (#​3291)
• Add Checkbox token (#​3291)

BREAKING CHANGES

• Add space token after blockquote and hr if there are multiple newlines
• Send token objects to renderers and move logic to parse tokens from the parser to the renderers.

  • Most extensions that update marked renderers should still work with this version but will break in a future major version.

  • Extensions that change marked renderers will need to be updated and use new option useNewRenderer and accept a token object instead of multiple parameters. See updated Renderer docs

    // v12 renderer extension
    
    const extension = {
      renderer: {
        heading(text, level) {
          // increase level by 1
          return `<h${level + 1}>${text}</h${level + 1}>`;
        }
      }
    };
    
    marked.use(extension);

    // v13 renderer extension
    
    const extension = {
      useNewRenderer: true,
      renderer: {
        heading(token) {
          // increase depth by 1
          const text = this.parser.parseInline(token.tokens);
          const level = token.depth;
          return `<h${level + 1}>${text}</h${level + 1}>`;
        }
      }
    };
    
    marked.use(extension);

---

Configuration

📅 Schedule: Branch creation - "every weekend" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[claude]

Pull Request Review: Update dependency marked to v17

Summary

This PR updates the marked markdown parser from v12.0.0 to v17.0.0, a major version jump spanning 5 major versions.

---

Critical Breaking Changes Analysis

v16.0.0 Breaking Changes:

• Removed CommonJS build - only ESM is provided now
• Minimum Node.js version raised to 20
• Removed ./marked.min.js - must use ./lib/marked.umd.js instead

v15.0.0 Breaking Changes:

• HTML escaping moved from tokenizers to renderers - could affect output

v14.0.0 & v13.0.0 Breaking Changes:

• Removed old renderer (useNewRenderer option)
• Renderer API changed to use token objects

---

Code Impact Assessment

Current Usage (calendar.astro:7-15, 99):

Analysis:

• ✅ Import style is compatible (using named ESM import)
• ✅ API usage appears compatible (marked.parse() still supported)
• ✅ Options used are standard (breaks and gfm are core)
• ⚠️ HTML escaping behavior may change due to v15 changes

---

CRITICAL ISSUE: Node.js Version Mismatch

The CI/CD workflow uses Node.js 18, but marked v16+ requires Node.js 20+.

Required Action: Update .github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml line 29 to use Node.js 20 or higher.

---

Potential Issues

1. HTML Escaping Changes (v15):

   • Event descriptions with HTML entities may render differently
   • Complex regex preprocessing in formatDescription() may interact differently
   • Risk Level: Medium - needs testing

2. Node.js Version Mismatch:

   • Risk Level: HIGH - build will likely fail
   • Action Required: Update CI workflow first

3. Missing Test Coverage:

   • No automated tests for markdown rendering
   • Cannot verify behavior changes automatically

---

Testing Recommendations

Manual testing is critical since there are no automated tests:

1. Test event descriptions with various markdown patterns
2. Test preprocessed markdown patterns (lines 76-96 in calendar.astro)
3. Verify build process completes successfully
4. Compare bundle size before/after

---

Security Considerations

• ✅ Dependency from official source (Renovate bot)
• ✅ Multiple patch releases likely include security fixes
• ✅ No direct user input - only processing event descriptions from JSON
• Recommendation: Review security advisories for marked v12-v17

---

Recommendations Before Merging

1. Update CI/CD workflow to Node.js 20+ (REQUIRED)
2. Test locally with Node 20
3. Verify calendar page rendering
4. Consider adding automated tests
5. Add Node.js engine requirement to package.json

---

Summary

Merge Decision: ⚠️ BLOCK - Prerequisites Required

This is a legitimate dependency update and upgrading to v17 is recommended for security and bug fixes. However, the Node.js version incompatibility must be resolved first.

Critical Action: Update GitHub Actions workflow to use Node.js 20 before merging.

Once Node.js is updated and testing is complete, this PR can be safely merged.

---

Review generated by Claude Code following repository CLAUDE.md guidelines

[claude]

Pull Request Review: Update dependency marked to v17

Overview

This PR updates the marked library from v12 to v17, which is a major version jump spanning 5 major versions (v12 → v17). This requires careful review as it includes several breaking changes.

---

Critical Concerns

1. Breaking Changes - High Priority

The upgrade jumps through multiple breaking changes:

• v16.0.0: Removed CommonJS build, minimum Node.js version now 20, removed marked.min.js
• v15.0.0: Changed HTML escaping behavior - now escapes in renderers instead of tokenizers for all tokens
• v14.0.0: Removed useNewRenderer option and old renderer
• v13.0.0: Major renderer API changes - renderers now receive token objects instead of multiple parameters

Impact on this codebase:

• Current usage in src/pages/calendar.astro:7-15 uses marked.setOptions() and marked.parse()
• The code appears to use the synchronous API without custom renderers, so renderer breaking changes may not directly affect it
• However, the HTML escaping changes in v15 could affect output, especially given the complex markdown preprocessing in formatDescription() function (lines 71-117)

2. Node.js Version Requirement

v16 requires Node.js 20+. This should be verified:

# Verify Node version in:
# - .nvmrc or .node-version file
# - package.json engines field
# - GitHub Actions workflows
# - Any Docker/deployment configurations

3. Testing Gap - Critical

• No automated tests found for the markdown rendering functionality
• The formatDescription() function (calendar.astro:71-117) has extensive preprocessing logic with 13+ regex replacements
• Without tests, it's impossible to verify that the HTML escaping changes in v15 don't break the careful URL and markdown fixing logic

---

Code Quality Assessment

Current marked usage (calendar.astro:7-15):

import { marked } from 'marked';

marked.setOptions({
  breaks: true, // Convert \n to <br>
  gfm: true     // Enable GitHub Flavored Markdown
});

Good practices:

• Simple configuration using documented options
• Proper error handling in formatDescription() with try-catch and fallback

Concerns:

• Complex preprocessing suggests potential markdown issues that may interact with v15's escaping changes
• The code manually handles URL fixing, which might conflict with marked's updated handling

---

Security Review

Positive:

• HTML is properly sanitized through marked's parsing
• Using set:html in Astro (line 188, 255) is appropriate for marked output

Concerns:

• v15's escaping changes could introduce double-escaping issues if the preprocessing logic isn't compatible
• The extensive regex preprocessing (lines 76-96) could potentially create security issues if v15 escapes differently
• Recommendation: Manually test with various markdown inputs, especially:
  • Malformed links
  • HTML entities
  • Special characters in URLs
  • Mixed markdown/HTML content

---

Performance Considerations

• The upgrade includes various bug fixes and optimizations
• v17 uses ES modules only, which should work fine with Astro's build process
• No significant performance regressions noted in release notes

---

Recommendations

Before Merging:

1. Verify Node.js version compatibility across all environments
2. Manual testing required - Test the calendar page with:
   • Events with complex markdown descriptions
   • URLs with special characters
   • HTML entities
   • Mixed formatting (bold, italic, links, lists)
3. Add regression tests (even basic smoke tests) for markdown rendering
4. Check build output - Run npm run build and verify no errors
5. Review v15 escaping changes - Ensure the preprocessing logic is still needed

Test Commands:

# Install dependencies
npm install

# Validate data files
npm run validate

# Test build
npm run build

# Preview locally
npm run preview
# Then manually test /calendar page

Suggested Test Cases:

• Event with markdown link: [Click here](https://example.com)
• Event with URL containing backslashes (line 78 handles this)
• Event with malformed links (lines 79-96 handle various cases)
• Event with HTML entities like & or <

---

Missing Elements

• No changelog review in PR description
• No test coverage for critical markdown rendering
• No mention of Node.js version verification
• No migration guide reference from marked documentation

---

Verdict

⚠️ REQUIRES MANUAL TESTING BEFORE MERGE

While the code changes are minimal (just version bumps), the 5 major version jump with significant breaking changes around HTML escaping and renderer behavior requires thorough testing, especially given:

1. No automated test coverage
2. Complex markdown preprocessing logic
3. Security-sensitive HTML rendering
4. Node.js version requirement changes

Suggested approach:

1. Test locally with real event data
2. Verify Node.js 20+ in all environments
3. Consider adding basic smoke tests for markdown rendering
4. If all tests pass, merge with monitoring

---

References:

• marked v16 breaking changes
• marked v15 HTML escaping changes
• marked v13 renderer changes

[claude]

Pull Request Review: Update dependency marked to v17

Thank you for this dependency update! I've reviewed the changes and have the following feedback:

🔴 Critical Issues

1. Node.js Version Incompatibility

The PR upgrades marked from v12 to v17, which includes a breaking change requiring Node.js 20+. Your CI/CD pipeline currently uses Node.js 18:

• File: .github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml:29
• Current: node-version: '18'
• Required: Node.js 20+

According to the v16.0.0 release notes:

"update minimum supported node version to 20"

Action Required: Update all GitHub Actions workflows to use Node.js 20 before merging this PR.

---

⚠️ Breaking Changes to Review

2. CommonJS Build Removed (v16.0.0)

The marked package no longer provides a CommonJS build:

• ❌ Removed: ./lib/marked.cjs
• ✅ Use instead: ./lib/marked.esm.js

Impact: Your code uses ES module imports (import { marked } from 'marked'), so this should be fine. However, verify that your build process doesn't rely on CJS modules.

3. HTML Escaping Behavior Changed (v15.0.0)

"escape html in renderers instead of tokenizers for all tokens"

Impact: The timing of HTML escaping has changed. Review the formatDescription function in src/pages/calendar.astro:71-117 to ensure it still produces safe output.

4. Renderer Interface Changes (v13.0.0)

The renderer now receives token objects instead of individual parameters. Your code uses the default renderer via marked.parse(), so this shouldn't affect you directly unless you plan to customize rendering in the future.

---

✅ Positive Observations

1. Good use of options: The code correctly uses marked.setOptions() with appropriate GFM settings
2. Error handling: Proper try-catch around marked.parse() with fallback logic
3. Type safety: TypeScript types are being used for calendar events

---

📋 Testing Recommendations

Since there are no automated tests for the markdown parsing functionality:

1. Manual testing required for the calendar page after upgrade:

   • Verify event descriptions with various markdown formats render correctly
   • Test edge cases: links, escaped characters, code blocks, lists
   • Check for any HTML injection vulnerabilities with the new escaping behavior

2. Test data: Use events with descriptions containing:

   • Bold/italic text
   • Links (especially the complex URL patterns your regex handles)
   • Lists and code blocks
   • Special characters

---

🔒 Security Considerations

The upgrade from v12 to v17 includes many bug fixes related to:

• Backtick and code rendering (v16.4.0)
• Link parsing edge cases (v15.0.x series)
• HTML escaping improvements (v15.0.0)

These fixes improve security by better handling edge cases that could lead to XSS vulnerabilities.

---

🚀 Performance Considerations

The changelog mentions several performance-related fixes but no major performance regressions noted. The markdown parsing happens at build time (static site), so runtime performance impact is minimal.

---

📝 Action Items Before Merge

1. Update Node.js version in all GitHub Actions workflows from 18 to 20+
2. Run local build with the new version and verify the calendar page renders correctly
3. Test edge cases in event descriptions manually
4. Consider adding tests for the formatDescription function to prevent future regressions

---

🎯 Recommendation

Do not merge yet. First update the Node.js version requirement across all workflows, then thoroughly test the markdown rendering on the calendar page.

The upgrade is worthwhile for bug fixes and security improvements, but needs the Node.js 20+ migration to proceed safely.

---

📚 Additional Context

The marked library is only used in one place:

• File: src/pages/calendar.astro:7,99
• Purpose: Converting markdown event descriptions to HTML

The relatively limited usage scope makes this a lower-risk upgrade once Node.js compatibility is addressed.

[claude]

Pull Request Review: Update dependency marked to v17

Overview

This PR updates the marked library from ^12.0.0 to ^17.0.0, which is a major version upgrade spanning 5 major versions (v12 → v17). This requires careful review due to multiple breaking changes.

---

Critical Breaking Changes & Compatibility Issues

1. Node.js Version Requirement ⚠️ ACTION REQUIRED

Issue: marked v16.0.0+ requires Node.js 20 minimum, but the project currently uses Node.js 18.

Evidence:

• .github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml:29 specifies node-version: '18'
• Breaking change in v16.0.0: "update minimum supported node version to 20"

Impact: The build will fail in CI/CD pipeline.

Recommendation: Update Node.js to version 20 in all GitHub Actions workflows.

---

2. Module Format Changes

Breaking change (v16.0.0):

• Removed ./lib/marked.cjs (CommonJS build)
• Removed ./marked.min.js (use ./lib/marked.umd.js instead)
• Primary module is now ESM-only

Current Usage: ✅ Safe

• The project uses "type": "module" in package.json:3
• Import statement uses ESM syntax in calendar.astro:7

---

3. Renderer API Changes (v13.0.0 & v14.0.0)

Breaking change: Renderers now receive token objects instead of individual parameters.

Current Usage: ✅ Safe

• The code only uses marked.setOptions() with basic options (breaks, gfm)
• No custom renderers are defined
• Uses default rendering behavior via marked.parse()

---

Security & Performance Considerations

Security Improvements ✅

v15.0.0: "escape html in renderers instead of tokenizers for all tokens"

• This improves XSS prevention by moving HTML escaping to a later, more centralized stage
• Benefit: Better protection against malicious markdown content in event descriptions

Bug Fixes Relevant to This Codebase

Multiple fixes for edge cases in markdown parsing:

• v16.x: Backtick and code rendering in links
• v15.x: Non-breaking spaces in URLs, escaped newlines in link text
• v14.x: HTML following lists, escaped tildes in strikethrough

Impact: The complex description preprocessing in formatDescription() may benefit from these fixes, potentially allowing simplification of some regex patterns.

---

Testing Recommendations

Critical Test Cases (No automated tests found)

Since no test files exist, manual testing is essential:

1. Event Description Rendering: Test various markdown formats (links, bold, italic, lists, code blocks)
2. Performance: Test calendar page load time with many events
3. XSS Prevention: Test that HTML in event descriptions is properly escaped

---

Migration Path & Risk Assessment

Risk Level: MEDIUM 🟡

Blockers:

• ❌ Node.js 18 → 20 upgrade required

Safe Aspects:

• ✅ No custom renderers (major API change doesn't affect this codebase)
• ✅ ESM-only is already in use
• ✅ Simple options configuration remains compatible

Recommended Approach

1. Before merging this PR:

   • Update Node.js version in all GitHub Actions workflows to Node 20
   • Consider adding Node.js version constraint to package.json

2. After merging:

   • Monitor build pipeline for any issues
   • Manually test event descriptions rendering
   • Consider adding automated tests for markdown rendering

---

Verdict

Conditional Approval ✅ (with required changes)

This dependency update is recommended but cannot be merged as-is due to the Node.js version requirement.

Required changes before merge:

1. Update Node.js to version 20 in all workflow files
2. Add Node.js version constraint to package.json
3. Manual testing of calendar page with various event descriptions

Benefits of upgrading:

• Improved security (better HTML escaping)
• Better CommonMark compliance
• Numerous bug fixes for edge cases
• Long-term maintainability (staying current with dependencies)

Once the Node.js version is updated, this upgrade should be safe to merge! 🚀

[claude]

Code Review: Update marked dependency to v17

This PR updates marked from v12 to v17 (5 major versions). I found critical issues that must be addressed.

Critical Issues (BLOCKER)

1. Node.js Version Incompatibility

• marked v16+ requires Node.js 20+
• Current CI uses Node.js 18 in workflows
• Impact: Build will FAIL
• Fix: Update node-version to 20 in:
  • .github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml:29
  • .github/workflows/update-calendar.yml:21

2. Breaking API Changes

• marked v13 changed renderer API (tokens instead of params)
• Current code uses basic marked.parse() so should work
• Need to test markdown rendering after upgrade

3. ESM-only (v16)

• No more CommonJS build
• Project already uses ESM so should be compatible

Security Concerns

HTML Escaping Changed (v15)

• HTML escaping moved from tokenizers to renderers
• Location: src/pages/calendar.astro:71-117 formatDescription()
• Risk: Event descriptions from external RSS feeds
• Action: Test for HTML injection vulnerabilities

Test Coverage Issues

No tests found for markdown functionality

• formatDescription() has complex regex but zero tests
• Recommend adding tests before upgrade

Required Actions

1. Update Node.js to v20 in ALL workflows
2. Test calendar page with marked v17
3. Verify no HTML injection issues
4. Add engines field to package.json

Verdict

DO NOT MERGE until Node.js version updated to 20+

After Node.js update, this is RECOMMENDED for bug fixes and security, but needs thorough testing.

[claude]

Pull Request Review: Update marked to v17

Summary

This PR updates the marked markdown parsing library from v12 to v17, which is a major version upgrade spanning 5 major versions. This requires careful consideration due to multiple breaking changes.

---

Critical Issues

🚨 Breaking Change: Node.js Version Requirement

• Issue: marked v16+ requires Node.js 20 as the minimum supported version
• Current Setup: Your CI workflows use Node.js 18 (.github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml:29)
• Impact: This will cause build failures in CI/CD
• Action Required: Update Node.js to version 20+ before merging

# .github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml
- name: Setup Node.js
  uses: actions/setup-node@v3
  with:
    node-version: '20'  # Update from 18 to 20

⚠️ Breaking Change: Module System Changes

• Issue: v16 removed CommonJS build and now uses ESM primarily
• Your Setup: Your package.json correctly specifies "type": "module", so this should be compatible
• Potential Risk: If any scripts or dependencies rely on CommonJS, they may break

---

Code Quality & Best Practices

✅ Good News: Your Usage is Compatible

The code in src/pages/calendar.astro uses:

• marked.parse() - Still supported ✓
• marked.setOptions() - Still supported ✓
• Simple import: import { marked } from 'marked' - Still supported ✓

Your usage pattern is straightforward and should work with v17.

---

Potential Bugs & Issues

1. HTML Escaping Changes (v15)

• Change: HTML is now escaped in renderers instead of tokenizers
• Impact: Event descriptions with HTML content may render differently
• Risk Level: Low (your code uses markdown, not raw HTML)

2. Renderer API Changes (v13)

• Change: Renderers now receive token objects instead of individual parameters
• Impact: Your code doesn't use custom renderers, so no impact
• Risk Level: None for your codebase

---

Performance Considerations

✅ Improvements

• Multiple bug fixes for markdown parsing edge cases (v13-v17)
• Better handling of:
  • Backticks and code in links
  • Strikethrough inside strong/em tags
  • Malformed markdown links
  • Escaped characters

These improvements may actually fix some of the malformed markdown issues you're currently working around in your formatDescription() function (lines 76-96 in calendar.astro).

---

Security Concerns

✅ No Security Vulnerabilities Identified

• This is a Renovate bot dependency update
• The marked library is well-maintained with regular security patches
• v17 includes fixes for various parsing edge cases that improve robustness

---

Test Coverage

⚠️ Missing Test Coverage

• Issue: No test suite detected in the repository
• Risk: Cannot automatically verify the upgrade doesn't break functionality
• Recommendation:
  1. Manually test the calendar page after upgrade
  2. Verify event descriptions render correctly
  3. Check various markdown formats (links, bold, italic, lists, code blocks)

---

Recommendations

Required Before Merge:

1. Update Node.js to v20 in all GitHub Actions workflows
2. Manual testing of the calendar page with various markdown event descriptions
3. Verify build succeeds locally with npm run build

Optional Improvements:

1. Consider simplifying your formatDescription() function after upgrade - many of the regex workarounds may no longer be needed
2. Add basic integration tests for markdown rendering
3. Consider updating other workflows that might be using Node 18

Suggested Merge Plan:

# 1. Update Node.js version in CI
# 2. Test build locally
npm install
npm run build
npm run preview

# 3. Verify calendar page renders correctly
# 4. Then merge this PR

---

Verdict

🟡 CONDITIONAL APPROVAL - The dependency update is good and includes useful improvements, but requires Node.js 20 upgrade first. Without updating Node.js, this PR will break CI/CD builds.

Recommended Action:

1. Update Node.js to v20 in CI workflows (separate PR or include in this one)
2. Test thoroughly
3. Then merge

---

Risk Level: Medium (due to multiple major version jumps and Node.js requirement)
Breaking Changes: 2 identified (Node.js version, module system)
Code Compatibility: High (your usage patterns are compatible)

[claude]

Pull Request Review: Update dependency marked to v17

Summary

This PR updates the marked library from v12.0.0 to v17.0.0 - a major version upgrade spanning 5 major versions (v12 → v17). The library is used in src/pages/calendar.astro to parse markdown descriptions in calendar events.

---

Code Quality and Best Practices ✅

Positive:

• The upgrade follows semantic versioning conventions
• Package lock file (yarn.lock) is properly updated with integrity hashes
• The codebase uses marked in a straightforward manner with basic configuration

Concerns:
None - the current usage is clean and appropriate.

---

Potential Bugs or Issues ⚠️

CRITICAL - Breaking Changes:

1. Node.js Version Compatibility Issue 🔴

   • marked v16+ requires Node.js 20+ minimum
   • Current CI/CD uses Node.js 18 (.github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml:29)
   • This will cause deployment failures unless Node version is upgraded first

2. API Changes (v13.0.0) - LOW RISK ⚠️

   • Renderers now receive token objects instead of parameters
   • Current code only uses marked.parse() and marked.setOptions() - both unchanged
   • No custom renderers are used, so no code changes needed

3. Output Type Changes - MINIMAL RISK ⚠️

   • The code already handles this correctly at calendar.astro:102

4. Module Format Changes (v16.0.0) - MINIMAL RISK ⚠️

   • CommonJS build removed in favor of ESM
   • Project already uses "type": "module" in package.json:3 ✅
   • Import statement uses ESM: import { marked } from 'marked' ✅

---

Performance Considerations 🚀

Improvements from v12 → v17:

• Better markdown parsing performance
• Improved regex handling for edge cases
• Fixes for various parsing bugs (backticks, links, strikethrough, etc.)

Impact:

• Minimal - marked is only used during static site generation, not runtime
• No client-side performance impact

---

Security Concerns 🔒

Positive Changes:

• v15.0.0: HTML escaping now happens in renderers instead of tokenizers (more secure)
• Multiple bug fixes for parsing edge cases that could cause issues

Current Security Posture:

• Event descriptions are processed with set:html at calendar.astro:188 and :255
• Content comes from calendar-events.json (trusted source under version control)
• No XSS risk since content is not user-generated at runtime

Recommendation:
Continue current practices - the upgrade improves security.

---

Test Coverage ❌

CRITICAL ISSUE:

• No automated tests found for the markdown rendering functionality
• No test files exist in the project (.test.js, .spec.js)
• This major upgrade is being merged without verification that:
  • Existing event descriptions still render correctly
  • Edge cases in URL parsing still work
  • Custom regex replacements in formatDescription() still function

Recommendation:
Before merging, manually verify:

1. Navigate to /calendar page locally after upgrade
2. Check that event descriptions with markdown render correctly
3. Verify links, bold text, and line breaks display properly
4. Test with events that have complex descriptions

---

Required Actions Before Merge 🛑

1. Update Node.js version to 20+ in .github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml

2. Check other workflow files - Update Node version in all workflows:

   • .github/workflows/update-calendar.yml
   • .github/workflows/weekly-meetups.yml
   • .github/workflows/validate-json.yml
   • Any other workflows using Node.js

3. Manual testing - Verify calendar page renders correctly with the upgrade

4. Consider adding package.json engines field

---

Verdict

Status: ⚠️ NEEDS CHANGES - DO NOT MERGE YET

Reasoning:
While the marked upgrade itself is beneficial and low-risk for this codebase's usage pattern, the Node.js 18 → 20 version mismatch will cause CI/CD failures. This must be resolved first.

Suggested Merge Order:

1. Merge a PR updating Node.js to v20 in all workflows
2. Then merge this dependency update
3. Verify deployment succeeds

The code quality is good and the upgrade brings security and bug fixes, but the infrastructure must support the new requirements first.

[claude]

Pull Request Review: Update dependency marked to v17

Thank you for this dependency update! I've reviewed the changes and have the following feedback:

Overview

This PR updates the marked library from v12.0.0 to v17.0.0, which is a major version upgrade spanning 5 major versions. The library is currently only used in one file: src/pages/calendar.astro for parsing Markdown event descriptions.

---

Breaking Changes Analysis

Based on the marked release notes, several critical breaking changes affect this project:

1. Node.js Version Requirement (v16.0.0)

• Impact: HIGH
• Issue: Minimum Node.js version increased from previous to v20
• Current Setup: CI uses Node.js 18 (azure-static-web-apps-ashy-field-00e5f470f.yml:29)
• Action Required: Update .github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml to use Node 20+

- name: Setup Node.js
  uses: actions/setup-node@v3
  with:
    node-version: '20'  # Currently set to '18'

2. CommonJS Build Removed (v16.0.0)

• Impact: MEDIUM
• Issue: Removed ./lib/marked.cjs - now ESM-only
• Current Setup: Project uses "type": "module" in package.json ✅
• Status: Should be compatible, but needs testing

3. API Changes (v13.0.0 - Renderer Changes)

• Impact: LOW (for this project)
• Issue: Renderers now receive token objects instead of multiple parameters
• Current Usage: This project uses marked.parse() directly without custom renderers ✅
• Status: No changes needed

4. HTML Escaping Changes (v15.0.0)

• Impact: LOW-MEDIUM
• Issue: HTML is now escaped in renderers instead of tokenizers
• Current Usage: The calendar page displays user-generated content from RSS feeds
• Security Note: This change improves XSS protection, which is good for this use case

---

Code Quality & Compatibility

Current Usage in calendar.astro:12-15, 99:

marked.setOptions({
  breaks: true,
  gfm: true
});
const html = marked.parse(processedDescription);

✅ Good news: The API methods used (setOptions and parse) remain stable across all versions.

---

Potential Issues & Risks

🔴 Critical: Node.js Version Mismatch

• CI will fail with Node 18 if marked v17 requires Node 20
• Recommendation: Test build locally with Node 20, or update CI to Node 20

🟡 Medium: Large Version Jump

• Jumping from v12 to v17 skips significant changes
• Recommendation: Review the full changelog for any edge cases

🟡 Medium: No Test Coverage

• No automated tests exist for markdown rendering
• Recommendation: Manually test event descriptions render correctly, especially:
  • Links with special characters (already has URL fixes in code)
  • Lists and code blocks
  • Bold/italic formatting
  • Line breaks (breaks: true option)

---

Security Considerations

✅ Positive: The v15.0.0 change to escape HTML in renderers improves XSS protection for user-generated content from RSS feeds.

✅ No Known Vulnerabilities: No security advisories mentioned in the release notes for the versions being skipped.

---

Performance Considerations

⚠️ Unknown: No specific performance improvements or regressions mentioned in release notes. Given the library is only used on a single page for event descriptions, performance impact should be minimal.

---

Testing Recommendations

Before merging, please test the following:

1. Build Process:

   npm run build

2. Calendar Page Rendering:

   • Visit /calendar page
   • Verify event descriptions render correctly
   • Check for any broken markdown formatting
   • Test with various markdown patterns (links, lists, bold, italic)

3. CI Pipeline:

   • Either update Node.js version to 20 in CI, or test that build succeeds with Node 18

4. Weekly Meetups Script:

   • While marked isn't directly used in scripts, verify npm run update-calendar still works

---

Recommendations

Before Merging:

1. ✅ Update Node.js version in CI to v20 (or verify build works with Node 18)
2. ✅ Test build locally with npm run build
3. ✅ Preview the calendar page with npm run preview
4. ✅ Check for any console errors or warnings

Future Improvements:

• Consider adding automated tests for markdown rendering
• Consider adding a visual regression test for the calendar page
• Lock marked to a specific version range (e.g., "marked": "~17.0.0") instead of caret (^) to avoid unexpected future breaking changes

---

Conclusion

Overall Assessment: This update includes important breaking changes that require attention before merging.

Merge Readiness: ⚠️ NOT READY - Requires Node.js version update in CI workflow

Recommended Action:

1. Update Node.js to v20 in .github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml
2. Test the build and calendar page rendering
3. Once verified, this PR can be safely merged

The upgrade itself is beneficial for security and future compatibility, but needs the prerequisite Node.js version bump to work properly.

[claude]

Pull Request Review: Update dependency marked to v17

Summary

This PR updates the marked dependency from v12 to v17, a major upgrade spanning 5 major versions with breaking changes.

Critical Issues - BLOCKERS

Node.js Version Compatibility (BLOCKER)

• Issue: marked v16+ requires Node.js 20 minimum
• Current: Project uses Node.js 18 in azure-static-web-apps workflow
• Impact: This will fail in CI/CD and production
• Required: Update to Node 20+ in all workflows and deployment

Module System Changes

• marked v16 removed CommonJS, now ESM only
• Project uses type: module so should be compatible
• Testing required to verify imports work

Major API Changes

Renderer API (v13): Renderers now get token objects instead of parameters. Current usage only uses default renderer so should not break.

HTML Escaping (v15): HTML now escaped in renderers vs tokenizers. Could affect event descriptions with HTML entities.

Security Considerations

Positive: Many bug fixes for markdown parsing edge cases including backticks in links, emstrong tokens, HTML comments, and strikethrough rendering. Improves security.

Testing Required

1. Build with Node 20+
2. Test calendar page rendering
3. Verify markdown features work: links, code, lists, formatting, HTML entities
4. Test with real event data

Missing Test Coverage

No automated tests for markdown parsing. Recommend adding unit tests for formatDescription function.

Recommendations

BEFORE MERGING:

1. DO NOT MERGE until Node.js 20+ deployed to workflows and Azure
2. Add engines field to package.json requiring node >=20
3. Manual testing of calendar page
4. Consider adding automated tests

AFTER MERGING:

1. Monitor for rendering issues
2. Simplify regex preprocessing if v17 fixes make it redundant

Verdict

Status: BLOCK - DO NOT MERGE YET

Infrastructure updates required first. Once Node 20+ is deployed, this upgrade is advisable for bug fixes and security.

Priority: Medium-High
Effort: Medium

[claude]

Pull Request Review: Update dependency marked to v17

Summary

This PR updates the marked package from v12.0.0 to v17.0.0, a major version upgrade spanning 5 major versions.

Critical Concerns

1. Node.js Version Compatibility - BLOCKING ISSUE

Problem: The current CI/CD workflows use Node.js 18, but marked v16+ requires Node.js 20+.

Evidence:

• All GitHub Actions workflows use node-version 18
• marked v16.0.0 breaking change: update minimum supported node version to 20

Required Action: Update all workflow files to use Node.js 20

Files to update:

• .github/workflows/update-calendar.yml
• .github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml

Breaking Changes Analysis

1. ESM Module Changes (v16.0.0)

• Status: No action needed - project already uses ESM

2. API Changes (v13.0.0 - v17.0.0)

The codebase uses marked.setOptions and marked.parse which remain compatible.

• Status: No code changes needed

3. Renderer Changes (v13.0.0)

• Status: No impact - project does not extend the renderer

Code Quality Assessment

Current usage in src/pages/calendar.astro is robust with:

• Clean error handling with try-catch
• Proper fallback if parsing fails
• Good pre-processing of malformed markdown
• Type safety with TypeScript

Testing Considerations

No test suite detected. Recommended manual testing:

1. Test markdown rendering on calendar page
2. Verify prebuild script works
3. Test automated calendar updates

Performance Considerations

Positive impacts expected:

• Regex optimizations in v15+
• Bug fixes for parsing edge cases
• Bundle size optimizations

Security Review

No security concerns identified. Package is from official markedjs/marked repository.

Recommendation

DO NOT MERGE YET

Prerequisites before merging:

1. Update Node.js version to 20 in all GitHub Actions workflows
2. Test the build locally with Node 20
3. Manually test calendar page markdown rendering
4. Verify automated calendar update scripts work

Once prerequisites are met: This is a safe upgrade with significant bug fixes.

Overall assessment: Beneficial upgrade, but Node.js 20 requirement must be addressed first.

[claude]

Pull Request Review: Update dependency marked to v17

Summary

This PR upgrades the marked library from ^12.0.0 to ^17.0.0, a major version update spanning 5 major versions. The change is minimal in scope (only updating package.json and yarn.lock), but the upgrade introduces significant breaking changes that need careful consideration.

---

Critical Issues

🔴 BREAKING CHANGE: Node.js Version Requirement

• Issue: marked v16.0.0 requires Node.js 20+ as a minimum (currently the project uses Node.js 18 in CI/CD)
• Location: .github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml:29
• Impact: The build will fail in the Azure Static Web Apps deployment pipeline
• Recommendation:
  • Update Node.js version to 20 in the GitHub Actions workflow
  • Consider updating .github/workflows/update-calendar.yml, weekly-meetups.yml, and other workflows to use Node.js 20 as well

🔴 BREAKING CHANGE: Module Format

• Issue: marked v16.0.0 removed CommonJS build and only provides ESM
  • Removed ./lib/marked.cjs
  • Removed ./marked.min.js (replaced by ./lib/marked.umd.js)
• Current Usage: The project uses ESM imports (import { marked } from 'marked' in src/pages/calendar.astro:7), so this should be compatible
• Impact: Low - project already uses ESM format
• Recommendation: No changes needed, but be aware that CommonJS is no longer available

⚠️ API Changes in v13.0.0

• Issue: Renderer API changed to accept token objects instead of multiple parameters
• Current Usage: The code uses marked.parse() and marked.setOptions() (lines 12-15, 99 in calendar.astro)
• Impact: Low - the basic parse() API remains unchanged, but if you have any custom renderers, they would need updates
• Recommendation: Test the formatDescription() function thoroughly to ensure markdown parsing still works correctly

---

Code Quality & Best Practices

✅ Good: Minimal API Surface

The codebase only uses basic marked functionality:

• marked.setOptions() for configuration
• marked.parse() for parsing markdown
  This reduces the risk of breaking changes affecting the code.

⚠️ Concern: Complex Markdown Pre-processing

The formatDescription() function (lines 71-117) contains extensive regex-based pre-processing to fix malformed markdown. This suggests:

1. Input data quality issues that should be addressed at the source
2. Potential fragility when the markdown parser behavior changes

Recommendation: Consider adding validation/sanitization at data ingestion time rather than patching in the presentation layer.

---

Security Considerations

✅ Positive: HTML Escaping Improvements

marked v15.0.0 improved HTML escaping by moving it from tokenizers to renderers, which provides better XSS protection. This is a security enhancement for your use case since event descriptions are rendered with set:html.

⚠️ Advisory: Review Event Description Rendering

Since event descriptions are rendered as raw HTML (set:html={formatDescription(event.description)} on lines 188, 255), ensure:

1. Event descriptions from external sources are trustworthy
2. The markdown parser's HTML escaping is sufficient
3. Consider using a Content Security Policy (CSP) for defense in depth

---

Performance Considerations

ℹ️ Build Size

The new versions include minified builds and may have different bundle sizes. The impact should be negligible for a static site, but worth monitoring.

ℹ️ Parser Performance

Multiple versions included performance improvements and bug fixes for:

• Backtick parsing
• Link handling
• List rendering
• Emphasis/strong/strikethrough processing

These may slightly improve page build times when processing event descriptions.

---

Test Coverage

🔴 Critical: No Tests Found

• Issue: No test files found in the repository
• Impact: Cannot verify that markdown parsing behavior remains consistent across this major version upgrade
• Recommendation:
  1. Manually test the calendar page with various markdown patterns in event descriptions
  2. Verify edge cases like:
     • Links with special characters
     • Nested formatting (bold within links, etc.)
     • Code blocks and inline code
     • Lists (ordered and unordered)
  3. Consider adding integration tests for critical paths

---

Migration Checklist

Before merging this PR, please:

• Update Node.js version to 20+ in all GitHub Actions workflows
• Test calendar page rendering with various markdown patterns in event descriptions
• Verify the build process completes successfully in CI/CD
• Check for console errors related to markdown parsing
• Review event descriptions on the deployed site for rendering issues
• Consider adding test coverage for markdown rendering functionality

---

Release Notes Summary

Key improvements from v12 to v17:

• ✅ Better HTML escaping (security)
• ✅ Improved backtick and code rendering
• ✅ Better link parsing with special characters
• ✅ Bug fixes for lists, tables, and emphasis rendering
• ✅ New extensibility features (hooks, async support)

Breaking changes to be aware of:

• ⚠️ Node.js 20+ requirement
• ⚠️ CommonJS removed (ESM only)
• ⚠️ Renderer API changes (if using custom renderers)

---

Recommendation

❌ DO NOT MERGE until Node.js version is updated to 20+ in CI/CD workflows.

Once the Node.js version is updated:

1. Test thoroughly on a preview deployment
2. Verify calendar page markdown rendering
3. Then merge with confidence

The upgrade itself is beneficial (security improvements, bug fixes), but requires infrastructure updates first.

[claude]

Pull Request Review: Update dependency marked to v17

Summary

This PR updates the marked library from v12.0.0 to v17.0.0, a major version bump that includes several breaking changes and improvements.

---

Code Quality & Best Practices ✅

Positive aspects:

• Clean, automated dependency update via Renovate
• Minimal changes (only package.json and yarn.lock)
• Comprehensive release notes provided

---

Breaking Changes Analysis ⚠️

The update includes multiple breaking changes that need careful consideration:

1. Node.js Version Requirement (v16.0.0 - CRITICAL)

• Breaking: Minimum Node.js version increased from previous to Node 20
• Current CI/CD: Uses Node 18 (see .github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml:29)
• Impact: ❌ This will break your CI/CD pipeline
• Recommendation: Update GitHub Actions to use Node 20+ before merging

# Current (line 29):
node-version: '18'

# Should be:
node-version: '20'

2. CommonJS Removal (v16.0.0)

• Breaking: ./lib/marked.cjs removed, only ESM available
• Impact: ✅ No issue - your project uses "type": "module" in package.json
• Your import (import { marked } from 'marked') will continue to work

3. Renderer API Changes (v13.0.0)

• Breaking: Renderers now receive token objects instead of multiple parameters
• Current Usage: calendar.astro:99 uses marked.parse() only (not custom renderers)
• Impact: ✅ No code changes needed - you're not using custom renderers

4. File Path Changes

• ./marked.min.js removed → use ./lib/marked.umd.js instead
• Minified files now at ./lib/marked.esm.js and ./lib/marked.umd.js
• Impact: ✅ No issue - you import from package name, not specific paths

---

Potential Bugs & Issues 🔍

Low Risk Items:

1. marked.setOptions() usage (calendar.astro:12-15)

   • Options breaks and gfm are still supported in v17
   • ✅ No changes needed

2. marked.parse() return type (calendar.astro:99)

   • The code already handles both string and non-string returns (line 102)
   • In async mode, marked.parse() returns a Promise, but you're using sync mode
   • ✅ Current defensive handling is good

3. HTML Escaping Changes (v15.0.0)

   • HTML now escaped in renderers instead of tokenizers
   • Your descriptions may render differently if they contain HTML
   • ⚠️ Test recommendation: Verify event descriptions render correctly

---

Performance Considerations 📊

Improvements in v17:

• Better regex performance (punctuation handling optimizations)
• Improved parsing for edge cases (backticks, links, strikethrough)
• ESM-only build may have better tree-shaking

No Performance Concerns: Your usage is straightforward - parsing event descriptions at build time only.

---

Security Concerns 🔒

✅ No security issues identified

• HTML escaping is now more robust (moved to renderer layer)
• Multiple security-related bug fixes in the release history
• Sanitization improvements in link parsing

Good existing practices:

• Using set:html which Astro sanitizes appropriately
• External links properly use target="_blank" rel="noopener noreferrer"

---

Test Coverage 📝

⚠️ Missing:

• No automated tests detected in the repository
• No test files for the calendar page or markdown parsing

Recommendations:

1. Manual testing required before merging:

   • View calendar page in preview
   • Verify event descriptions with various markdown elements render correctly:
     • Links (especially the complex URL patterns you handle in formatDescription())
     • Bold/italic text
     • Lists
     • Line breaks
   • Check for any HTML escaping issues

2. Consider adding integration tests for critical functionality like markdown parsing

---

Migration Checklist ✅

Before merging this PR:

• Update Node.js version in GitHub Actions workflows (18 → 20)
  • .github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml
  • Any other workflows using Node.js
• Test calendar page locally with npm run dev
• Verify event descriptions render correctly (especially those with complex markdown/HTML)
• Run full build with npm run build to ensure no issues
• Preview production build with npm run preview
• Consider updating package.json engines field to document Node 20 requirement

---

Additional Notes

Why this update is worthwhile:

• Bug fixes for edge cases in markdown parsing
• Improved CommonMark/GFM compliance
• Better TypeScript support
• Active maintenance and security patches

Estimated effort: Low to Medium

• Simple changes to CI/CD configuration
• Manual testing required
• No code changes needed (if Node version updated)

---

Recommendation

⚠️ DO NOT MERGE AS-IS

This PR requires updating the Node.js version in CI/CD workflows first. Once that's done and manual testing passes, this is a safe and beneficial upgrade.

Suggested approach:

1. Update GitHub Actions workflows to use Node 20
2. Test locally with Node 20
3. Merge and monitor for any issues

---

Review conducted following repository guidelines in CLAUDE.md

[claude]

Pull Request Review: Update dependency marked to v17

Summary

This PR upgrades the marked library from v12 to v17, which represents a major version jump spanning 5 major releases. While this is a Renovate-generated dependency update, there are critical breaking changes that need to be addressed before merging.

---

🚨 Critical Issues

1. Node.js Version Incompatibility - BLOCKING

Severity: Critical
Impact: Build failures in CI/CD

Issue:

• marked v16+ requires Node.js 20+ (per breaking changes in v16.0.0)
• Current CI/CD workflow uses Node.js 18 (.github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml:29)

Evidence from Release Notes:

"update minimum supported node version to 20"

Action Required:
Update the GitHub Actions workflow to use Node.js 20:

- name: Setup Node.js
  uses: actions/setup-node@v3
  with:
    node-version: '20'  # Changed from '18'

This must be updated in:

• .github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml
• Any other workflows using Node.js

---

2. Breaking Changes in API Usage

Severity: Medium
Impact: Potential runtime errors

Current Usage in Codebase:
The project uses marked.parse() in src/pages/calendar.astro:99

Breaking Changes to Review:

v13.0.0 - Renderer API Changes:

• Renderers now receive token objects instead of multiple parameters

v14.0.0 - Old Renderer Removed:

• Removed old renderer completely

v15.0.0 - HTML Escaping Changes:

• HTML now escaped in renderers instead of tokenizers
• May affect how HTML entities are handled in descriptions

v16.0.0 - Module Format Changes:

• Removed CommonJS build
• May break Jest tests

Current Code Impact:
The HTML escaping changes in v15 could affect how event descriptions are rendered, especially since the code uses set:html to inject the output.

---

⚠️ Potential Issues

3. Test Coverage Concerns

Severity: Medium

Issue:

• No visible test suite for the formatDescription() function that uses marked
• HTML escaping changes could alter output behavior

Recommendation:
Add tests to verify:

• Event descriptions render correctly
• No XSS vulnerabilities introduced
• Markdown formatting works as expected

---

✅ Positive Aspects

1. Security Improvements: Multiple bug fixes for parsing edge cases
2. Better CommonMark Compliance: Improved GFM compatibility
3. Bug Fixes: Numerous fixes for link parsing, lists, tables
4. Active Maintenance: Well-maintained project

---

📋 Pre-Merge Checklist

• Update Node.js to version 20 in all GitHub Actions workflows
• Test the build locally with Node.js 20
• Verify calendar page rendering
• Test edge cases in formatDescription()
• Check for console errors during build
• Consider adding tests for markdown parsing
• Update package.json engines field (optional but recommended)

---

🎯 Final Verdict

Recommendation: ⛔ Request Changes - Do Not Merge Yet

Reasoning:
This PR cannot be merged due to the Node.js 20 requirement. The CI/CD pipeline will fail with Node.js 18.

Next Steps:

1. Update Node.js version to 20 in all workflows
2. Test thoroughly
3. Then merge

---

Review Completed: 2025-11-12
Reviewed Against: Project's CLAUDE.md guidelines and Astro best practices

[claude]

Pull Request Review: Update marked from v12 to v17

Overview

This PR updates the marked library from v12.0.0 to v17.0.0 - a major version upgrade that spans 5 major versions with significant breaking changes.

---

🔴 Critical Issues

1. Breaking Changes Not Addressed

The upgrade from v12 to v17 includes several breaking changes that need verification:

v16.0.0 Breaking Changes:

• Removed CommonJS build (./lib/marked.cjs) - now ESM only
• Minimum Node.js version raised to 20
• File structure changes: ./marked.min.js removed, use ./lib/marked.umd.js instead
• Potential Jest compatibility issues requiring transformIgnorePatterns configuration

v15.0.0 Breaking Changes:

• HTML escaping moved from tokenizers to renderers for all tokens
• Regex handling moved to rules

v14.0.0 Breaking Changes:

• Old renderer removed (must use new renderer)
• Async option handling changes

v13.0.0 Breaking Changes:

• Renderer API changed to accept token objects instead of multiple parameters
• New token types added (TableRow, Checkbox, space tokens)
• this.parser.parseInline() required for rendering inline tokens

Impact on /src/pages/calendar.astro:
The code currently uses:

marked.setOptions({
  breaks: true,
  gfm: true
});
const html = marked.parse(processedDescription);

✅ Good news: The basic marked.parse() API and setOptions() appear stable across versions.

---

⚠️ High Priority Concerns

2. No Test Coverage

• The repository has zero test files (no *.test.* or *.spec.* files found)
• This is a major upgrade affecting Markdown parsing in production
• Changes in Markdown parsing behavior between v12-v17 cannot be validated automatically
• Risk: Silent rendering changes could affect event descriptions on the calendar page

Recommendation: Create regression tests for the formatDescription() function in calendar.astro:71-117 before merging.

3. Node.js Version Compatibility

• v16+ requires Node.js 20 as minimum
• Need to verify: What Node.js version is used in:
  • Local development
  • CI/CD pipeline (GitHub Actions)
  • Production deployment

Action Required: Check .github/workflows/*.yml for Node.js version configuration.

---

📋 Code Quality Assessment

Positive Aspects:

1. Limited scope: Only one file (calendar.astro) uses marked
2. Simple usage: Only using marked.parse() and setOptions() - not custom renderers
3. Error handling: Has try-catch around marked.parse() with fallback (lines 74-116)

Areas of Concern:

1. Complex preprocessing: The formatDescription() function has 20+ regex replacements before parsing (lines 76-96)
   • These may interact differently with new marked versions
   • Some patterns are duplicated (e.g., lines 82, 90, 96)
   • This suggests data quality issues upstream

---

🔒 Security Considerations

1. No direct security issues with the upgrade itself
2. HTML injection protection: marked v15+ moved HTML escaping to renderers (should be safer)
3. User content: Event descriptions are from external RSS feeds and manual JSON - ensure these are sanitized
4. Output handling: Using Astro's set:html directive (line 188, 255) - verify Astro handles sanitization

---

⚡ Performance Considerations

1. Build time: Minimal impact - only used at build time for static generation
2. Bundle size: Changes unknown - check bundle size difference
3. Parsing performance: Marked v13-17 includes numerous parsing improvements and bug fixes

---

✅ Testing Recommendations

Before merging, manually test these scenarios:

1. Basic Markdown:

   • Headings, bold, italic, links
   • Lists (ordered/unordered)
   • Code blocks and inline code

2. Edge cases from your preprocessor:

   • URLs with escaped characters
   • Malformed markdown links
   • Double brackets: [[link]](url)
   • URLs ending with periods

3. GFM features:

   • Strikethrough
   • Tables (if used)
   • Task lists

4. Line breaks: The breaks: true option - verify \n → <br> still works

---

📝 Recommendations

Before merging:

1. ✅ Verify Node.js 20+ in all environments (dev, CI, prod)
2. ✅ Run npm run build and verify no errors
3. ✅ Manually test calendar page rendering with various event descriptions
4. ✅ Check bundle size difference: ls -lh dist/
5. ✅ Review 20+ recent commits to marked for relevant changes: https://github.com/markedjs/marked/releases

After merging:

1. 🔨 Add unit tests for formatDescription() function
2. 🔨 Add integration tests for calendar page rendering
3. 🔨 Consider cleaning up duplicate regex patterns
4. 🔨 Investigate fixing data quality issues upstream instead of patching in preprocessor

Consider:

• Splitting this into a gradual upgrade (v12→v13→v14→v15→v16→v17) to isolate issues
• Using a visual regression testing tool to catch rendering differences

---

📊 Risk Assessment

Category	Risk Level	Rationale
Breaking Changes	🟡 Medium	Simple API usage, but untested across 5 major versions
Runtime Errors	🟢 Low	Good error handling with fallback
Rendering Changes	🟡 Medium	No visual regression tests
Security	🟢 Low	Improved escaping in v15+
Performance	🟢 Low	Build-time only

Overall Risk: 🟡 MEDIUM - Acceptable with proper testing

---

🎯 Verdict

APPROVE with conditions:

This dependency update is reasonable and includes many bug fixes and improvements. The risk is manageable because:

• Simple API usage (no custom renderers/extensions)
• Good error handling with fallback
• Static site generation (errors caught at build time)
• Only one file affected

However, DO NOT merge until:

1. Node.js version compatibility verified
2. Manual testing completed on calendar page
3. Build succeeds without errors
4. Visual inspection shows no rendering regressions

---

📚 Additional Resources

• Marked v17 Release Notes
• Marked v16 Release Notes
• Marked v13 Migration Guide (major renderer changes)

---

Generated by Claude Code

[claude]

Pull Request Review: Update dependency marked to v17

Summary

This PR updates the marked markdown parser from v12 to v17, spanning 5 major versions with significant breaking changes. Overall assessment: Request Changes - requires testing and potential Node.js version upgrade.

---

Critical Issues

1. Node.js Version Compatibility (BLOCKING)

• Issue: Marked v16+ requires Node.js 20+ as minimum version
• Current State: All GitHub Actions workflows use Node.js 18
  • azure-static-web-apps-ashy-field-00e5f470f.yml:29
  • update-calendar.yml, weekly-meetups.yml, validate-json.yml, process-event-submission.yml
• Impact: Build failures in CI/CD pipeline
• Required Action: Update all workflow files to use node-version: '20' before merging

2. Breaking API Changes

From the release notes, marked v13-v17 introduced several breaking changes:

v16.0.0 - Major Build Changes:

• Removed CommonJS build (./lib/marked.cjs)
• Removed ./marked.min.js (use ./lib/marked.umd.js instead)
• Changed to ESM-first approach

v13.0.0 - Renderer API Changes:

• Renderers now receive token objects instead of multiple parameters
• Added new space renderer
• Added parser property to Renderer object
• Block text tokens sent to text renderer

Impact on codebase:

• Current usage in src/pages/calendar.astro:7 uses import { marked } from 'marked' ✅ (ESM import is fine)
• Current usage in src/pages/calendar.astro:12-15 uses marked.setOptions() ✅ (API still compatible)
• Current usage in src/pages/calendar.astro:99 uses marked.parse() ✅ (API still compatible)

---

Code Quality & Best Practices

Positive Aspects ✅

1. Simple API Usage: The codebase only uses basic marked APIs (setOptions, parse) which remain stable
2. Error Handling: Good try-catch block around marked.parse() at line 74-116
3. Security: Descriptions are sanitized through markdown parsing before HTML output

Concerns ⚠️

1. No Test Coverage

   • The formatDescription() function (lines 71-117) has complex markdown preprocessing logic
   • No automated tests exist for this functionality
   • Risk: Breaking changes in markdown parsing behavior could go undetected
   • Recommendation: Add unit tests for the markdown formatting function

2. Complex Preprocessing Logic

   • Multiple regex transformations (lines 76-96) for fixing malformed markdown
   • This complexity suggests issues with upstream data quality
   • These regexes may need adjustment if marked's parsing behavior changes

---

Performance Considerations

Improvements in v17:

• Better CommonMark compliance (various bug fixes)
• Improved handling of edge cases (backticks, links, em/strong)
• More efficient parsing (no specific metrics in release notes)

Potential Issues:

• None identified for this use case (static build-time parsing)

---

Security Concerns

Positive Security Fixes:

• v15.0.0: Escape HTML in renderers instead of tokenizers (more secure)
• Better handling of malformed input throughout version updates

Current Security Posture:

• Site uses set:html directive (line 188, 255) to inject markdown-parsed content
• This is safe as marked escapes HTML by default (confirmed in v15.0.0 changes)
• No XSS vulnerabilities identified

---

Recommendations

Before Merging:

1. Update Node.js Version (Required)

   # Update in all workflow files:
   - node-version: '20'  # Change from '18'

2. Test Markdown Rendering (Strongly Recommended)

   • Build site locally with new marked version
   • Verify calendar page renders correctly
   • Check that complex event descriptions parse properly
   • Focus on testing edge cases that your regex preprocessing handles

3. Add Automated Tests (Recommended)

   // Consider adding tests for formatDescription()
   // Test cases: malformed URLs, nested brackets, escaped characters

4. Review Markdown Processing

   • Consider if any preprocessing regexes can be simplified
   • Document why specific transformations are needed

After Merging:

1. Monitor for any markdown rendering issues on production
2. Check GitHub Actions builds pass successfully
3. Review any user-reported display issues with event descriptions

---

Verdict

Status: 🔴 Request Changes

Rationale: While the code changes are minimal (just dependency versions), the Node.js 20 requirement is a blocking issue. The current CI/CD pipeline uses Node.js 18 and will fail with marked v16+.

Action Items:

1. ✅ Update all GitHub Actions workflows to Node.js 20
2. ✅ Test markdown rendering locally before merge
3. 📋 Consider adding tests for markdown formatting (future improvement)

Once Node.js version is updated in all workflows, this PR should be safe to merge. The marked API usage in this codebase is straightforward and compatible with v17.

[claude]

Pull Request Review: Update marked dependency to v17

Overview

This PR updates the marked library from v12 to v17, representing a major version jump that includes several breaking changes and new features.

---

Code Quality & Best Practices ✅

Positive Aspects:

• The dependency update is managed through Renovate, which provides good visibility into changes through automated PRs
• The caret (^) version constraint is maintained, allowing for future patch and minor updates
• Lock file is properly updated to reflect the new version

Observations:

• Current usage in src/pages/calendar.astro:7 is relatively simple (just marked.parse() and marked.setOptions())
• The code uses standard marked API that should remain compatible

---

Breaking Changes Assessment ⚠️

Based on the PR description, the major version jumps include several breaking changes:

v16.0.0 Breaking Changes:

• Node.js requirement increased to v20+ - Ensure your CI/CD and deployment environments support Node 20+
• CJS build removed - Only ESM builds are available (marked.esm.js and marked.umd.js)
• File structure changes - marked.min.js removed, replaced by lib/marked.umd.js
• Jest compatibility - May break Jest tests requiring transformIgnorePatterns configuration

v13.0.0+ Changes:

• HTML escaping moved from tokenizers to renderers
• New renderer API (though old API still works with compatibility mode)
• New token types added (TableRow, Checkbox, space tokens)

Impact on This Codebase:
Your current usage appears minimal and should work without changes. The code:

import { marked } from 'marked';
marked.setOptions({ breaks: true, gfm: true });
const html = marked.parse(processedDescription);

This is using the standard public API that remains stable across versions.

---

Potential Issues 🔍

1. Node.js Version Requirement:

   • ❗ Action Required: Verify all environments (local dev, CI/CD, production) are running Node.js v20 or higher
   • Check GitHub Actions workflows (.github/workflows/*.yml) for Node version specifications

2. Module System:

   • ✅ Your package.json already specifies "type": "module", so ESM-only builds are compatible
   • The import { marked } syntax will work correctly

3. Build Process:

   • Check if any build tools or bundlers rely on the old file structure
   • Astro should handle this correctly as a modern build tool

4. Type Safety:

   • The calendar page uses TypeScript (calendar.astro has type annotations)
   • Consider checking if marked's TypeScript definitions have any breaking changes

---

Performance Considerations 🚀

Improvements:

• Newer versions of marked generally include performance optimizations
• Better regex handling and parsing efficiency in recent versions
• Minified UMD build may be smaller/faster

No Performance Concerns:

• Marked is only used at build-time in Astro (static site generation)
• No runtime performance impact on end users
• The markdown parsing happens once during build, not on every page load

---

Security Concerns 🔒

Positive Security Aspects:

• Updating dependencies is good security hygiene
• Newer versions may include security patches from the past year
• The 5-year gap (v12 → v17) means many potential security fixes are included

Recommendations:

1. ✅ Review the security advisories for marked between v12 and v17
2. ⚠️ Your code pre-processes descriptions with regex before parsing - this custom sanitization should be reviewed
3. Consider using marked's built-in sanitization options if needed

Code Pattern to Review:

// Lines 76-96 in calendar.astro
processedDescription = description
  .replace(/\\([.\\-])/g, '$1')
  .replace(/(\bhttps?:\/\/[^\s\]]+)]\(([^)]+)\)/g, '$1 ]($2)')
  // ... many more regex replacements

This extensive pre-processing suggests potential issues with untrusted input. Consider whether all this is still necessary with v17's improved parsing.

---

Test Coverage ❌

Critical Issue:

• ❗ No automated tests found in the repository for the marked functionality
• No test files matching *.test.* or *.spec.* patterns

Recommendations:

1. High Priority: Add tests for the formatDescription() function in calendar.astro
2. Test the complex regex pre-processing logic
3. Add regression tests for markdown edge cases (malformed links, escaped characters, etc.)
4. Consider manual testing of the calendar page after deployment

Suggested Test Cases:

• Valid markdown with links, lists, and formatting
• Malformed markdown that your regex patterns fix
• Edge cases from the CS2AI URL patterns mentioned in comments
• HTML injection/XSS attempts

---

Action Items Before Merging

Required:

1. ✅ Verify Node.js v20+ in all environments
2. ⚠️ Manual test the calendar page with various event descriptions
3. ⚠️ Check GitHub Actions workflows for Node version compatibility

Recommended:

1. Add automated tests for markdown parsing functionality
2. Review and potentially simplify the pre-processing regex patterns
3. Check for any marked deprecation warnings in build output
4. Update documentation if there are any usage changes

Optional:

1. Consider gradual rollout or feature flag for the update
2. Review marked's changelog for new features you could leverage
3. Benchmark build time before/after to measure performance impact

---

Final Recommendation

Status: ⚠️ Approve with Conditions

The update is generally safe but requires verification:

• ✅ Code compatibility looks good
• ⚠️ Must verify Node.js v20+ requirement
• ❌ Lack of tests is concerning for a major version jump
• ⚠️ Manual testing recommended before deployment

Merge Decision:

• If you're confident Node 20+ is available everywhere and can manually test the calendar page → Safe to merge
• If you're unsure about environment compatibility → Test in staging first
• Long-term → Add automated tests to prevent regressions

---

💡 Pro Tip: Since this is Renovate-generated, you could also configure Renovate to auto-merge patch/minor updates while requiring manual review for major versions like this one.

[claude]

Pull Request Review: Update marked to v17

Thank you for the automated dependency update! I've reviewed this PR and have identified some important considerations.

Overview

This PR updates the marked library from v12.0.0 to v17.0.0 - a major version upgrade spanning 5 major versions with significant breaking changes.

---

Critical Issues

1. Node.js Version Incompatibility 🔴

Issue: Marked v16.0.0+ requires Node.js 20+, but your CI workflows use Node.js 18.

Location:

• azure-static-web-apps-ashy-field-00e5f470f.yml:29
• update-calendar.yml:21

Impact: This will cause build failures in CI/CD pipelines.

From marked v16 release notes:

update minimum supported node version to 20 to support require('marked.esm.js')

Recommendation: Update all GitHub Actions workflows to use Node.js 20:

- name: Setup Node.js
  uses: actions/setup-node@v3
  with:
    node-version: '20'

---

2. API Breaking Changes ⚠️

The upgrade includes several breaking changes that may affect your usage:

v13.0.0: New renderer API

• Renderers now receive token objects instead of multiple parameters
• useNewRenderer option introduced (now the default in v14+)
• Your code: Currently using marked.parse() at calendar.astro:99 - this should continue to work

v15.0.0: HTML escaping moved to renderers

• HTML is now escaped in renderers instead of tokenizers
• May affect how user-generated content is sanitized

v16.0.0: Module format changes

• Removed CommonJS build (./lib/marked.cjs)
• Removed ./marked.min.js (use ./lib/marked.umd.js instead)
• Your code: Uses ES module import (import { marked } from 'marked') - should be fine

---

Security Considerations

Positive Changes ✅

• Multiple bug fixes for markdown parsing edge cases (backticks, links, strikethrough)
• Improved HTML escaping in v15.0.0
• Better link handling with various fixes for malformed URLs and markdown syntax

Review Needed

Your calendar.astro file processes user-submitted event descriptions with extensive pre-processing (lines 76-96). The HTML escaping changes in v15 and v16 may interact differently with your custom URL cleaning logic.

---

Testing Requirements

Test Coverage Gap 🔴

• No automated tests found in the repository
• This major upgrade has no safety net to catch regressions

Manual Testing Checklist

Since the marked library is only used in src/pages/calendar.astro, you should manually test:

1. Basic markdown rendering:

   • Bold, italic, lists, links, code blocks

2. Edge cases your code handles (lines 76-96):

   • URLs with escaped characters
   • Malformed markdown links
   • URLs followed by markdown syntax
   • Double closing brackets
   • CS2AI-specific URL patterns

3. Event descriptions:

   • Verify existing events in calendar-events.json render correctly
   • Test with various markdown formatting combinations

4. XSS protection:

   • Ensure HTML in event descriptions is properly escaped
   • Test with potentially malicious input

Recommended Test Commands

npm run build          # Verify build succeeds
npm run preview        # Test the calendar page locally
npm run validate       # Ensure JSON validation passes

---

Performance Considerations

No performance concerns expected. The marked.parse() call is only executed during static site generation (SSG), not at runtime, so any performance changes won't impact end users.

---

Code Quality Assessment

Positive Aspects ✅

• Clean import usage: import { marked } from 'marked'
• Configuration is explicit: marked.setOptions({ breaks: true, gfm: true })
• Good error handling with try-catch and fallback (lines 110-116)

Concerns

• Complex pre-processing logic (lines 76-96) may conflict with new parser behavior
• No TypeScript types leveraged (marked v16.1.0+ has generic types for parser/renderer)

---

Recommendations

Before Merging

1. Update Node.js version to 20 in all CI workflows (required)
2. Test manually using the checklist above (critical)
3. Review calendar page with real event data
4. Check build logs for any deprecation warnings

Future Improvements

1. Add automated tests for markdown rendering
2. Consider TypeScript for better type safety
3. Document the complex URL pre-processing logic
4. Add integration tests for the calendar page

Alternative Approach

If this upgrade proves problematic, consider:

• Staying on v12 and reviewing what specific features/fixes you need from v17
• Upgrading incrementally (v12 → v13 → v14 → v15 → v16 → v17) to isolate issues

---

Summary

Block merge until:

• ✅ Node.js version updated to 20 in CI workflows
• ✅ Manual testing completed successfully

Overall Risk Level: MEDIUM-HIGH

• Major version jump with breaking changes
• No automated test coverage
• Complex custom markdown pre-processing

Recommendation: Update Node.js version first, then test thoroughly before merging.

---

Review completed by Claude Code following repository conventions from CLAUDE.md

[claude]

Pull Request Review: Update marked to v17

Summary

This PR updates the marked dependency from ^12.0.0 to ^17.0.0, a major version jump that includes several breaking changes and improvements.

---

Code Quality & Best Practices ✅

Positive aspects:

• Automated dependency update via Renovate keeps the codebase current
• Clear changelog provided with detailed release notes
• Proper semantic versioning followed

---

Breaking Changes Analysis ⚠️

The upgrade from v12 to v17 includes two major breaking changes that require attention:

1. Node.js Version Requirement (v16.0.0)

• Breaking: Minimum Node.js version increased to v20
• Impact: Verify CI/CD pipelines and deployment environments use Node.js 20+
• Action Required: Check GitHub Actions workflows and hosting provider Node version

2. CommonJS Removal (v16.0.0)

• Breaking: Removed ./lib/marked.cjs
• Breaking: Removed ./marked.min.js (replaced by ./lib/marked.umd.js)
• Impact: Your project uses ES modules (import { marked } from 'marked' in calendar.astro:7), so this is compatible ✅

3. New Renderer API (v13.0.0)

• Breaking: Renderers now receive token objects instead of multiple parameters
• Impact: The code only uses marked.parse() and marked.setOptions() - no custom renderers ✅
• Compatibility: Current usage in src/pages/calendar.astro:99 is safe

---

Current Usage Analysis 📋

The marked library is used in one location:

• File: src/pages/calendar.astro:7-117
• Usage:

  import { marked } from 'marked';
  
  marked.setOptions({
    breaks: true,
    gfm: true
  });
  
  const html = marked.parse(processedDescription);

Assessment: ✅ This usage pattern is fully compatible with v17. The API calls used (setOptions() and parse()) remain unchanged.

---

Security Considerations 🔒

Improvements in v17:

• v15.0.0: Enhanced HTML escaping moved to renderers for all tokens (security improvement)
• Multiple bug fixes: Including fixes for edge cases in link parsing, backtick handling, and markdown rendering

Recommendation: ✅ This update improves security by fixing multiple parsing edge cases that could lead to malformed HTML output.

---

Performance Considerations ⚡

Potential improvements:

• Numerous bug fixes in parsing logic may improve performance
• Better handling of complex markdown patterns (lists, tables, links)
• No significant performance regressions noted in release notes

Current implementation note: The formatDescription() function in calendar.astro:71-117 does extensive regex pre-processing before calling marked.parse(). This is unaffected by the upgrade.

---

Test Coverage ❌

Critical Issue:

• No automated tests found in the repository
• No test scripts in package.json
• Risk: Breaking changes cannot be validated automatically

Recommendations:

1. Manual testing required: Test calendar page rendering with various markdown descriptions

2. Test cases to verify:

   • Event descriptions with links
   • Markdown formatting (bold, italic, lists)
   • Special characters and escaped content
   • Edge cases in the extensive regex pre-processing (lines 76-96)

3. Future improvement: Add integration tests for markdown rendering

---

Migration Checklist 📝

Before merging:

• Verify Node.js version in CI/CD (GitHub Actions workflows in .github/workflows/)
• Verify Node.js version on hosting/deployment platform
• Manual testing: Visit /calendar page with events containing:
  • Regular markdown (bold, italic, links)
  • Complex links with brackets and parentheses
  • Lists (ordered and unordered)
  • Code blocks
  • URLs with special characters
• Check build process: npm run build completes successfully
• Check if any new deprecation warnings appear in console

---

Specific Risks to Monitor 🎯

Based on the release notes, watch for:

1. Link parsing changes (multiple fixes between v12-v17):

   • Links with brackets in inline code
   • URLs with non-breaking spaces
   • Escaped characters in link text
   • Your code has extensive link-fixing regex that may interact with these changes

2. HTML escaping changes (v15.0.0):

   • HTML is now escaped in renderers vs tokenizers
   • Verify set:html in calendar.astro:188,255 renders correctly

3. List rendering (multiple fixes):

   • Check multi-line list items in event descriptions

---

Recommendation 🎯

Conditional Approval - This upgrade is generally safe but requires verification:

✅ Safe to merge IF:

1. Node.js 20+ is available in all environments
2. Manual testing confirms calendar rendering works correctly
3. Build process completes without errors

⚠️ Before merging:

• Test on development/staging environment first
• Verify specific edge cases mentioned above
• Consider adding basic smoke tests for future updates

---

Additional Notes

• Changelog depth: The jump from v12 to v17 includes 30+ releases with numerous bug fixes
• Maintenance status: Library is actively maintained with regular security and bug fixes
• Dependencies: No new dependencies introduced, bundle size impact minimal

Would you like me to help create a test checklist or add integration tests for markdown rendering?

🤖 Review generated with Claude Code

[claude]

PR Review: Update dependency marked to v17

Summary

This PR updates marked from v12 to v17, which is a 5 major version jump with significant breaking changes.

---

Code Quality & Best Practices

Current Usage Analysis

The codebase uses marked in src/pages/calendar.astro:7-99 with:

• marked.setOptions({ breaks: true, gfm: true }) for configuration
• marked.parse(processedDescription) for Markdown to HTML conversion

This is a straightforward usage pattern that should be compatible with v17.

---

Breaking Changes Assessment

Critical Changes to Evaluate:

1. v16.0.0: Removed CJS build, minimum Node.js updated to 20

   • Impact: Verify CI/deployment Node.js version is >= 20

2. v15.0.0: HTML escaping moved from tokenizers to renderers

   • Impact: Low - No custom tokenizers/renderers in use

3. v14.0.0: Removed useNewRenderer option, renderer API changes

   • Impact: Low - No custom renderers in use

4. v13.0.0: Token objects passed to renderers instead of parameters

   • Impact: Low - Not using custom renderers

5. v17.0.0: Changes to list item rendering and checkbox tokens

   • Impact: Low - Event descriptions unlikely to have complex list/checkbox content

---

Potential Issues

High Priority

1. Node.js Version Requirement: v16+ requires Node.js 20+. Verify your GitHub Actions runners and deployment environment use Node.js >= 20.

Medium Priority

2. HTML Output Changes: The HTML output for lists and checkboxes may differ between v12 and v17. If event descriptions contain Markdown lists or checkboxes, visual output may change.

3. HTML Escaping Behavior: v15 moved escaping from tokenizers to renderers. Test that special characters in event descriptions render correctly.

---

Recommendations

Before Merging:

1. Verify Node.js version in:

   • GitHub Actions workflows (check .github/workflows/*.yml)
   • Any deployment/hosting environment (Vercel, Netlify, etc.)

2. Test the build locally:

   npm install
   npm run build
   npm run preview

3. Visual regression testing: Check the /calendar page with various event descriptions to ensure Markdown renders correctly, especially:

   • Links
   • Bold/italic text
   • Lists (if any)
   • Special characters

4. Check for runtime errors: The existing try-catch in formatDescription() should handle parsing errors gracefully, but verify no console errors appear.

---

Test Coverage

Testing Recommendations:

• Consider adding basic unit tests for the formatDescription() function with sample Markdown inputs
• This would help catch rendering regressions in future dependency updates

---

Security

• This is not a security-related update (separate from PR Update dependency astro to v5.15.9 [SECURITY] - autoclosed #156)
• marked v17 includes various bug fixes but no known security patches specific to this version range

---

Performance

• No significant performance concerns
• v16 changed to use esbuild for builds, which should maintain or improve performance

---

Verdict

Conditionally Approve - This PR is likely safe to merge given the simple usage pattern, but should be tested locally first. The main risk is the Node.js 20+ requirement.

Action Items:

1. Confirm Node.js >= 20 in all environments
2. Run local build and preview
3. Visually verify /calendar page rendering
4. Consider adding tests for formatDescription() (optional, for future safety)

---

🤖 Generated with Claude Code

[claude]

Pull Request Review: Update dependency marked to v17

Summary

This PR updates the marked library from v12.0.2 to v17.0.1, which is a 5 major version jump that includes several breaking changes. I've reviewed the changes and analyzed their impact on the codebase.

---

Code Quality & Best Practices

✅ Positive:

• The PR is from Renovate, which ensures systematic dependency updates
• Includes comprehensive release notes and changelog
• Lockfile is properly updated

⚠️ Concern:

• No corresponding code changes to address breaking changes
• Large version jump increases risk of subtle behavioral changes

---

Breaking Changes Analysis

Based on the release notes, here are the critical breaking changes from v12 to v17:

1. Node.js Version Requirement (v16.0.0)

• ❗ Breaking: Minimum Node.js version raised to 20
• Impact: Verify CI/CD pipelines and deployment environments use Node 20+

2. CommonJS Removal (v16.0.0)

• ❗ Breaking: ./lib/marked.cjs removed; only ESM and UMD builds available
• ✅ Current Usage: Project uses type: "module" in package.json, so this should be fine
• ⚠️ Jest Impact: If Jest is added later, will need transformIgnorePatterns: ['/node_modules/(?!(marked)/)']

3. Renderer API Changes (v13.0.0)

• ❗ Breaking: Renderers now receive token objects instead of individual parameters
• ✅ Current Usage: Code only uses marked.parse() and marked.setOptions(), not custom renderers
• ✅ Safe: Current implementation at src/pages/calendar.astro:99 should continue working

4. List Token Structure Changes (v17.0.0)

• ⚠️ Breaking: Changed how consecutive text tokens work in lists, checkbox tokens, and loose list handling
• 🔍 Current Usage: Event descriptions may contain lists with checkboxes
• ⚠️ Risk: If event descriptions have task lists, rendering may change

5. HTML Escaping Changes (v15.0.0)

• ⚠️ Breaking: HTML now escaped in renderers instead of tokenizers for all tokens
• 🔍 Current Usage: Event descriptions may contain HTML
• ⚠️ Risk: HTML in markdown descriptions may render differently

---

Current Usage Analysis

The marked library is used in one location: src/pages/calendar.astro:99

Current implementation:
```typescript
// Line 7: Import
import { marked } from 'marked';

// Lines 12-15: Configuration
marked.setOptions({
breaks: true, // Convert \n to

gfm: true // Enable GitHub Flavored Markdown
});

// Line 99: Usage
const html = marked.parse(processedDescription);
```

Analysis:

• ✅ Uses standard marked.parse() API (stable across versions)
• ✅ Uses marked.setOptions() with standard options (breaks, gfm)
• ✅ No custom renderers, tokenizers, or extensions
• ⚠️ Result type may change (now can be string or Promise)

---

Potential Issues

1. Type Safety

Location: src/pages/calendar.astro:102

```typescript
const htmlString = typeof html === 'string' ? html : String(html);
```

✅ Good: Code already handles non-string return values
⚠️ Suggestion: Consider whether this should handle Promise for async scenarios

2. HTML Rendering Changes

With the HTML escaping changes in v15, event descriptions containing HTML may render differently:

• HTML tags may be escaped instead of rendered
• Could affect descriptions with embedded links or formatting

3. List Rendering

Changes to list token structure in v17 may affect:

• Bullet lists in event descriptions
• Numbered lists
• Task lists with checkboxes

---

Security Considerations

✅ Positive Security Changes:

• v15.0.0 improved HTML escaping in renderers, reducing XSS risk
• Newer versions include multiple security-related bug fixes

⚠️ Recommendation:

• Review event descriptions after deployment to ensure no XSS vulnerabilities
• Current pre-processing regex patterns (lines 76-96) may need adjustment if HTML escaping behavior changes

---

Performance Considerations

📊 Performance Impact: Likely minimal

• marked is only used during static site generation (SSG), not at runtime
• Build time may be slightly affected (likely negligible)
• No client-side JavaScript impact

---

Test Coverage

❌ Critical Gap: No automated tests

• No test files found in the repository
• No test scripts in package.json
• Recommendation: Add manual testing checklist:
  1. ✅ Verify calendar page builds successfully
  2. ✅ Check event descriptions render correctly
  3. ✅ Test descriptions with:
     • Links (markdown and HTML)
     • Lists (bullet, numbered, task)
     • Bold/italic formatting
     • Code blocks
     • HTML entities

---

Recommendations

Before Merging:

1. ✅ Verify Node.js version in CI/CD and production (must be v20+)
2. ✅ Run build locally to ensure no errors:
   ```bash
   npm run build
   ```
3. ✅ Visual regression test: Compare calendar page before/after on preview deployment
4. ✅ Test edge cases: Event descriptions with complex markdown/HTML

After Merging:

1. Monitor production for any rendering issues with event descriptions
2. Consider adding tests for the `formatDescription()` function
3. Document the marked version and any customizations in CLAUDE.md

Future Improvements:

1. Add unit tests for `formatDescription()` function
2. Consider pinning to exact version instead of caret range if stability is critical
3. Add visual regression testing for calendar page

---

Approval Recommendation

⚠️ Conditional Approval - This PR can be merged after:

1. ✅ Confirming Node.js v20+ in all environments
2. ✅ Successful build test (`npm run build`)
3. ✅ Manual verification that calendar events render correctly

The current usage is simple enough that breaking changes should have minimal impact, but the lack of automated tests means manual verification is essential.

---

References

• Marked v17.0.0 Release Notes
• Marked v16.0.0 Breaking Changes
• Marked v13.0.0 Renderer Changes
• Current usage: `src/pages/calendar.astro:7,12,99`

[claude]

Pull Request Review: Update dependency marked to v17

Overview

This PR updates the marked library from v12.0.2 to v17.0.1, which represents a major version jump (5 major versions) with several breaking changes. The update is managed by Renovate bot.

Code Quality & Best Practices ✅

Positive aspects:

• Clean dependency update with proper lock file modifications
• Automated dependency management via Renovate is a good practice
• Version bump is properly reflected in both package.json and yarn.lock

Breaking Changes Analysis ⚠️

This update includes multiple breaking changes that need careful consideration:

v16.0.0 Breaking Changes (CRITICAL)

• Minimum Node.js version: Now requires Node v20+ (up from previous versions)
• CommonJS removal: ./lib/marked.cjs has been removed - only ESM exports available
• File structure changes: marked.min.js removed in favor of ./lib/marked.umd.js
• Jest compatibility: May break Jest tests if any exist (requires transformIgnorePatterns configuration)

v17.0.0 Breaking Changes

• Changes to how consecutive text tokens work in lists
• Simplified listItem renderer
• Checkbox token structure changes (added type and raw properties)
• Loose list text tokens changed to paragraph type in list tokenizer

v13.0.0 Breaking Changes

• Renderer API changes - tokens are now sent as objects to renderers instead of multiple parameters
• Space token added after blockquote and hr for multiple newlines
• May affect custom renderer extensions

Impact Assessment 🔍

Current Usage

The marked library is used in one location: src/pages/calendar.astro:99

Current implementation:

// Line 12-15
marked.setOptions({
  breaks: true,
  gfm: true
});

// Line 99
const html = marked.parse(processedDescription);

Good news: The code uses the modern API:

• ✅ Uses marked.parse() (not deprecated methods)
• ✅ Uses marked.setOptions() for configuration
• ✅ Basic usage that should be compatible with v17

Potential Issues & Concerns 🚨

1. Node.js Version Compatibility

• The project may need Node.js v20+ in CI/CD environments
• Check GitHub Actions workflows - currently using Node 18 in azure-static-web-apps-ashy-field-00e5f470f.yml:29
• ACTION REQUIRED: Update Node version in CI workflows to v20+

2. Markdown Rendering Changes

The changes to list rendering and text token handling could affect how event descriptions are rendered:

• Consecutive text tokens in lists work differently
• Checkbox tokens have new structure
• Loose list formatting may change

Recommendation: Test calendar page with various markdown formats, especially:

• Lists with checkboxes
• Consecutive text in list items
• Complex event descriptions with mixed formatting

3. Type Safety (Minor)

The code currently uses type coercion:

const htmlString = typeof html === 'string' ? html : String(html);

This suggests awareness that marked.parse() might not always return a string, which is still relevant in v17.

Security Concerns 🔒

Positive security aspects:

• The update includes numerous bug fixes that may address security issues
• Event descriptions are processed through marked before rendering (XSS protection through markdown parsing)

Areas of concern:

• Event descriptions use set:html in Astro, which renders raw HTML
• While markdown parsing provides some sanitization, malicious markdown could potentially create XSS vectors
• No explicit HTML sanitization layer beyond markdown parsing

Recommendation: Consider adding DOMPurify or similar HTML sanitizer for defense-in-depth, especially since event data comes from external RSS feeds.

Test Coverage 📊

Current state:

• ❌ No unit tests found in the repository
• ❌ No integration tests for markdown rendering
• ✅ CI pipeline runs JSON validation
• ✅ CI pipeline runs build process (implicit integration test)

Major concern: Without automated tests, it's difficult to verify that markdown rendering still works correctly after this major version upgrade.

Recommendation:

1. Manual testing of the calendar page with various event descriptions
2. Test events with:
   • Lists (ordered and unordered)
   • Checkboxes
   • Links, bold, italic text
   • Multi-paragraph descriptions
   • Code blocks

Performance Considerations ⚡

Positive changes:

• Modern versions typically include performance improvements
• Better tree-shaking with ESM-only builds may reduce bundle size

Potential concerns:

• None identified for this use case (simple markdown parsing at build time)

Recommendations 📋

Before Merging:

1. Update Node.js version in GitHub Actions workflows from 18 to 20
2. Manual testing of calendar page with various markdown formats
3. Review build logs for any warnings or deprecations
4. Check bundle size to ensure no unexpected increases

After Merging:

1. Monitor production for any rendering issues with event descriptions
2. Consider adding tests for markdown rendering functionality
3. Consider adding HTML sanitization layer for enhanced security

Optional Improvements:

• Add visual regression tests for calendar event rendering
• Document the markdown features supported in event descriptions
• Add validation for event description markdown format

Verdict 🎯

Status: ⚠️ Approve with Cautions

This is a legitimate dependency update that should be merged, but requires:

1. Node.js v20+ update in CI (mandatory)
2. Manual testing before merge (recommended)
3. Monitoring after deployment (recommended)

The breaking changes are significant, but the current usage is simple enough that compatibility should be maintained. The main risk is the Node.js version requirement and potential subtle changes in markdown rendering behavior.

---

Next Steps:

1. Update .github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml line 29 to use Node 20 or 22
2. Test build locally with npm run build
3. Verify calendar page renders correctly
4. Merge and monitor

---

Review generated by Claude Code - Automated PR Review

[claude]

Pull Request Review: Update dependency marked to v17

Overview

This PR updates the marked library from v12.0.0 to v17.0.1, a major version jump that includes multiple breaking changes and bug fixes.

---

Code Quality & Best Practices ✅

Positive aspects:

• Clean dependency update via Renovate bot with proper semantic versioning
• The changes are isolated to dependency files only (package.json and yarn.lock)
• Current usage of marked in the codebase is simple and follows best practices

---

Critical Issues 🚨

1. Node.js Version Incompatibility ⚠️

Severity: HIGH

The project is currently using Node.js 18 in GitHub Actions workflows (.github/workflows/azure-static-web-apps-ashy-field-00e5f470f.yml:29), but marked v16.0.0+ requires Node.js 20+ as a minimum.

Breaking change from marked v16.0.0:

update minimum supported node version to 20

Impact:

• The build will likely fail in CI/CD pipelines
• Local development may fail for contributors using Node.js < 20

Required action:

• Update all GitHub Actions workflows to use Node.js 20 or higher
• Update any documentation specifying Node.js version requirements

---

Potential Bugs 🐛

1. List Rendering Changes ⚠️

Severity: LOW-MEDIUM

Marked v17.0.0 introduced breaking changes to list tokenization. The code uses marked to parse event descriptions in src/pages/calendar.astro:99. If any event descriptions contain lists, the HTML output may change.

Recommendation:

• Review any event descriptions in calendar-events.json that contain Markdown lists
• Manually test rendering before and after to verify visual consistency

---

Security Concerns 🔒

Assessment: LOW RISK ✅

The changes include important security-related fixes:

• Multiple bug fixes related to parsing edge cases (escaped characters, malformed links, etc.)
• Improved HTML escaping in renderers

---

Test Coverage 🧪

Current state: NO TESTS FOUND ⚠️

The repository appears to have no automated tests for the markdown rendering functionality.

Recommendations:

• Add basic integration tests for the formatDescription() function
• Add visual regression tests for the calendar page
• Add smoke tests to CI

---

Migration Checklist 📋

Before merging this PR:

• Upgrade Node.js to version 20+ in all GitHub Actions workflows
• Test locally with Node.js 20 to ensure builds work
• Review event descriptions in calendar-events.json for any markdown lists
• Manually test the calendar page rendering after the upgrade

---

Overall Recommendation

Status: ⚠️ NEEDS WORK BEFORE MERGING

While the dependency update itself is valuable (bug fixes, improved parsing), the Node.js version incompatibility is a blocker. The project must upgrade to Node.js 20+ before this can be safely merged.

Suggested approach:

1. Create a separate PR to upgrade Node.js to version 20 in all workflows
2. Test the Node.js upgrade thoroughly
3. Merge the Node.js upgrade PR first
4. Then rebase and merge this marked upgrade PR

---

Additional Resources:

• Marked v17 Release Notes
• Marked v16 Breaking Changes

[github-actions]

Azure Static Web Apps: Your stage site is ready! Visit it here: https://ashy-field-00e5f470f-155.eastus2.6.azurestaticapps.net

[github-actions]

Azure Static Web Apps: Your stage site is ready! Visit it here: https://ashy-field-00e5f470f-155.eastus2.6.azurestaticapps.net

[github-actions]

Azure Static Web Apps: Your stage site is ready! Visit it here: https://ashy-field-00e5f470f-155.eastus2.6.azurestaticapps.net

[github-actions]

Azure Static Web Apps: Your stage site is ready! Visit it here: https://ashy-field-00e5f470f-155.eastus2.6.azurestaticapps.net

[github-actions]

Azure Static Web Apps: Your stage site is ready! Visit it here: https://ashy-field-00e5f470f-155.eastus2.6.azurestaticapps.net