Update dependency katex to v0.16.21 [SECURITY] (v7.0/forgejo) (#6693)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [katex](https://katex.org) ([source](https://github.com/KaTeX/KaTeX)) | dependencies | patch | [`0.16.10` -> `0.16.21`](https://renovatebot.com/diffs/npm/katex/0.16.10/0.16.21) |

---

### KaTeX \htmlData does not validate attribute names
[CVE-2025-23207](https://nvd.nist.gov/vuln/detail/CVE-2025-23207) / [GHSA-cg87-wmx4-v546](https://github.com/advisories/GHSA-cg87-wmx4-v546)

<details>
<summary>More information</summary>

#### Details
##### Impact
KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generate invalid HTML.

##### Patches
Upgrade to KaTeX v0.16.21 to remove this vulnerability.

##### Workarounds
- Avoid use of or turn off the `trust` option, or set it to forbid `\htmlData` commands.
- Forbid inputs containing the substring `"\\htmlData"`.
- Sanitize HTML output from KaTeX.

##### Details
`\htmlData` did not validate its attribute name argument, allowing it to generate invalid or malicious HTML that runs scripts.

##### For more information
If you have any questions or comments about this advisory:

- Open an issue or security advisory in the [KaTeX repository](https://github.com/KaTeX/KaTeX/)
- Email us at [katex-security@mit.edu](mailto:katex-security@mit.edu)

#### Severity
- CVSS Score: 6.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L`

#### References
- [https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cg87-wmx4-v546](https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cg87-wmx4-v546)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-23207](https://nvd.nist.gov/vuln/detail/CVE-2025-23207)
- ff289955e8
- [https://github.com/KaTeX/KaTeX](https://github.com/KaTeX/KaTeX)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-cg87-wmx4-v546) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>KaTeX/KaTeX (katex)</summary>

### [`v0.16.21`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01621-2025-01-17)

[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.20...v0.16.21)

##### Bug Fixes

-   escape \htmlData attribute name ([57914ad](57914ad91e))

### [`v0.16.20`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01620-2025-01-12)

[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.19...v0.16.20)

##### Bug Fixes

-   \providecommand does not overwrite existing macro ([#&#8203;4000](https://github.com/KaTeX/KaTeX/issues/4000)) ([6d30fe4](6d30fe47b0)), closes [#&#8203;3928](https://github.com/KaTeX/KaTeX/issues/3928)

### [`v0.16.19`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01619-2024-12-29)

[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.18...v0.16.19)

##### Bug Fixes

-   **types:** improve `strict` function type ([#&#8203;4009](https://github.com/KaTeX/KaTeX/issues/4009)) ([4228b4e](4228b4eb52))

### [`v0.16.18`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01618-2024-12-18)

[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.17...v0.16.18)

##### Bug Fixes

-   Actually publish TypeScript type definitions ([#&#8203;4008](https://github.com/KaTeX/KaTeX/issues/4008)) ([629b873](629b87354f))

### [`v0.16.17`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01617-2024-12-17)

[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.16...v0.16.17)

##### Bug Fixes

-   MathML combines multidigit numbers with sup/subscript, comma separators, and multicharacter text when outputting to DOM ([#&#8203;3999](https://github.com/KaTeX/KaTeX/issues/3999)) ([7d79e22](7d79e220f4)), closes [#&#8203;3995](https://github.com/KaTeX/KaTeX/issues/3995)

### [`v0.16.16`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01616-2024-12-17)

[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.15...v0.16.16)

##### Features

-   ESM exports, TypeScript types ([#&#8203;3992](https://github.com/KaTeX/KaTeX/issues/3992)) ([ea9c173](ea9c173a0d))

### [`v0.16.15`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01615-2024-12-09)

[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.14...v0.16.15)

##### Features

-   italic sans-serif in math mode via `\mathsfit` command ([#&#8203;3998](https://github.com/KaTeX/KaTeX/issues/3998)) ([2218901](22189018b6))

### [`v0.16.14`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01614-2024-12-08)

[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.13...v0.16.14)

##### Features

-   \dddot and \ddddot support ([#&#8203;3834](https://github.com/KaTeX/KaTeX/issues/3834)) ([bda35cd](bda35cdb0a)), closes [#&#8203;2744](https://github.com/KaTeX/KaTeX/issues/2744)

### [`v0.16.13`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01613-2024-12-08)

[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.12...v0.16.13)

##### Bug Fixes

-   `\vdots` and `\rule` support in text mode ([#&#8203;3997](https://github.com/KaTeX/KaTeX/issues/3997)) ([0e08352](0e08352623)), closes [#&#8203;3990](https://github.com/KaTeX/KaTeX/issues/3990)

### [`v0.16.12`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01612-2024-12-08)

[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.11...v0.16.12)

##### Features

-   **css:** configurable margin for display math ([#&#8203;3638](https://github.com/KaTeX/KaTeX/issues/3638)) ([3405001](3405001225))

### [`v0.16.11`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01611-2024-07-02)

[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.10...v0.16.11)

##### Features

-   add \emph ([#&#8203;3963](https://github.com/KaTeX/KaTeX/issues/3963)) ([9f34da4](9f34da4b3c)), closes [#&#8203;3566](https://github.com/KaTeX/KaTeX/issues/3566)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - "* 0-3 * * *" (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6693
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
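The first two workarounds listed in the advisory above (a restrictive `trust` option and rejecting `\htmlData` input), as an added example that is not KaTeX's or Forgejo's code. It assumes KaTeX's documented `trust` callback contract (a context object with `command`, `url` and `protocol` fields, where returning `false` refuses the command) and takes the render function as a parameter so it runs without the katex package installed; the allowlist of commands is a constructed default.

```javascript
"use strict";
// Commands the trust callback may approve; \htmlData is deliberately absent.
// Constructed allowlist for this example; adjust to your own needs.
const ALLOWED_TRUSTED_COMMANDS = new Set(["\\url", "\\href"]);

// Deny-by-default trust policy for KaTeX's `trust` option. Anything not
// listed, including \htmlData, \htmlClass, \htmlId and \htmlStyle, is refused.
function trustPolicy(context) {
  if (!context || typeof context.command !== "string") return false;
  if (!ALLOWED_TRUSTED_COMMANDS.has(context.command)) return false;
  // For link commands KaTeX supplies the parsed protocol; allow only http(s).
  return context.protocol === "http" || context.protocol === "https";
}

// Advisory workaround 2: reject any source containing the literal substring
// "\htmlData" before it reaches the parser at all.
function containsHtmlData(source) {
  return String(source).includes("\\htmlData");
}

// Wraps a renderToString-compatible function (e.g. katex.renderToString):
// refuses \htmlData input up front and forces `trust` to the deny-by-default
// policy so a caller cannot accidentally pass `trust: true`.
// Returns { ok: true, html } on success or { ok: false, error } when refused.
function guardedRender(renderToString, source, options = {}) {
  if (containsHtmlData(source)) {
    return { ok: false, error: "\\htmlData is not permitted" };
  }
  const safeOptions = { ...options, trust: trustPolicy };
  return { ok: true, html: renderToString(source, safeOptions) };
}
```

Call it as `guardedRender(katex.renderToString, userInput, { displayMode: true })`; the `trust` key in the caller's options is always overridden.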
This commit is contained in:
Renovate Bot 2025-01-28 11:34:30 +00:00 committed by Gusted
parent 70334a6f29
commit 0f1cf6dade
2 changed files with 6 additions and 5 deletions

package-lock.json generated

@ -31,7 +31,7 @@
"htmx.org": "1.9.11",
"idiomorph": "0.3.0",
"jquery": "3.7.1",
"katex": "0.16.10",
"katex": "0.16.21",
"license-checker-webpack-plugin": "0.2.1",
"mermaid": "10.9.3",
"mini-css-extract-plugin": "2.8.1",
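Review bot: the pin in the lockfile's top-level dependency list moves from 0.16.10 to 0.16.21, which matches the package.json hunk, so nothing is inconsistent here. One thing to check before merge: the jump covers eleven releases that also introduce ESM exports and TypeScript types (0.16.16), so confirm the bundler still resolves the same katex entry point it used before.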
@ -7654,13 +7654,14 @@
"integrity": "sha512-b+z6yF1d4EOyDgylzQo5IminlUmzSeqR1hs/bzjBNjuGras4FXq/6TrzjxfN0j+TmI0ltJzTNlqXUMCniciwKQ=="
},
"node_modules/katex": {
"version": "0.16.10",
"resolved": "https://registry.npmjs.org/katex/-/katex-0.16.10.tgz",
"integrity": "sha512-ZiqaC04tp2O5utMsl2TEZTXxa6WSC4yo0fv5ML++D3QZv/vx2Mct0mTlRx3O+uUkjfuAgOkzsCmq5MiUEsDDdA==",
"version": "0.16.21",
"resolved": "https://registry.npmjs.org/katex/-/katex-0.16.21.tgz",
"integrity": "sha512-XvqR7FgOHtWupfMiigNzmh+MgUVmDGU2kXZm899ZkPfcuoPuFxyHmXsgATDpFZDAXCI8tvinaVcDo8PIIJSo4A==",
"funding": [
"https://opencollective.com/katex",
"https://github.com/sponsors/katex"
],
"license": "MIT",
"dependencies": {
"commander": "^8.3.0"
},
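Review bot: `version`, `resolved` and `integrity` for `node_modules/katex` change together, which is the right shape for a pinned bump, and the remaining fields (funding, MIT license, `commander ^8.3.0`) are untouched, so no transitive update rides along. The hunk header grows from 13 to 14 lines while only three lines read as replaced, so one line in this entry was newly written by the lockfile regeneration; confirm the lockfile was regenerated with the npm version the project expects so that only this entry churns.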

View file

@ -30,7 +30,7 @@
"htmx.org": "1.9.11",
"idiomorph": "0.3.0",
"jquery": "3.7.1",
"katex": "0.16.10",
"katex": "0.16.21",
"license-checker-webpack-plugin": "0.2.1",
"mermaid": "10.9.3",
"mini-css-extract-plugin": "2.8.1",
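Review bot: the exact pin (no `^`) is kept, consistent with the neighbouring entries. Since the fix for CVE-2025-23207 is the version itself, no change to the renderer's options is required in this PR; the advisory's workaround of running KaTeX with `trust` disabled or restricted is still worth keeping in mind for the math rendering path as defence in depth.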