Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
mdast-util-gfm-autolink-literal
Advanced tools
mdast extension to parse and serialize GFM autolink literals
The mdast-util-gfm-autolink-literal npm package is a utility to support GitHub Flavored Markdown (GFM) autolink literals in mdast syntax trees. It helps parse and serialize autolink literals like URLs and email addresses directly in Markdown documents, making them clickable links without additional markup.
Parsing GFM Autolink Literals
This code sample demonstrates how to set up a processor using Unified with the remark-parse and remark-gfm plugins, enhanced by mdast-util-gfm-autolink-literal to automatically parse URLs written in plain text as autolink literals in the Markdown document.
import { unified } from 'unified';
import markdown from 'remark-parse';
import gfm from 'remark-gfm';
import gfmAutolinkLiteral from 'mdast-util-gfm-autolink-literal';
const processor = unified()
.use(markdown)
.use(gfm)
.use(gfmAutolinkLiteral);
const tree = processor.parse('See https://example.com for more info.');
console.log(tree);
This package is a plugin for remark that supports all GFM features, including autolinks, tables, strikethrough, and task lists. It is broader in scope compared to mdast-util-gfm-autolink-literal, which specifically focuses on autolink literals.
Similar to mdast-util-gfm-autolink-literal, this package is a micromark extension to parse and serialize GFM autolink literals. It serves a similar purpose but is used in the micromark ecosystem, which is the underlying system for remark.
mdast extensions to parse and serialize GFM autolink literals.
This package contains two extensions that add support for GFM autolink literals
syntax in markdown to mdast.
These extensions plug into
mdast-util-from-markdown
(to support parsing
GFM autolinks in markdown into a syntax tree) and
mdast-util-to-markdown
(to support serializing
GFM autolinks in syntax trees to markdown).
GitHub employs different algorithms to autolink: one at parse time and one at
transform time (similar to how @mentions
are done at transform time).
This difference can be observed because character references and escapes are
handled differently.
But also because issues/PRs/comments omit (perhaps by accident?) the second
algorithm for www.
, http://
, and https://
links (but not for email links).
As the corresponding micromark extension
micromark-extension-gfm-autolink-literal
is a syntax extension,
it can only perform the first algorithm.
The tree extension gfmAutolinkLiteralFromMarkdown
from this package can
perform the second algorithm, and as they are combined, both are done.
You can use these extensions when you are working with
mdast-util-from-markdown
and mdast-util-to-markdown
already.
When working with mdast-util-from-markdown
, you must combine this package
with
micromark-extension-gfm-autolink-literal
.
When you don’t need a syntax tree, you can use micromark
directly with micromark-extension-gfm-autolink-literal
.
When you are working with syntax trees and want all of GFM, use
mdast-util-gfm
instead.
All these packages are used remark-gfm
, which
focusses on making it easier to transform content by abstracting these
internals away.
This utility does not handle how markdown is turned to HTML.
That’s done by mdast-util-to-hast
.
This package is ESM only. In Node.js (version 16+), install with npm:
npm install mdast-util-gfm-autolink-literal
In Deno with esm.sh
:
import {gfmAutolinkLiteralFromMarkdown, gfmAutolinkLiteralToMarkdown} from 'https://esm.sh/mdast-util-gfm-autolink-literal@2'
In browsers with esm.sh
:
<script type="module">
import {gfmAutolinkLiteralFromMarkdown, gfmAutolinkLiteralToMarkdown} from 'https://esm.sh/mdast-util-gfm-autolink-literal@2?bundle'
</script>
Say our document example.md
contains:
www.example.com, https://example.com, and contact@example.com.
…and our module example.js
looks as follows:
import fs from 'node:fs/promises'
import {gfmAutolinkLiteral} from 'micromark-extension-gfm-autolink-literal'
import {fromMarkdown} from 'mdast-util-from-markdown'
import {
gfmAutolinkLiteralFromMarkdown,
gfmAutolinkLiteralToMarkdown
} from 'mdast-util-gfm-autolink-literal'
import {toMarkdown} from 'mdast-util-to-markdown'
const doc = await fs.readFile('example.md')
const tree = fromMarkdown(doc, {
extensions: [gfmAutolinkLiteral()],
mdastExtensions: [gfmAutolinkLiteralFromMarkdown()]
})
console.log(tree)
const out = toMarkdown(tree, {extensions: [gfmAutolinkLiteralToMarkdown()]})
console.log(out)
…now running node example.js
yields (positional info removed for brevity):
{
type: 'root',
children: [
{
type: 'paragraph',
children: [
{
type: 'link',
title: null,
url: 'http://www.example.com',
children: [{type: 'text', value: 'www.example.com'}]
},
{type: 'text', value: ', '},
{
type: 'link',
title: null,
url: 'https://example.com',
children: [{type: 'text', value: 'https://example.com'}]
},
{type: 'text', value: ', and '},
{
type: 'link',
title: null,
url: 'mailto:contact@example.com',
children: [{type: 'text', value: 'contact@example.com'}]
},
{type: 'text', value: '.'}
]
}
]
}
[www.example.com](http://www.example.com), <https://example.com>, and <contact@example.com>.
This package exports the identifiers
gfmAutolinkLiteralFromMarkdown
and
gfmAutolinkLiteralToMarkdown
.
There is no default export.
gfmAutolinkLiteralFromMarkdown()
Create an extension for mdast-util-from-markdown
to enable GFM autolink literals in markdown.
Extension for mdast-util-to-markdown
to enable GFM autolink literals
(FromMarkdownExtension
).
gfmAutolinkLiteralToMarkdown()
Create an extension for mdast-util-to-markdown
to
enable GFM autolink literals in markdown.
Extension for mdast-util-to-markdown
to enable GFM autolink literals
(ToMarkdownExtension
).
This utility does not handle how markdown is turned to HTML.
That’s done by mdast-util-to-hast
.
See Syntax in micromark-extension-gfm-autolink-literal
.
There are no interfaces added to mdast by this utility, as it reuses the existing Link interface.
This package is fully typed with TypeScript. It does not export additional types.
The Link
type of the mdast nodes is exposed from @types/mdast
.
Projects maintained by the unified collective are compatible with maintained versions of Node.js.
When we cut a new major release, we drop support for unmaintained versions of
Node.
This means we try to keep the current release line,
mdast-util-gfm-autolink-literal@^2
, compatible with Node.js 16.
This utility works with mdast-util-from-markdown
version 2+ and
mdast-util-to-markdown
version 2+.
remarkjs/remark-gfm
— remark plugin to support GFMsyntax-tree/mdast-util-gfm
— same but all of GFM (autolink literals, footnotes, strikethrough, tables,
tasklists)micromark/micromark-extension-gfm-autolink-literal
— micromark extension to parse GFM autolink literalsSee contributing.md
in syntax-tree/.github
for
ways to get started.
See support.md
for ways to get help.
This project has a code of conduct. By interacting with this repository, organization, or community you agree to abide by its terms.
FAQs
mdast extension to parse and serialize GFM autolink literals
We found that mdast-util-gfm-autolink-literal demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.