Security News
Deno 2.6 + Socket: Supply Chain Defense In Your CLI
Deno 2.6 introduces deno audit with a new --socket flag that plugs directly into Socket to bring supply chain security checks into the Deno CLI.
By Sarah GoodingΒ - Β Dec 12, 2025
π¨ Shai-Hulud Strikes Again:834 Packages Compromised.Technical Analysis β
fstmd
Artifacts are distributable versions of a package. It typically includes the source code and metadata
Advanced tools
- Version
- 1.0.0
- Maintainers
- 1
FSTMD - Finite-State Markdown Engine
A pure Finite State Transducer (FST) Markdown to HTML converter for Python 3.13+.
Features
- β‘ O(N) Single-Pass Processing - No backtracking, no regex, no AST
- π Security First - XSS prevention with proper HTML escaping
- π― Zero Dependencies - Pure Python, no external packages required
- π Type Safe - Full type annotations, mypy strict compatible
- π Python 3.13+ Optimized - Uses latest Python features
Installation
pip install fstmd
Or install from source:
git clone https://github.com/fstmd/fstmd.git
cd fstmd
pip install -e .
Quick Start
from fstmd import Markdown
# Create a parser (safe mode by default)
md = Markdown(mode="safe")
# Render Markdown to HTML
html = md.render("**Hello** *world*")
print(html)
# Output: <p><strong>Hello</strong> <em>world</em></p>
Supported Markdown Features
| Feature | Syntax | Output |
|---|---|---|
| Bold | **text** | <strong>text</strong> |
| Italic | *text* | <em>text</em> |
| Bold+Italic | ***text*** | <strong><em>text</em></strong> |
| Headings | # H1 to ###### H6 | <h1> to <h6> |
| Unordered Lists | - item | <ul><li>item</li></ul> |
| Paragraphs | Blank line separated | <p>...</p> |
API Reference
Markdown Class
from fstmd import Markdown
# Safe mode (default) - escapes all HTML
md = Markdown(mode="safe")
# Raw mode - passes through HTML (use with trusted input only!)
md = Markdown(mode="raw")
# Strict mode - raises exceptions on security issues
md = Markdown(mode="safe", strict=True)
# Render markdown
html = md.render("# Hello **World**")
# Always render safely, regardless of instance mode
safe_html = md.render_safe("<script>alert(1)</script>")
Convenience Functions
from fstmd.parser import render, render_unsafe
# Quick render with caching
html = render("**bold**")
# Render without escaping (dangerous!)
html = render_unsafe("<b>raw html</b>")
Security
FSTMD is designed with security as a primary concern:
Safe Mode (Default)
All HTML special characters are escaped:
<β<>β>&β&"β"'β'
md = Markdown(mode="safe")
result = md.render("<script>alert('xss')</script>")
# Output: <p><script>alert('xss')</script></p>
Dangerous Pattern Detection
The library detects and can reject:
<script>tagsjavascript:URLsvbscript:URLsdata:URLs (except safe image types)
Architecture
Finite State Transducer Design
FSTMD uses a Mealy Machine (FST) where output is generated during state transitions.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β INLINE FST STATES β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β βββββββββ '*' ββββββββββββ '*' ββββββββββββ β
β β TEXT βββββββββββββΊβ STAR_ONE ββββββββββββΊβ STAR_TWO β β
β βββββ¬ββββ ββββββ¬ββββββ ββββββ¬ββββββ β
β β β β β
β β other β other β other β
β βΌ βΌ βΌ β
β output char start italic start bold β
β β
β βββββββββββββ ββββββββββββββ β
β β IN_ITALIC ββββββββββ STAR_ONE β (from TEXT with '*') β
β βββββββ¬ββββββ ββββββββββββββ β
β β '*' β
β βΌ β
β ββββββββββββββββ β
β β close italic ββββββΊ output </em>, goto TEXT β
β ββββββββββββββββ β
β β
β ββββββββββββ βββββββββββββββββ β
β β IN_BOLD βββββββββββ STAR_TWO β (from STAR_ONE) β
β ββββββ¬ββββββ βββββββββββββββββ β
β β '**' β
β βΌ β
β βββββββββββββββ β
β β close bold ββββββββββΊ output </strong> β
β βββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Block-Level FST
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β BLOCK FST STATES β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β ββββββββββββ β
β β START β ββββββββββββββββββββββββββββββββββββββββββββββ β
β ββββββ¬ββββββ β β
β β β β
β βββββ΄ββββ '#' ββββββββββββ β β
β β LINE ββββββββββββΊβ HEADING ββββΊ count #'s, emit <hN> β β
β β START β ββββββββββββ β β
β βββββ¬ββββ β β
β β β β
β β '-' βββββββββββββββββ β β
β βββββββββββΊβ LIST_ITEM ββββΊ emit <li> β β
β β βββββββββββββββββ β β
β β β β
β β '\n' βββββββββββββββββ β β
β βββββββββββΊβ BLANK_LINE ββββΊ close paragraph β β
β β βββββββββββββββββ β β
β β β β
β β other βββββββββββββββββ β β
β βββββββββββΊβ PARAGRAPH ββββΊ emit <p> β β
β βββββββββββββββββ β β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Key Design Decisions
- Two-Character Lookahead Maximum - Disambiguates
*vs**vs*** - No Backtracking - All decisions are final
- Output During Transitions - Mealy machine produces output as it processes
- Immutable State Definitions - States are enums, transitions are cached
Performance
Complexity Guarantees
| Operation | Time Complexity | Space Complexity |
|---|---|---|
| Parse | O(N) | O(N) |
| Per character | O(1) | O(1) |
Benchmarks
Tested on Python 3.13 with a medium-sized document (~500 chars):
| Library | Avg Time (ms) | Throughput | Relative |
|---|---|---|---|
| FSTMD | 0.05 | 10M chars/sec | 1.0x |
| markdown-it-py | 0.15 | 3.3M chars/sec | 0.33x |
| Python-Markdown | 0.30 | 1.7M chars/sec | 0.17x |
| CommonMark-Py | 0.35 | 1.4M chars/sec | 0.14x |
Note: Benchmarks vary by hardware and document structure.
Run benchmarks yourself:
from fstmd.benchmarks import run_benchmarks, print_benchmark_results
results = run_benchmarks()
print_benchmark_results(results)
Limitations
FSTMD focuses on speed and simplicity. It does not support:
- Code blocks (fenced or indented)
- Block quotes
- Ordered lists
- Links and images
- Tables
- Footnotes
- HTML pass-through in safe mode
For full CommonMark compliance, use markdown-it-py.
Development
Setup
# Clone the repository
git clone https://github.com/fstmd/fstmd.git
cd fstmd
# Install with dev dependencies
pip install -e ".[dev]"
# Run tests
pytest
# Type checking
mypy fstmd
# Linting
ruff check fstmd
Project Structure
fstmd/
βββ __init__.py # Package exports
βββ __main__.py # CLI entry point
βββ parser.py # High-level Markdown class
βββ exceptions.py # Custom exceptions
βββ core/
β βββ __init__.py
β βββ fsm.py # Main FST engine
β βββ states.py # State definitions
β βββ transitions.py # Transition table
β βββ safe_html.py # HTML escaping
βββ benchmarks/
β βββ __init__.py
β βββ runner.py # Benchmark utilities
βββ tests/
βββ conftest.py
βββ test_inline.py
βββ test_blocks.py
βββ test_security.py
βββ test_fsm.py
βββ test_integration.py
Building and Publishing
Build
# Install build tools
pip install build twine
# Build distribution
python -m build
# Check the build
twine check dist/*
Publish to PyPI
# Upload to TestPyPI first
twine upload --repository testpypi dist/*
# Upload to PyPI
twine upload dist/*
Contributing
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Add tests for new functionality
- Ensure all tests pass (
pytest) - Ensure type checking passes (
mypy fstmd) - Ensure linting passes (
ruff check fstmd) - Submit a pull request
License
MIT License - see LICENSE file.
Acknowledgments
Inspired by:
- markdown-it - Architecture insights
- peg-markdown - PEG-based parsing ideas
- Automata theory and FST research
Made with β€οΈ for fast, secure Markdown parsing.
FAQs
Finite-State Markdown Engine - O(N) single-pass Markdown to HTML converter using pure FST
We found that fstmd demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago.Β It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
New React Server Components Vulnerabilities: DoS and Source Code Exposure
New DoS and source code exposure bugs in React Server Components and Next.js: whatβs affected and how to update safely.
By Sarah GoodingΒ - Β Dec 12, 2025
Security News
Software Engineering Daily Podcast: Feross on AI, Open Source, and Supply Chain Risk
Socket CEO Feross Aboukhadijeh joins Software Engineering Daily to discuss modern software supply chain attacks and rising AI-driven security risks.
By Sarah GoodingΒ - Β Dec 11, 2025