
Commit 0f1cf6d

Renovate Bot authored and Gusted committed
Update dependency katex to v0.16.21 [SECURITY] (v7.0/forgejo) (#6693)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [katex](https://katex.org) ([source](https://github.com/KaTeX/KaTeX)) | dependencies | patch | [`0.16.10` -> `0.16.21`](https://renovatebot.com/diffs/npm/katex/0.16.10/0.16.21) |

---

### KaTeX \htmlData does not validate attribute names

[CVE-2025-23207](https://nvd.nist.gov/vuln/detail/CVE-2025-23207) / [GHSA-cg87-wmx4-v546](GHSA-cg87-wmx4-v546)

<details>
<summary>More information</summary>

#### Details

##### Impact

KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generate invalid HTML.

##### Patches

Upgrade to KaTeX v0.16.21 to remove this vulnerability.

##### Workarounds

- Avoid use of or turn off the `trust` option, or set it to forbid `\htmlData` commands.
- Forbid inputs containing the substring `"\\htmlData"`.
- Sanitize HTML output from KaTeX.

##### Details

`\htmlData` did not validate its attribute name argument, allowing it to generate invalid or malicious HTML that runs scripts.

##### For more information

If you have any questions or comments about this advisory:

- Open an issue or security advisory in the [KaTeX repository](https://github.com/KaTeX/KaTeX/)
- Email us at [[email protected]](mailto:[email protected])

#### Severity

- CVSS Score: 6.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L`

#### References

- [https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cg87-wmx4-v546](https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cg87-wmx4-v546)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-23207](https://nvd.nist.gov/vuln/detail/CVE-2025-23207)
- [https://github.com/KaTeX/KaTeX/commit/ff289955e81aab89086eef09254cbf88573d415c](https://github.com/KaTeX/KaTeX/commit/ff289955e81aab89086eef09254cbf88573d415c)
- [https://github.com/KaTeX/KaTeX](https://github.com/KaTeX/KaTeX)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-cg87-wmx4-v546) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>KaTeX/KaTeX (katex)</summary>

### [`v0.16.21`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01621-2025-01-17)

[Compare Source](KaTeX/KaTeX@v0.16.20...v0.16.21)

##### Bug Fixes

- escape \htmlData attribute name ([57914ad](KaTeX/KaTeX@57914ad))

### [`v0.16.20`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01620-2025-01-12)

[Compare Source](KaTeX/KaTeX@v0.16.19...v0.16.20)

##### Bug Fixes

- \providecommand does not overwrite existing macro ([#4000](KaTeX/KaTeX#4000)) ([6d30fe4](KaTeX/KaTeX@6d30fe4)), closes [#3928](KaTeX/KaTeX#3928)

### [`v0.16.19`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01619-2024-12-29)

[Compare Source](KaTeX/KaTeX@v0.16.18...v0.16.19)

##### Bug Fixes

- **types:** improve `strict` function type ([#4009](KaTeX/KaTeX#4009)) ([4228b4e](KaTeX/KaTeX@4228b4e))

### [`v0.16.18`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01618-2024-12-18)

[Compare Source](KaTeX/KaTeX@v0.16.17...v0.16.18)

##### Bug Fixes

- Actually publish TypeScript type definitions ([#4008](KaTeX/KaTeX#4008)) ([629b873](KaTeX/KaTeX@629b873))

### [`v0.16.17`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01617-2024-12-17)

[Compare Source](KaTeX/KaTeX@v0.16.16...v0.16.17)

##### Bug Fixes

- MathML combines multidigit numbers with sup/subscript, comma separators, and multicharacter text when outputting to DOM ([#3999](KaTeX/KaTeX#3999)) ([7d79e22](KaTeX/KaTeX@7d79e22)), closes [#3995](KaTeX/KaTeX#3995)

### [`v0.16.16`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01616-2024-12-17)

[Compare Source](KaTeX/KaTeX@v0.16.15...v0.16.16)

##### Features

- ESM exports, TypeScript types ([#3992](KaTeX/KaTeX#3992)) ([ea9c173](KaTeX/KaTeX@ea9c173))

### [`v0.16.15`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01615-2024-12-09)

[Compare Source](KaTeX/KaTeX@v0.16.14...v0.16.15)

##### Features

- italic sans-serif in math mode via `\mathsfit` command ([#3998](KaTeX/KaTeX#3998)) ([2218901](KaTeX/KaTeX@2218901))

### [`v0.16.14`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01614-2024-12-08)

[Compare Source](KaTeX/KaTeX@v0.16.13...v0.16.14)

##### Features

- \dddot and \ddddot support ([#3834](KaTeX/KaTeX#3834)) ([bda35cd](KaTeX/KaTeX@bda35cd)), closes [#2744](KaTeX/KaTeX#2744)

### [`v0.16.13`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01613-2024-12-08)

[Compare Source](KaTeX/KaTeX@v0.16.12...v0.16.13)

##### Bug Fixes

- `\vdots` and `\rule` support in text mode ([#3997](KaTeX/KaTeX#3997)) ([0e08352](KaTeX/KaTeX@0e08352)), closes [#3990](KaTeX/KaTeX#3990)

### [`v0.16.12`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01612-2024-12-08)

[Compare Source](KaTeX/KaTeX@v0.16.11...v0.16.12)

##### Features

- **css:** configurable margin for display math ([#3638](KaTeX/KaTeX#3638)) ([3405001](KaTeX/KaTeX@3405001))

### [`v0.16.11`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01611-2024-07-02)

[Compare Source](KaTeX/KaTeX@v0.16.10...v0.16.11)

##### Features

- add \emph ([#3963](KaTeX/KaTeX#3963)) ([9f34da4](KaTeX/KaTeX@9f34da4)), closes [#3566](KaTeX/KaTeX#3566)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - "* 0-3 * * *" (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6693
Reviewed-by: Gusted <[email protected]>
Co-authored-by: Renovate Bot <[email protected]>
Co-committed-by: Renovate Bot <[email protected]>
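The workarounds the advisory above lists, as an added example that is not part of this commit, of KaTeX, or of Forgejo: a `trust` callback that refuses `\htmlData`, a pre-render input check, and the kind of attribute-name validation the fix has to guarantee. Function names are mine; the `trust` context fields (`command`, `url`, `protocol`) and the `\htmlData{key=value,...}{content}` argument form are assumed from KaTeX's documented options, not taken from this page.

```javascript
// Added example, not KaTeX's or Forgejo's code. Pure functions so the
// checks can be unit-tested without loading katex.
// Assumption: katex's `trust` option accepts a callback receiving a context
// with `command`, plus `url`/`protocol` for link commands, and
// `\htmlData{key=value,...}{content}` emits a `data-key` attribute per key.

// Workaround 1: a `trust` callback that only admits link commands over an
// allowlist of protocols; every other trust-gated command, \htmlData
// included, is refused.
const TRUSTED_COMMANDS = new Set(['\\url', '\\href']);
const TRUSTED_PROTOCOLS = new Set(['http', 'https', 'mailto', '_relative']);

function isTrustedCommand(context) {
  if (!TRUSTED_COMMANDS.has(context.command)) return false;
  return TRUSTED_PROTOCOLS.has(context.protocol);
}

// Options object to hand to katex.renderToString(tex, katexOptions).
const katexOptions = { trust: isTrustedCommand, throwOnError: false };

// Workaround 2: reject input that contains the literal \htmlData substring.
function inputForbidsHtmlData(tex) {
  return !tex.includes('\\htmlData');
}

// What validation of the attribute-name argument must enforce: an HTML
// attribute name may not be empty or contain whitespace, quotes, '=', '/',
// '>' or control characters. An identifier-style allowlist is the
// conservative choice; the emitted attribute is `data-` + name.
function isSafeDataAttrName(name) {
  return /^[A-Za-z_][A-Za-z0-9_-]*$/.test(name);
}

// Check every key of a `key=value,key2=value2` \htmlData argument before the
// expression reaches the renderer; a pair without '=' or with an empty key
// is rejected.
function htmlDataArgIsSafe(arg) {
  return arg.split(',').every((pair) => {
    const eq = pair.indexOf('=');
    return eq > 0 && isSafeDataAttrName(pair.slice(0, eq).trim());
  });
}
```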
1 parent 70334a6 commit 0f1cf6d

File tree

2 files changed

+6
-5
lines changed

package-lock.json

Lines changed: 5 additions & 4 deletions

package.json

Lines changed: 1 addition & 1 deletion
@@ -30,7 +30,7 @@
3030
"htmx.org": "1.9.11",
3131
"idiomorph": "0.3.0",
3232
"jquery": "3.7.1",
33-
"katex": "0.16.10",
33+
"katex": "0.16.21",
3434
"license-checker-webpack-plugin": "0.2.1",
3535
"mermaid": "10.9.3",
3636
"mini-css-extract-plugin": "2.8.1",
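Review bot: the `"katex": "0.16.21"` line pins exactly the version the advisory names as the fix, so the package.json side is sufficient, but the package-lock.json diff (5 additions, 4 deletions per the file list) is not rendered here; confirm the lockfile's `katex` entry and its integrity hash moved to 0.16.21 too, since `npm ci` refuses a package.json/lockfile mismatch. The advisory also says the impact requires the `trust` option on untrusted input, and the commit message does not say whether Forgejo's KaTeX rendering enables `trust`; a one-line note on that would let readers judge the actual exposure of v7.0 before the bump.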
