Update dependency pygments to v2.20.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pygments (changelog)	==2.18.0 → ==2.20.0

GitHub Vulnerability Alerts

CVE-2026-4539

A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

---

Release Notes

pygments/pygments (pygments)

v2.20.0

Compare Source

(released March 29th, 2026)

• New lexers:

  • Rell (#​2914)

• Updated lexers:

  • archetype: Fix catastrophic backtracking in GUID and ID patterns (#​3064)
  • ASN.1: Recognize minus sign and fix range operator (#​3014, #​3060)
  • C++: Add C++26 keywords (#​2955), add integer literal suffixes (#​2966)
  • ComponentPascal: Fix analyse_text (#​3028, #​3032)
  • Coq renamed to Rocq (#​2883, #​2908)
  • Cython: Various improvements (#​2932, #​2933)
  • Debian control: Improve architecture parsing (#​3052)
  • Devicetree: Add support for overlay/fragments (#​3021), add bytestring support (#​3022), fix catastrophic backtracking (#​3057)
  • Fennel: Various improvements (#​2911)
  • Haskell: Handle escape sequences in character literals (#​3069, #​1795)
  • Java: Add module keywords (#​2955)
  • Lean4: Add operators ]', ]?, ]! (#​2946)
  • LESS: Support single-line comments (#​3005)
  • LilyPond: Update to 2.25.29 (#​2974)
  • LLVM: Support C-style comments (#​3023, #​2978)
  • Lua(u): Fix catastrophic backtracking (#​3047)
  • Macaulay2: Update to 1.25.05 (#​2893), 1.25.11 (#​2988)
  • Mathematica: Various improvements (#​2957)
  • meson: Add additional operators (#​2919)
  • MySQL: Update keywords (#​2970)
  • org-Mode: Support both schedule and deadline (#​2899)
  • PHP: Add __PROPERTY__ magic constant (#​2924), add reserved keywords (#​3002)
  • PostgreSQL: Add more keywords (#​2985)
  • protobuf: Fix namespace tokenization (#​2929)
  • Python: Add t-string support (#​2973, #​3009, #​3010)
  • Tablegen: Fix infinite loop (#​2972, #​2940)
  • Tera Term macro: Add commands introduced in v5.3 through v5.6 (#​2951)
  • TOML: Support TOML 1.1.0 (#​3026, #​3027)
  • Turtle: Allow empty comment lines (#​2980)
  • XML: Added .xbrl as file ending (#​2890, #​2891)

• Drop Python 3.8, and add Python 3.14 as a supported version (#​2987, #​3012)

• Various improvements to autopygmentize (#​2894)

• Update onedark style to support more token types (#​2977)

• Update rtt style to support more token types (#​2895)

• Cache entry points to improve performance (#​2979)

• Fix xterm-256 color table (#​3043)

• Fix kwargs dictionary getting mutated on each call (#​3044)

v2.19.2

Compare Source

(released June 21st, 2025)

• Lua: Fix regression introduced in 2.19.0 (#​2882, #​2839)

v2.19.1

Compare Source

(released January 6th, 2025)

• Updated lexers:

  • Ini: Fix quoted string regression introduced in 2.19.0
  • Lua: Fix a regression introduced in 2.19.0

v2.19.0

Compare Source

(released January 5th, 2025)

• New lexers:

  • CodeQL (#​2819)
  • Debian Sources (#​2788, #​2747)
  • Gleam (#​2662)
  • GoogleSQL (#​2820, #​2814)
  • JSON5 (#​2734, #​1880)
  • Maple (#​2763, #​2548)
  • NumbaIR (#​2433)
  • PDDL (#​2799, #​2616)
  • Rego (#​2794)
  • TableGen (#​2751)
  • Vue.js (#​2832)

• Updated lexers:

  • BQN: Various improvements (#​2789)
  • C#: Fix number highlighting (#​986, #​2727), add file keyword (#​2726, #​2805, #​2806), add various other keywords (#​2745, #​2770)
  • CSS: Add revert (#​2766, #​2775)
  • Debian control: Add Change-By field (#​2757)
  • Elip: Improve punctuation handling (#​2651)
  • Igor: Add int (#​2801)
  • Ini: Fix quoted strings with embedded comment characters (#​2767, #​2720)
  • Java: Support functions returning types containing a question mark (#​2737)
  • JavaScript: Support private identiiers (#​2729, #​2671)
  • LLVM: Add splat, improve floating-point number parsing (#​2755)
  • Lua: Improve variable detection, add built-in functions (#​2829)
  • Macaulay2: Update to 1.24.11 (#​2800)
  • PostgreSQL: Add more EXPLAIN keywords (#​2785), handle / (#​2774)
  • S-Lexer: Fix keywords (#​2082, #​2750)
  • TransactSQL: Fix single-line comments (#​2717)
  • Turtle: Fix triple quoted strings (#​2744, #​2758)
  • Typst: Various improvements (#​2724)
  • Various: Add ^ as an operator to Matlab, Octave and Scilab (#​2798)
  • Vyper: Add staticcall and extcall (#​2719)

• Mark file extensions for HTML/XML+Evoque as aliases (#​2743)
• Add a color for Operator.Word to the rrt style (#​2709)
• Fix broken link in the documentation (#​2803, #​2804)
• Drop executable bit where not needed (#​2781)
• Reduce Mojo priority relative to Python in analyze_text (#​2771, #​2772)
• Fix documentation builds (#​2712)
• Match example file names to the lexer's name (#​2713, #​2715)
• Ensure lexer metadata is present (#​2714)
• Search more directories on macOS for fonts (#​2809)
• Improve test robustness (#​2812)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.