small, safe, and great commonmark (optionally gfm) compliant markdown parser
Installations
npm install micromark-util-sanitize-uri
Releases
micromark-util-subtokenize@2.0.3
Published on 19 Nov 2024
4.0.1
Published on 12 Nov 2024
micromark-core-commonmark@2.0.1
Published on 23 Apr 2024
micromark-util-subtokenize@2.0.1
Published on 16 Apr 2024
micromark-util-character@2.1.0
Published on 28 Jan 2024
micromark-util-decode-numeric-character-reference@2.0.1
Published on 27 Oct 2023
Developer
Developer Guide
Module System
ESM
Min. Node Version
Typescript Support
Yes
Node Version
23.1.0
NPM Version
10.9.0
Statistics
1,828 Stars
639 Commits
65 Forks
14 Watching
2 Branches
27 Contributors
Updated on 27 Nov 2024
Languages
JavaScript (100%)
Total Downloads
Cumulative downloads
Total Downloads
442,457,492
Last day
0.7%
1,410,785
Compared to previous day
Last week
6.2%
7,473,290
Compared to previous week
Last month
16.2%
30,388,524
Compared to previous month
Last year
121.8%
271,659,747
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
The smallest CommonMark compliant markdown parser. With positional info and concrete tokens.
Feature highlights
- compliant (100% to CommonMark)
- extensions (100% GFM, 100% MDX.js, directives, frontmatter, math)
- safe (by default)
- robust (±2k tests, 100% coverage, fuzz testing)
- small (smallest CM parser at ±14kb)
Contents
- When should I use this?
- What is this?
- Install
- Use
- API
- Extensions
- Architecture
- Examples
- Markdown
- Project
When should I use this?
- If you just want to turn markdown into HTML (with maybe a few extensions)
- If you want to do really complex things with markdown
See § Comparison for more info
What is this?
micromark
is an open source markdown parser written in JavaScript.
It’s implemented as a state machine that emits concrete tokens, so that every
byte is accounted for, with positional info.
It then compiles those tokens directly to HTML, but other tools can take the
data and for example build an AST which is easier to work with
(mdast-util-to-markdown
).
While most markdown parsers work towards compliancy with CommonMark (or GFM),
this project goes further by following how the reference parsers (cmark
,
cmark-gfm
) work, which is confirmed with thousands of extra tests.
Other than CommonMark and GFM, micromark also supports common extensions to markdown such as MDX, math, and frontmatter.
These npm packages have a sibling project in Rust:
markdown-rs
.
- to learn markdown, see this cheatsheet and tutorial
- for more about us, see
unifiedjs.com
- for updates, see Twitter
- for questions, see Discussions
- to help, see contribute and sponsor below
Install
This package is ESM only. In Node.js (version 16+), install with npm:
1npm install micromark
In Deno with esm.sh
:
1import {micromark} from 'https://esm.sh/micromark@3'
In browsers with esm.sh
:
1<script type="module"> 2 import {micromark} from 'https://esm.sh/micromark@3?bundle' 3</script>
Use
Typical use (buffering):
1import {micromark} from 'micromark' 2 3console.log(micromark('## Hello, *world*!'))
Yields:
1<h2>Hello, <em>world</em>!</h2>
You can pass extensions (in this case micromark-extension-gfm
):
1import {micromark} from 'micromark' 2import {gfmHtml, gfm} from 'micromark-extension-gfm' 3 4const value = '* [x] contact@example.com ~~strikethrough~~' 5 6const result = micromark(value, { 7 extensions: [gfm()], 8 htmlExtensions: [gfmHtml()] 9}) 10 11console.log(result)
Yields:
1<ul> 2<li><input checked="" disabled="" type="checkbox"> <a href="mailto:contact@example.com">contact@example.com</a> <del>strikethrough</del></li> 3</ul>
Streaming interface:
1import {createReadStream} from 'node:fs' 2import {stream} from 'micromark/stream' 3 4createReadStream('example.md') 5 .on('error', handleError) 6 .pipe(stream()) 7 .pipe(process.stdout) 8 9function handleError(error) { 10 // Handle your error here! 11 throw error 12}
API
See § API in the micromark
readme.
Extensions
micromark supports extensions.
There are two types of extensions for micromark:
SyntaxExtension
,
which change how markdown is parsed, and HtmlExtension
,
which change how it compiles.
They can be passed in options.extensions
or
options.htmlExtensions
, respectively.
As a user of extensions, refer to each extension’s readme for more on how to use them. As a (potential) author of extensions, refer to § Extending markdown and § Creating a micromark extension.
List of extensions
micromark/micromark-extension-directive
— support directives (generic extensions)micromark/micromark-extension-frontmatter
— support frontmatter (YAML, TOML, etc)micromark/micromark-extension-gfm
— support GFM (GitHub Flavored Markdown)micromark/micromark-extension-gfm-autolink-literal
— support GFM autolink literalsmicromark/micromark-extension-gfm-footnote
— support GFM footnotesmicromark/micromark-extension-gfm-strikethrough
— support GFM strikethroughmicromark/micromark-extension-gfm-table
— support GFM tablesmicromark/micromark-extension-gfm-tagfilter
— support GFM tagfiltermicromark/micromark-extension-gfm-task-list-item
— support GFM tasklistsmicromark/micromark-extension-math
— support mathmicromark/micromark-extension-mdx
— support MDXmicromark/micromark-extension-mdxjs
— support MDX.jsmicromark/micromark-extension-mdx-expression
— support MDX (or MDX.js) expressionsmicromark/micromark-extension-mdx-jsx
— support MDX (or MDX.js) JSXmicromark/micromark-extension-mdx-md
— support misc MDX changesmicromark/micromark-extension-mdxjs-esm
— support MDX.js import/exports
Community extensions
wataru-chocola/micromark-extension-definition-list
— support definition lists
SyntaxExtension
A syntax extension is an object whose fields are typically the names of hooks, referring to where constructs “hook” into. The fields at such objects are character codes, mapping to constructs as values.
The built in constructs are an example. See it and existing extensions for inspiration.
HtmlExtension
An HTML extension is an object whose fields are typically enter
or exit
(reflecting whether a token is entered or exited).
The values at such objects are names of tokens mapping to handlers.
See existing extensions for inspiration.
Extending markdown
micromark lets you change markdown syntax, yes, but there are alternatives. The alternatives are often better.
Over the years, many micromark and remark users have asked about their unique goals for markdown. Some exemplary goals are:
- I want to add
rel="nofollow"
to external links - I want to add links from headings to themselves
- I want line breaks in paragraphs to become hard breaks
- I want to support embedded music sheets
- I want authors to add arbitrary attributes
- I want authors to mark certain blocks with meaning, such as tip, warning, etc
- I want to combine markdown with JS(X)
- I want to support our legacy flavor of markdown-like syntax
These can be solved in different ways and which solution is best is both subjective and dependent on unique needs. Often, there is already a solution in the form of an existing remark or rehype plugin. Respectively, their solutions are:
remark-external-links
rehype-autolink-headings
remark-breaks
- custom plugin similar to
rehype-katex
but integratingabcjs
- either
remark-directive
and a custom plugin or withrehype-attr
remark-directive
combined with a custom plugin- combining the existing micromark MDX extensions however you please, such as
done by
mdx-js/mdx
orxdm
- Writing a micromark extension
Looking at these from a higher level, they can be categorized:
-
Changing the output by transforming syntax trees (1 and 2)
This category is nice as the format remains plain markdown that authors are already familiar with and which will work with existing tools and platforms.
Implementations will deal with the syntax tree (
mdast
) and the ecosystems remark and rehype. There are many existing utilities for working with that tree. Many remark plugins and rehype plugins also exist. -
Using and abusing markdown to add new meaning (3, 4, potentially 5)
This category is similar to Changing the output by transforming syntax trees, but adds a new meaning to certain things which already have semantics in markdown.
Some examples in pseudocode:
1* **A list item with the first paragraph bold** 2 3 And then more content, is turned into `<dl>` / `<dt>` / `<dd>` elements 4 5Or, the title attributes on links or images is [overloaded](/url 'rel:nofollow') 6with a new meaning. 7 8```csv 9fenced,code,can,include,data 10which,is,turned,into,a,graph 11``` 12 13```js data can="be" passed=true 14// after the code language name 15``` 16 17HTML, especially comments, could be used as **markers**<!--id="markers"-->
-
Arbitrary extension mechanism (potentially 5; 6)
This category is nice when content should contain embedded “components”. Often this means it’s required for authors to have some programming experience. There are three good ways to solve arbitrary extensions.
HTML: Markdown already has an arbitrary extension syntax. It works in most places and authors are already familiar with the syntax, but it’s reasonably hard to implement securely. Certain platforms will remove HTML completely, others sanitize it to varying degrees. HTML also supports custom elements. These could be used and enhanced by client side JavaScript or enhanced when transforming the syntax tree.
Generic directives: although a proposal and not supported on most platforms, directives do work with many tools already. They’re not the easiest to author compared to, say, a heading, but sometimes that’s okay. They do have potential: they nicely solve the need for an infinite number of potential extensions to markdown in a single markdown-esque way.
MDX also adds support for components by swapping HTML out for JS(X). JSX is an extension to JavaScript, so MDX is something along the lines of literate programming. This does require knowledge of React (or Vue) and JavaScript, excluding some authors.
-
Extending markdown syntax (7 and 8)
Extend the syntax of markdown means:
- Authors won’t be familiar with the syntax
- Content won’t work in other places (such as on GitHub)
- Defeating the purpose of markdown: being simple to author and looking like what it means
…and it’s hard to do as it requires some in-depth knowledge of JavaScript and parsing. But it’s possible and in certain cases very powerful.
Creating a micromark extension
This section shows how to create an extension for micromark that parses “variables” (a way to render some data) and one to turn a default construct off.
Stuck? See
support.md
.
Prerequisites
- You should possess an intermediate to high understanding of JavaScript: it’s going to get a bit complex
- Read the readme of unified (until you hit the API section) to better understand where micromark fits
- Read the § Architecture section to understand how micromark works
- Read the § Extending markdown section to understand whether it’s a good idea to extend the syntax of markdown
Extension basics
micromark supports two types of extensions. Syntax extensions change how markdown is parsed. HTML extensions change how it compiles.
HTML extensions are not always needed, as micromark is often used through
mdast-util-from-markdown
to parse to a markdown
syntax tree.
So instead of an HTML extension a from-markdown
utility is needed.
Then, a mdast-util-to-markdown
utility, which is
responsible for serializing syntax trees to markdown, is also needed.
When developing something for internal use only, you can pick and choose which
parts you need.
When open sourcing your extensions, it should probably contain four parts:
syntax extension, HTML extension, from-markdown
utility, and a to-markdown
utility.
On to our first case!
Case: variables
Let’s first outline what we want to make: render some data, similar to how Liquid and the like work, in our markdown. It could look like this:
1Hello, {planet}!
Turned into:
1<p>Hello, Venus!</p>
An opening curly brace, followed by one or more characters, and then a closing
brace.
We’ll then look up planet
in some object and replace the variable with its
corresponding value, to get something like Venus
out.
It looks simple enough, but with markdown there are often a couple more things to think about. For this case, I can see the following:
- Is there a “block” version too?
- Are spaces allowed? Line endings? Should initial and final white space be ignored?
- Balanced nested braces?
Superfluous ones such as
{{planet}}
or meaningful ones such as{a {pla} net}
? - Character escapes (
{pla\}net}
) and character references ({pla}net}
)?
To keep things as simple as possible, let’s not support a block syntax, see spaces as special, support line endings, or support nested braces. But to learn interesting things, we will support character escapes and -references.
Note that this particular case is already solved quite nicely by
micromark-extension-mdx-expression
.
It’s a bit more powerful and does more things, but it can be used to solve this
case and otherwise serve as inspiration.
Setup
Create a new folder, enter it, and set up a new package:
1mkdir example 2cd example 3npm init -y
In this example we’ll use ESM, so add type: 'module'
to package.json
:
1@@ -2,6 +2,7 @@ 2 "name": "example", 3 "version": "1.0.0", 4 "description": "", 5+ "type": "module", 6 "main": "index.js", 7 "scripts": { 8 "test": "echo \"Error: no test specified\" && exit 1"
Add a markdown file, example.md
, with the following text:
1Hello, {planet}! 2 3{pla\}net} and {pla}net}.
To check if our extension works, add an example.js
module, with the following
code:
1import fs from 'node:fs/promises' 2import {micromark} from 'micromark' 3import {variables} from './index.js' 4 5const buf = await fs.readFile('example.md') 6const out = micromark(buf, {extensions: [variables]}) 7console.log(out)
While working on the extension, run node example
to see whether things work.
Feel free to add more examples of the variables syntax in example.md
if
needed.
Our extension doesn’t work yet, for one because micromark
is not installed:
1npm install micromark --save-dev
…and we need to write our extension.
Let’s do that in index.js
:
1export const variables = {}
Although our extension doesn’t do anything, running node example
now somewhat
works!
Syntax extension
Much in micromark is based on character codes (see § Preprocess). For this extension, the relevant codes are:
-5
— M-0005 CARRIAGE RETURN (CR)-4
— M-0004 LINE FEED (LF)-3
— M-0003 CARRIAGE RETURN LINE FEED (CRLF)null
— EOF (end of the stream)92
— U+005C BACKSLASH (\
)123
— U+007B LEFT CURLY BRACE ({
)125
— U+007D RIGHT CURLY BRACE (}
)
Also relevant are the content types (see § Content types). This extension is a text construct, as it’s parsed alongsides links and such. The content inside it (between the braces) is string, to support character escapes and -references.
Let’s write our extension.
Add the following code to index.js
:
1const variableConstruct = {name: 'variable', tokenize: variableTokenize} 2 3export const variables = {text: {123: variableConstruct}} 4 5function variableTokenize(effects, ok, nok) { 6 return start 7 8 function start(code) { 9 console.log('start:', effects, code); 10 return nok(code) 11 } 12}
The above code exports an extension with the identifier variables
.
The extension defines a text construct for the character code 123
.
The construct has a name
, so that it can be turned off (optional, see next
case), and it has a tokenize
function that sets up a state machine, which
receives effects
and the ok
and nok
states.
ok
can be used when successful, nok
when not, and so constructs are a bit
similar to how promises can resolve or reject.
tokenize
returns the initial state, start
, which itself receives the current
character code, prints some debugging information, and then returns a call
to nok
.
Ensure that things work by running node example
and see what it prints.
Now we need to define our states and figure out how variables work. Some people prefer sketching a diagram of the flow. I often prefer writing it down in pseudo-code prose. I’ve also found that test driven development works well, where I write unit tests for how it should work, then write the state machine, and finally use a code coverage tool to ensure I’ve thought of everything.
In prose, what we have to code looks like this:
- start:
Receive
123
ascode
, enter a token for the whole (let’s call itvariable
), enter a token for the marker (variableMarker
), consumecode
, exit the marker token, enter a token for the contents (variableString
), switch to begin - begin:
If
code
is125
, reconsume in nok. Else, reconsume in inside - inside:
If
code
is-5
,-4
,-3
, ornull
, reconsume innok
. Else, ifcode
is125
, exit the string token, enter avariableMarker
, consumecode
, exit the marker token, exit the variable token, and switch to ok. Else, consume, and remain in inside.
That should be it!
Replace variableTokenize
with the following to include the needed states:
1function variableTokenize(effects, ok, nok) { 2 return start 3 4 function start(code) { 5 effects.enter('variable') 6 effects.enter('variableMarker') 7 effects.consume(code) 8 effects.exit('variableMarker') 9 effects.enter('variableString') 10 return begin 11 } 12 13 function begin(code) { 14 return code === 125 ? nok(code) : inside(code) 15 } 16 17 function inside(code) { 18 if (code === -5 || code === -4 || code === -3 || code === null) { 19 return nok(code) 20 } 21 22 if (code === 125) { 23 effects.exit('variableString') 24 effects.enter('variableMarker') 25 effects.consume(code) 26 effects.exit('variableMarker') 27 effects.exit('variable') 28 return ok 29 } 30 31 effects.consume(code) 32 return inside 33 } 34}
Run node example
again and see what it prints!
The HTML compiler ignores things it doesn’t know, so variables are now removed.
We have our first syntax extension, and it sort of works, but we don’t handle
character escapes and -references yet.
We need to do two things to make that work:
a) skip over \\
and \}
in our algorithm,
b) tell micromark to parse them.
Change the code in index.js
to support escapes like so:
1@@ -23,6 +23,11 @@ function variableTokenize(effects, ok, nok) { 2 return nok(code) 3 } 4 5+ if (code === 92) { 6+ effects.consume(code) 7+ return insideEscape 8+ } 9+ 10 if (code === 125) { 11 effects.exit('variableString') 12 effects.enter('variableMarker') 13@@ -35,4 +40,13 @@ function variableTokenize(effects, ok, nok) { 14 effects.consume(code) 15 return inside 16 } 17+ 18+ function insideEscape(code) { 19+ if (code === 92 || code === 125) { 20+ effects.consume(code) 21+ return inside 22+ } 23+ 24+ return inside(code) 25+ } 26 }
Finally add support for character references and character escapes between braces by adding a special token that defines a content type:
1@@ -11,6 +11,7 @@ function variableTokenize(effects, ok, nok) { 2 effects.consume(code) 3 effects.exit('variableMarker') 4 effects.enter('variableString') 5+ effects.enter('chunkString', {contentType: 'string'}) 6 return begin 7 } 8 9@@ -29,6 +30,7 @@ function variableTokenize(effects, ok, nok) { 10 } 11 12 if (code === 125) { 13+ effects.exit('chunkString') 14 effects.exit('variableString') 15 effects.enter('variableMarker') 16 effects.consume(code)
Tokens with a contentType
will be replaced by postprocess (see
§ Postprocess) by the tokens belonging to that content type.
HTML extension
Up next is an HTML extension to replace variables with data.
Change example.js
to use one like so:
1@@ -1,11 +1,12 @@ 2 import fs from 'node:fs/promises' 3 import {micromark} from 'micromark' 4-import {variables} from './index.js' 5+import {variablesHtml, variables} from './index.js' 6 7 const buf = await fs.readFile('example.md') 8-const out = micromark(buf, {extensions: [variables]}) 9+const html = variablesHtml({planet: '1', 'pla}net': '2'}) 10+const out = micromark(buf, {extensions: [variables], htmlExtensions: [html]}) 11 console.log(out)
And add the HTML extension, variablesHtml
, to index.js
like so:
1@@ -52,3 +52,19 @@ function variableTokenize(effects, ok, nok) { 2 return inside(code) 3 } 4 } 5+ 6+export function variablesHtml(data = {}) { 7+ return { 8+ enter: {variableString: enterVariableString}, 9+ exit: {variableString: exitVariableString}, 10+ } 11+ 12+ function enterVariableString() { 13+ this.buffer() 14+ } 15+ 16+ function exitVariableString() { 17+ var id = this.resume() 18+ if (id in data) { 19+ this.raw(this.encode(data[id])) 20+ } 21+ } 22+}
variablesHtml
is a function that receives an object mapping “variables” to
strings and returns an HTML extension.
The extension hooks two functions to variableString
, one when it starts,
the other when it ends.
We don’t need to do anything to handle the other tokens as they’re already
ignored by default.
enterVariableString
calls buffer
, which is a function that “stashes” what
would otherwise be emitted.
exitVariableString
calls resume
, which is the inverse of buffer
and
returns the stashed value.
If the variable is defined, we ensure it’s made safe (with this.encode
) and
finally output that (with this.raw
).
Further exercises
It works! We’re done! Of course, it can be better, such as with the following potential features:
- Add support for empty variables
- Add support for spaces between markers and string
- Add support for line endings in variables
- Add support for nested braces
- Add support for blocks
- Add warnings on undefined variables
- Use
micromark-build
, and usedevlop
,debug
, andmicromark-util-symbol
(see § Size & debug) - Add
mdast-util-from-markdown
andmdast-util-to-markdown
utilities to parse and serialize the AST
Case: turn off constructs
Sometimes it’s needed to turn a default construct off. That’s possible through a syntax extension. Note that not everything can be turned off (such as paragraphs) and even if it’s possible to turn something off, it could break micromark (such as character escapes).
To disable constructs, refer to them by name in an array at the disable.null
field of an extension:
1import {micromark} from 'micromark' 2 3const extension = {disable: {null: ['codeIndented']}} 4 5console.log(micromark('\ta', {extensions: [extension]}))
Yields:
1<p>a</p>
Architecture
micromark is maintained as a monorepo.
Many of its internals, which are used in micromark
(core) but also useful for
developers of extensions or integrations, are available as separate modules.
Each module maintained here is available in packages/
.
Overview
The naming scheme in packages/
is as follows:
micromark-build
— Small CLI to build dev code into production codemicromark-core-commonmark
— CommonMark constructs used in micromarkmicromark-factory-*
— Reusable subroutines used to parse parts of constructsmicromark-util-*
— Reusable helpers often needed when parsing markdownmicromark
— Core module
micromark has two interfaces: buffering (maintained in
micromark/dev/index.js
)
and streaming (maintained in
micromark/dev/stream.js
).
The first takes all input at once whereas the last uses a Node.js stream to take
input separately.
They thinly wrap how data flows through micromark:
1 micromark
2+-----------------------------------------------------------------------------------------------+
3| +------------+ +-------+ +-------------+ +---------+ |
4| -markdown->+ preprocess +-chunks->+ parse +-events->+ postprocess +-events->+ compile +-html- |
5| +------------+ +-------+ +-------------+ +---------+ |
6+-----------------------------------------------------------------------------------------------+
Preprocess
The preprocessor
(micromark/dev/lib/preprocess.js
)
takes markdown and turns it into chunks.
A chunk is either a character code or a slice of a buffer in the form of a
string.
Chunks are used because strings are more efficient storage than character codes,
but limited in what they can represent.
For example, the input ab\ncd
is represented as ['ab', -4, 'cd']
in chunks.
A character code is often the same as what String#charCodeAt()
yields but
micromark adds meaning to certain other values.
In micromark, the actual character U+0009 CHARACTER TABULATION (HT) is replaced
by one M-0002 HORIZONTAL TAB (HT) and between 0 and 3 M-0001 VIRTUAL SPACE (VS)
characters, depending on the column at which the tab occurred.
For example, the input \ta
is represented as [-2, -1, -1, -1, 97]
and a\tb
as [97, -2, -1, -1, 98]
in character codes.
The characters U+000A LINE FEED (LF) and U+000D CARRIAGE RETURN (CR) are
replaced by virtual characters depending on whether they occur together: M-0003
CARRIAGE RETURN LINE FEED (CRLF), M-0004 LINE FEED (LF), and M-0005 CARRIAGE
RETURN (CR).
For example, the input a\r\nb\nc\rd
is represented as
[97, -5, 98, -4, 99, -3, 100]
in character codes.
The 0
(U+0000 NUL) character code is replaced by U+FFFD REPLACEMENT CHARACTER
(�
).
The null
code represents the end of the input stream (called eof for end of
file).
Parse
The parser
(micromark/dev/lib/parse.js
)
takes chunks and turns them into events.
An event is the start or end of a token amongst other events. Tokens can “contain” other tokens, even though they are stored in a flat list, by entering before and exiting after them.
A token is a span of one or more codes.
Tokens are most of what micromark produces: the built in HTML compiler or other
tools can turn them into different things.
Tokens are essentially names attached to a slice, such as lineEndingBlank
for
certain line endings, or codeFenced
for a whole fenced code.
Sometimes, more info is attached to tokens, such as _open
and _close
by
attention
(strong, emphasis) to signal whether the sequence can open or close
an attention run.
These fields have to do with how the parser works, which is complex and not
always pretty.
Certain fields (previous
, next
, and contentType
) are used in many cases:
linked tokens for subcontent.
Linked tokens are used because outer constructs are parsed first.
Take for example:
1- *a 2 b*.
- The list marker and the space after it is parsed first
- The rest of the line is a
chunkFlow
token - The two spaces on the second line are a
linePrefix
of the list - The rest of the line is another
chunkFlow
token
The two chunkFlow
tokens are linked together and the chunks they span are
passed through the flow tokenizer.
There the chunks are seen as chunkContent
and passed through the content
tokenizer.
There the chunks are seen as a paragraph and seen as chunkText
and passed
through the text tokenizer.
Finally, the attention (emphasis) and data (“raw” characters) is parsed there,
and we’re done!
Content types
The parser starts out with a document tokenizer. Document is the top-most content type, which includes containers such as block quotes and lists. Containers in markdown come from the margin and include more constructs on the lines that define them.
Flow represents the sections (block constructs such as ATX and setext
headings, HTML, indented and fenced code, thematic breaks), which like
document are also parsed per line.
An example is HTML, which has a certain starting condition (such as <script>
on its own line), then continues for a while, until an end condition is found
(such as </style>
).
If that line with an end condition is never found, that flow goes until the end.
Content is zero or more definitions, and then zero or one paragraph. It’s a weird one, and needed to make certain edge cases around definitions spec compliant. Definitions are unlike other things in markdown, in that they behave like text in that they can contain arbitrary line endings, but have to end at a line ending. If they end in something else, the whole definition instead is seen as a paragraph.
The content in markdown first needs to be parsed up to this level to figure out which things are defined, for the whole document, before continuing on with text, as whether a link or image reference forms or not depends on whether it’s defined. This unfortunately prevents a true streaming markdown parser.
Text contains phrasing content (rich inline text: autolinks, character escapes and -references, code, hard breaks, HTML, images, links, emphasis, strong).
String is a limited text-like content type which only allows character references and character escapes. It exists in things such as identifiers (media references, definitions), titles, or URLs and such.
Constructs
Constructs are the things that make up markdown. Some examples are lists, thematic breaks, or character references.
Note that, as a general rule of thumb, markdown is really weird. It’s essentially made up of edge cases rather than logical rules. When browsing the built in constructs, or venturing to build your own, you’ll find confusing new things and run into complex custom hooks.
One more reasonable construct is the thematic break
(see code).
It’s an object that defines a name
and a tokenize
function.
Most of what constructs do is defined in their required tokenize
function,
which sets up a state machine to handle character codes streaming in.
Postprocess
The postprocessor
(micromark/dev/lib/postprocess.js
)
is a small step that takes events, ensures all their
nested content is parsed, and returns the modified events.
Compile
The compiler
(micromark/dev/lib/compile.js
)
takes events and turns them into HTML.
While micromark was created mostly to advance markdown parsing irrespective of
compiling to HTML, the common case of doing so is built in.
A built in HTML compiler is useful because it allows us to check for compliancy
to CommonMark, the de facto norm of markdown, specified in roughly 650
input/output cases.
The parsing parts can still be used separately to build ASTs, CSTs, or many
other output formats.
The compiler has an interface that accepts lists of events instead of the whole at once, but because markdown can’t truly stream, events are buffered before compiling and outputting the final result.
Examples
GitHub flavored markdown (GFM)
To support GFM (autolink literals, strikethrough, tables, and tasklists) use
micromark-extension-gfm
.
Say we have a file like this:
1# GFM 2 3## Autolink literals 4 5www.example.com, https://example.com, and contact@example.com. 6 7## Footnote 8 9A note[^1] 10 11[^1]: Big note. 12 13## Strikethrough 14 15~one~ or ~~two~~ tildes. 16 17## Table 18 19| a | b | c | d | 20| - | :- | -: | :-: | 21 22## Tag filter 23 24<plaintext> 25 26## Tasklist 27 28* [ ] to do 29* [x] done
Then do something like this:
1import fs from 'node:fs/promises' 2import {micromark} from 'micromark' 3import {gfmHtml, gfm} from 'micromark-extension-gfm' 4 5const doc = await fs.readFile('example.md') 6 7console.log(micromark(doc, {extensions: [gfm()], htmlExtensions: [gfmHtml()]}))
Show equivalent HTML
1<h1>GFM</h1> 2<h2>Autolink literals</h2> 3<p><a href="http://www.example.com">www.example.com</a>, <a href="https://example.com">https://example.com</a>, and <a href="mailto:contact@example.com">contact@example.com</a>.</p> 4<h2>Footnote</h2> 5<p>A note<sup><a href="#user-content-fn-1" id="user-content-fnref-1" data-footnote-ref="" aria-describedby="footnote-label">1</a></sup></p> 6<h2>Strikethrough</h2> 7<p><del>one</del> or <del>two</del> tildes.</p> 8<h2>Table</h2> 9<table> 10<thead> 11<tr> 12<th>a</th> 13<th align="left">b</th> 14<th align="right">c</th> 15<th align="center">d</th> 16</tr> 17</thead> 18</table> 19<h2>Tag filter</h2> 20<plaintext> 21<h2>Tasklist</h2> 22<ul> 23<li><input disabled="" type="checkbox"> to do</li> 24<li><input checked="" disabled="" type="checkbox"> done</li> 25</ul> 26<section data-footnotes="" class="footnotes"><h2 id="footnote-label" class="sr-only">Footnotes</h2> 27<ol> 28<li id="user-content-fn-1"> 29<p>Big note. <a href="#user-content-fnref-1" data-footnote-backref="" class="data-footnote-backref" aria-label="Back to content">↩</a></p> 30</li> 31</ol> 32</section>
Math
To support math use micromark-extension-math
.
Say we have a file like this:
1Lift($L$) can be determined by Lift Coefficient ($C_L$) like the following equation. 2 3$$ 4L = \frac{1}{2} \rho v^2 S C_L 5$$
Then do something like this:
1import fs from 'node:fs/promises' 2import {micromark} from 'micromark' 3import {mathHtml, math} from 'micromark-extension-math' 4 5const doc = await fs.readFile('example.md') 6 7console.log(micromark(doc, {extensions: [math], htmlExtensions: [mathHtml()]}))
Show equivalent HTML
1<p>Lift(<span class="math math-inline"><span class="katex">…</span></span>) can be determined by Lift Coefficient (<span class="math math-inline"><span class="katex">…</span></span>) like the following equation.</p> 2<div class="math math-display"><span class="katex-display"><span class="katex">…</span></span></div>
Syntax tree
A higher level project, mdast-util-from-markdown
,
can give you an AST.
1import fromMarkdown from 'mdast-util-from-markdown' // This wraps micromark. 2 3const result = fromMarkdown('## Hello, *world*!') 4 5console.log(result.children[0])
Yields:
1{ 2 type: 'heading', 3 depth: 2, 4 children: [ 5 {type: 'text', value: 'Hello, ', position: [Object]}, 6 {type: 'emphasis', children: [Array], position: [Object]}, 7 {type: 'text', value: '!', position: [Object]} 8 ], 9 position: { 10 start: {line: 1, column: 1, offset: 0}, 11 end: {line: 1, column: 19, offset: 18} 12 } 13}
Another level up is remark, which provides a nice interface and hundreds of plugins.
Markdown
CommonMark
The first definition of “Markdown” gave several examples of how it worked,
showing input Markdown and output HTML, and came with a reference implementation
(Markdown.pl
).
When new implementations followed, they mostly followed the first definition,
but deviated from the first implementation, and added extensions, thus making
the format a family of formats.
Some years later, an attempt was made to standardize the differences between implementations, by specifying how several edge cases should be handled, through more input and output examples. This is known as CommonMark, and many implementations now work towards some degree of CommonMark compliancy. Still, CommonMark describes what the output in HTML should be given some input, which leaves many edge cases up for debate, and does not answer what should happen for other output formats.
micromark passes all tests from CommonMark and has many more tests to match the CommonMark reference parsers. Finally, it comes with CMSM, which describes how to parse markup, instead of documenting input and output examples.
Grammar
The syntax of markdown can be described in Backus–Naur form (BNF) as:
1markdown = .*
No, that’s not a typo: markdown has no syntax errors; anything thrown at it renders something.
Project
Comparison
There are many other markdown parsers out there and maybe they’re better suited
to your use case!
Here is a short comparison of a couple in JavaScript.
Note that this list is made by the folks who make micromark
and remark
, so
there is some bias.
Note: these are, in fact, not really comparable: micromark (and remark) focus on completely different things than other markdown parsers do. Sure, you can generate HTML from markdown with them, but micromark (and remark) are created for (abstract or concrete) syntax trees—to inspect, transform, and generate content, so that you can make things like MDX, Prettier, or Astro.
micromark
micromark can be used in two different ways.
It can either be used, optionally with existing extensions, to get HTML easily.
Or, it can give tremendous power, such as access to all tokens with positional
info, at the cost of being hard to get into.
It’s super small, pretty fast, and has 100% CommonMark compliance.
It has syntax extensions, such as supporting 100% GFM compliance (with
micromark-extension-gfm
), but they’re rather complex to write.
It’s the newest parser on the block, which means it’s fresh and well suited for
contemporary markdown needs, but it’s also battle-tested, and already the 3rd
most popular markdown parser in JavaScript.
If you’re looking for fine grained control, use micromark. If you just want HTML from markdown, use micromark.
remark
remark is the most popular markdown parser.
It’s built on top of micromark
and boasts syntax trees.
For an analogy, it’s like if Babel, ESLint, and more, were one project.
It supports the syntax extensions that micromark has (so it’s 100% CM compliant
and can be 100% GFM compliant), but most of the work is done in plugins that
transform or inspect the tree, and there’s tons of them.
Transforming the tree is relatively easy: it’s a JSON object that can be
manipulated directly.
remark is stable, widely used, and extremely powerful for handling complex data.
You probably should use remark.
marked
marked is the oldest markdown parser on the block. It’s been around for ages, is battle tested, small, popular, and has a bunch of extensions, but doesn’t match CommonMark or GFM, and is unsafe by default.
If you have markdown you trust and want to turn it into HTML without a fuss, and don’t care about perfect compatibility with CommonMark or GFM, but do appreciate a small bundle size and stability, use marked.
markdown-it
markdown-it is a good, stable, and essentially CommonMark compliant markdown parser, with (optional) support for some GFM features as well. It’s used a lot as a direct dependency in packages, but is rather big. It shines at syntax extensions, where you want to support not just markdown, but your (company’s) version of markdown.
If you need a couple of custom syntax extensions to your otherwise CommonMark-compliant markdown, and want to get HTML out, use markdown-it.
Others
There are lots of other markdown parsers!
Some say they’re small, or fast, or that they’re CommonMark compliant—but
that’s not always true.
This list is not supposed to be exhaustive (but it’s the most relevant ones).
This list of markdown parsers is a snapshot in time of why (not) to use
(alternatives to) micromark
: they’re all good choices, depending on what your
goals are.
Test
micromark is tested with the ~650 CommonMark tests and more than 1.2k extra tests confirmed with CM reference parsers. These tests reach all branches in the code, which means that this project has 100% code coverage. Finally, we use fuzz testing to ensure micromark is stable, reliable, and secure.
To build, format, and test the codebase, use $ npm test
after clone and
install.
The $ npm run test-api
and $ npm run test-coverage
scripts check either the
unit tests, or both them and their coverage, respectively.
The $ npm run test-fuzz
script does fuzz testing for 30 minutes.
Size & debug
micromark is really small. A ton of time went into making sure it minifies well, by the way code is written but also through custom build scripts to pre-evaluate certain expressions. Furthermore, care went into making it compress well with gzip and brotli.
Normally, you’ll use the pre-evaluated version of micromark. While developing, debugging, or testing your code, you should switch to use code instrumented with assertions and debug messages:
1node --conditions development module.js
To see debug messages, use a DEBUG
env variable set to micromark
:
1DEBUG="*" node --conditions development module.js
Version
micromark adheres to semver since 3.0.0.
Security
The typical security aspect discussed for markdown is cross-site scripting
(XSS) attacks.
Markdown itself is safe if it does not include embedded HTML or dangerous
protocols in links/images (such as javascript:
or data:
).
micromark makes any markdown safe by default, even if HTML is embedded or
dangerous protocols are used, as it encodes or drops them.
Turning on the allowDangerousHtml
or allowDangerousProtocol
options for
user-provided markdown opens you up to XSS attacks.
Another security aspect is DDoS attacks. For example, an attacker could throw a 100mb file at micromark, in which case the JavaScript engine will run out of memory and crash. It is also possible to crash micromark with smaller payloads, notably when thousands of links, images, emphasis, or strong are opened but not closed. It is wise to cap the accepted size of input (500kb can hold a big book) and to process content in a different thread or worker so that it can be stopped when needed.
Using extensions might also be unsafe, refer to their documentation for more information.
For more information on markdown sanitation, see
improper-markup-sanitization.md
by @chalker.
See security.md
in micromark/.github
for how to
submit a security report.
Contribute
See contributing.md
in micromark/.github
for ways
to get started.
See support.md
for ways to get help.
This project has a code of conduct. By interacting with this repository, organisation, or community you agree to abide by its terms.
Sponsor
Support this effort and give back by sponsoring on OpenCollective!
Salesforce 🏅 | |||||||||
Vercel |
Motif |
HashiCorp |
GitBook |
Gatsby | |||||
Netlify |
Coinbase |
ThemeIsle |
Expo |
Boost Note |
Markdown Space |
Holloway | |||
You? |
Origin story
Over the summer of 2018, micromark was planned, and the idea shared in August with a couple of friends and potential sponsors. The problem I (@wooorm) had was that issues were piling up in remark and other repos, but my day job (teaching) was fun, fulfilling, and deserved time too. It was getting hard to combine the two. The thought was to feed two birds with one scone: fix the issues in remark with a new markdown parser (codename marydown) while being financially supported by sponsors building fancy stuff on top, such as Gatsby, Contentful, and Vercel (ZEIT at the time). @johno was making MDX on top of remark at the time (important historical note: several other folks were working on JSX + markdown too). We bundled our strengths: MDX was getting some traction and we thought together we could perhaps make something sustainable.
In November 2018, we launched with the idea for micromark to solve all existing bugs, sustaining the existing hundreds of projects, and furthering the exciting high-level project MDX. We pushed a single name: unified (which back then was a small but essential part of the chain). Gatsby and Vercel were immediate sponsors. We didn’t know whether it would work, and it worked. But now you have a new problem: you are getting some financial support (much more than other open source projects) but it’s not enough money for rent, and too much money to print stickers with. You still have your job and issues are still piling up.
At the start of summer 2019, after a couple months of saving up donations, I quit my job and worked on unified through fall. That got the number of open issues down significantly and set up a strong governance and maintenance system for the collective. But when the time came to work on micromark, the money was gone again, so I contracted through winter 2019, and in spring 2020 I could do about half open source, half contracting. One of the contracting gigs was to write a new MDX parser, for which I also documented how to do that with a state machine in prose. That gave me the insight into how the same could be done for markdown: I drafted CMSM, which was some of the core ideas for micromark, but in prose.
In May 2020, Salesforce reached out: they saw the bugs in remark, how micromark could help, and the initial work on CMSM. And they had thousands of Markdown files. In a for open source uncharacteristic move, they decided to fund my work on micromark. A large part of what maintaining open source means, is putting out fires, triaging issues, and making sure users and sponsors are happy, so it was amazing to get several months to just focus and make something new. I remember feeling that this project would probably be the hardest thing I’d work on: yeah, parsers are pretty difficult, but markdown is on another level. Markdown is such a giant stack of edge cases on edge cases on even more weirdness, what a mess. On August 20, 2020, I released 2.0.0, the first working version of micromark. And it’s hard to describe how that moment felt. It was great.
In 2022, Vercel paid me to make a Rust version: markdown-rs
.
Super cool that I got to continue this work and bring it to a new language.
License
No vulnerabilities found.
Reason
20 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: license:0
- Info: FSF or OSI recognized license: MIT License: license:0
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/micromark/.github/security.md:1
- Info: Found linked content: github.com/micromark/.github/security.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/micromark/.github/security.md:1
- Info: Found text in security policy: github.com/micromark/.github/security.md:1
Reason
Found 6/30 approved changesets -- score normalized to 2
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/bb.yml:1
- Warn: no topLevel permission defined: .github/workflows/main.yml:1
- Info: no jobLevel write permissions found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/bb.yml:5: update your workflow using https://app.stepsecurity.io/secureworkflow/micromark/micromark/bb.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:6: update your workflow using https://app.stepsecurity.io/secureworkflow/micromark/micromark/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:7: update your workflow using https://app.stepsecurity.io/secureworkflow/micromark/micromark/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/micromark/micromark/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/micromark/micromark/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/micromark/micromark/main.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/micromark/micromark/main.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/main.yml:11
- Warn: npmCommand not pinned by hash: .github/workflows/main.yml:17
- Warn: npmCommand not pinned by hash: .github/workflows/main.yml:43
- Info: 0 out of 5 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 2 third-party GitHubAction dependencies pinned
- Info: 0 out of 3 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'main'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 6 are checked with a SAST tool
Score
5.2
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn MoreOther packages similar to micromark-util-sanitize-uri
micromark-util-symbol
micromark utility with symbols
micromark-util-combine-extensions
micromark utility to combine syntax or html extensions
micromark-util-encode
micromark utility to encode dangerous html characters
micromark-util-normalize-identifier
micromark utility normalize identifiers (as found in references, definitions)