With the new upload's changelog you claim: "vulnerability patched in 3rdparty/cmark-gfm CVE-2022-24724, CVE-2022-39209"
1) I do not see the +dfsg version indication represented - no repack is done. If you do not repack please remove the +dfsg and tell if you have verified the uglified JS to be represented in the included MathJax src. 2) I would have expected this to contain a patch that fixes CVE-2022-39209. There is no patch. If you cannot afford to fix this, remove the identifier from the changelog. But I will only sponsor this package when this is fixed.
