
Update dependency hexo to v6 [SECURITY] #104

Open
wants to merge 1 commit into
base: master
from

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Sep 25, 2022

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| hexo (source) | 4.2.0 -> 6.0.0 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2021-25987

Hexo versions 0.0.1 to 5.4.0 are vulnerable to stored XSS. The post “body” and “tags” don’t sanitize malicious JavaScript during web page generation. A local unprivileged attacker can inject arbitrary code.


Release Notes

hexojs/hexo (hexo)

v6.0.0

Compare Source

Breaking Changes

Security

Please see more detail: Announcement: About CVE-2021-25987

New features

Performance

Fixes

Refactor

Docs

Dependencies

New Contributors

Full Changelog: hexojs/hexo@5.4.0...6.0.0

v5.4.2

Compare Source

Fixes

Full Changelog: hexojs/hexo@5.4.1...5.4.2

v5.4.1

Compare Source

Fixes

Full Changelog: hexojs/hexo@5.4.0...5.4.1

v5.4.0

Compare Source

New features

Breaking change

Fixes

Misc

Dependencies

v5.3.0

Compare Source

New features

Fixes

Refactor

Docs

v5.2.0

Compare Source

Changes

  • perf(external_link): faster regexp @SukkaW [#4536]
    • prioritise http(s):// over //
  • feat: support 'disableNunjucks' in front-matter @curbengh [#4518]
    • Enable this option to disable tag plugins
    • Setting this option in front-matter will override the same option set by the renderer (e.g. hexo-renderer-marked)

``` yml
---
title: foo
date: 2020-01-02 03:04:05
disableNunjucks: true|false
---
```

  • fix: avoid escaping front-matter if unnecessary @curbengh [#4522]
    • using a variable (e.g. {{ title }}) with special characters no longer results in a double-quote wrap
  • fix: validate value of config.url @curbengh [#4520]
    • config.url should start with "http://" or "https://"
  • fix(router): convert string to buffer in route stream @ppoffice [#4517]
    • fix crash in hexo generate --bail
  • fix(disableNunjucks): query both async and sync versions of renderer @curbengh [#4498]
    • disableNunjucks option should now work reliably with synchronous renderers
  • feat(load_plugin): ignore pkg name ending with theme name @SukkaW [#4497]
    • An initial effort to support scoped packages

Housekeeping

v5.1.1

Compare Source

Changes

  • fix(filter/highlight): avoid escaping curly bracket when highlight & prismjs disabled @curbengh [#4489]
    • When both highlight.js and prismjs are disabled:

``` yml
### _config.yml
highlight:
  enable: false
prismjs:
  enable: false
```

    • there was an issue that curly brackets `{ }` were mistakenly escaped to `&#123; &#125;` in the [backtick_code_block.js](https://redirect.github.com/hexojs/hexo/blob/5795c1225f602ff0d5848fecf560fd33409cd96f/lib/plugins/filter/before_post_render/backtick_code_block.js) filter. The fix is to avoid running that filter when code highlight is disabled.
    • Some users disable Hexo's default code highlight as they prefer their own method.

v5.1.0

Compare Source

Features

  • feat(highlight): parse 'caption' option to prismHighlight @curbengh [#4476]
    • caption is now available in prismjs:

``` yml
### _config.yml
highlight:
  enable: false
prismjs:
  enable: true
```

    • It can be used in a triple backtick codeblock:

```` md
``` js caption
console.log('foo')
```
````

    • above codeblock will be rendered as (class attributes are omitted for brevity):

``` html
<pre><div class="caption"><span>caption</span></div><code>console...</code></pre>
```

    • you can style the caption by:

``` css
pre div.caption {
  font-size: 0.9em;
  color: #888;
}

pre div.caption a {
  float: right;
}
```

    • also available via [`codeblock`](https://hexo.io/docs/tag-plugins#Code-Block) and [`include_code`](https://hexo.io/docs/tag-plugins#Include-Code) tag plugins.
  • fix: refactor post escape @SukkaW [#4472]
    • fixed issue with prismjs that, in some cases, did not remove hexo's processing tag properly
  • Remove plugins option in config @stevenjoezhang [#4475]

``` yml
### _config.yml
plugins:
```

    • plugins option has been deprecated long ago and it's now completely dropped
    • plugins should be saved in scripts/ folder or installed via npm package.json.

Performance

v5.0.2

Compare Source

Changes

v5.0.1

Compare Source

Changes

v5.0.0

Compare Source

Breaking change

``` yml
### _config.yml
external_link: true|false # deprecated

### New option
external_link:
  enable: true|false
```

``` yml
### _config.yml
### https://hexo.io/docs/configuration#Date-Time-format
use_date_for_updated: true # deprecated

### New option
updated_option: date
```

  • If you check external_link for a truthy value, since it's now automatically converted to an object, it will always be truthy:

``` ejs
<% if (config.external_link) { %>
```

  • If you wish to maintain backward compatibility with older Hexo versions:

``` ejs
<% if ((typeof config.external_link === 'boolean' && config.external_link === true) || (typeof config.external_link === 'object' && config.external_link.enable === true)) { %>
```
  • refactor(box): remove Bluebird.asCallback @SukkaW [#4379]
    • Callback syntax for Box was never documented nor used in Hexo's internals.
    • This is also a reminder that we might drop callbacks from all Hexo APIs in future. [#3328]
  • feat: bring up config.updated_option @SukkaW [#4278]
    • This can be useful for a theme that prefers to display Updated: only when it's set in the article's front-matter.
  • feat(open_graph): drop 'keywords' option from front-matter @curbengh [#4174]
    • Search engines no longer support keywords.
  • fix(#3464): override permalink using the front-matter @SukkaW [#4359]
    • User config:

``` yml
### _config.yml
permalink: :year/:month/:day/:title/
```

    • Front-matter:

``` yml
---
title: foo bar
permalink: breaking-news/
---
```

    • That post will be available on http://yourhexo.com/breaking-news/
    • A reminder that permalink must have a trailing .html or /

``` yml
permalink: :year/:month/:day/:title/ # default

### or
permalink: :year/:month/:day/:title.html
```

  • Remove lodash from global variable @SukkaW [#4266]
    • Lodash _ is no longer available on the Hexo API.

``` ejs
// Dropped
<% const arrayB = _.uniq(arrayA) %>
```

    • We encourage the use of native JS APIs over Lodash; we find this guide to be helpful.
    • If you prefer to use Lodash, you can always install it and make it available via the Helper API.
  • chore/ci: drop Node.js 8 and add Node.js 14 @SukkaW [#4255]
    • Node 8 reached EOL on 31 Dec 2019.
    • Hexo now requires Node 10+; although Node 10.x is still supported, it's going to be officially deprecated in less than a year (April 2021), so we recommend Node 12+.
  • refactor: remove site config from theme config @SukkaW [#4145]
    • Previously hexo.theme.config was merged into hexo.config; they are now separated to avoid possible conflicts in configuration.

New feature

  • feat(tag): show source of the error & beautify @​SukkaW [#​4420]
  • feat(post_link): better error message when a post could not be located [#​4426]
    • The error message is now clearer when there is an incorrect filename.
  • skip assets of unpublished posts and delete them if they exist @DaemondShu [#3489]
    • When there is an unpublished post:

``` yml
---
title: Still a draft....
published: false
---
```

    • That post including its assets will not be generated into the public/ folder.
  • feat(extend/injector): bring up new extend Injector @​SukkaW [#​4049]
  • feat: add prism highlight support @​SukkaW [#​4119]
  • feat(tagcloud): new option class & level @​stevenjoezhang [#​4370]
    • Ability to add class name for CSS styling.
  • feat(config): validate config before processing posts @​SukkaW [#​4381]
  • feat(post_permalink): add :second attribute option for post permalink @kkocdko [#4185]
    • Example:

``` yml
permalink: :year/:month/:day/:hour/:minute/:second/:title.html
```
  • feat(youtube_tag): add cookie option @​curbengh [#​4155]
    • When disabled, cookie is not set/sent in the youtube video embed.
  • feat(youtube_tag): support playlist @​SukkaW [#​4139]
    • Ability to embed a playlist.
  • feat(load_theme_config): support alternate theme config @SukkaW [#4120]
    • A theme can be configured in a file _config.[name].yml, e.g. _config.landscape.yml for hexo-theme-landscape.
    • Place the file in the root folder, same as the current _config.yml.
    • Refer to the documentation for configuration priority.
  • feat(feed_tag): support parsing config.feed @​curbengh [#​4029]
  • feat(tag): add unregister() method @SukkaW [#4046]
    • This means you can now unregister existing tag plugins and replace them with your own of the same name.
  • feat(filter): add _after_html_render filter @​jiangtj [#​4051]
    • perf(filter): set after_render:html as alias of _after_html_render @​curbengh [#​4073]
    • Existing after_render:html filter plugins automatically benefit from this improvement.
  • feat(load_config): support theme_dir in node_modules @​SukkaW [#​4112]
  • fix(list_tags): custom class for each element @​noraj [#​4059]
    • Customize the class name for each element <ul>, <li>, <a>, <span> for list_tags plugin.

Performance

Fix

Refactor

Dependencies

  • chore(deps): update hexo-front-matter from 1.0.0 to 2.0.0 @​SukkaW [#​4439]
  • chore(deps): update hexo-util from 1.9.0 to 2.2.0 [#​4276] [#​4438]
  • chore(deps): bump hexo-log from 1.0.0 to 2.0.0 [#​4392]
  • chore(deps-dev): bump hexo-renderer-marked from 2.0.0 to 3.0.0 [#​4390]
  • chore(deps-dev): bump mocha from 6.2.2 to 8.0.1 [#​4060] [#​4354]
  • Update tester node version @​segayuu [#​4324]
  • chore(deps-dev): bump eslint from 6.8.0 to 7.0.0 [#​4301]
  • chore(deps): bump warehouse from 3.0.1 to 4.0.0 [#​4077] [#​4322]
  • chore(deps-dev): bump lint-staged from 9.5.0 to 10.2.0 [#​4283]
  • chore(deps): bump hexo-fs from 2.0.0 to 3.0.1 [#​4277]
  • chore(deps-dev): bump sinon from 7.5.0 to 9.0.2 [#​4005] [#​4232]
  • chore(deps-dev): bump husky from 3.1.0 to 4.2.5 [#​4235]
  • chore(deps): bump chalk from 3.0.0 to 4.0.0 [#​4215]
  • chore(deps-dev): bump nyc from 14.1.1 to 15.0.0 [#​4003]

Misc

Test

v4.2.1

Compare Source

Fix

  • Fix compatibility with Node 14 [#​4285]

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
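Added example, not part of the Renovate PR and not Hexo's own code: a small Node.js check that decides whether a pinned hexo version sits inside the range the alert above names for CVE-2021-25987 (0.0.1 to 5.4.0), run against a constructed package-lock fragment. The lockfile shape and the assumption of plain numeric semver strings (no prerelease tags) are mine.

```javascript
// Added example, not Renovate's or Hexo's own code. Assumes plain numeric
// semver strings (no prerelease/build tags) and a package-lock.json v2/v3
// style "packages" map keyed by node_modules path.
const ADVISORY = {
  id: "CVE-2021-25987",
  pkg: "hexo",
  firstAffected: "0.0.1", // range quoted in the vulnerability alert above
  lastAffected: "5.4.0",
};

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator returning -1, 0 or 1. Components are compared numerically so
// "5.10.0" sorts after "5.4.0" (a string compare would get this wrong).
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version, adv = ADVISORY) {
  return (
    compareSemver(version, adv.firstAffected) >= 0 &&
    compareSemver(version, adv.lastAffected) <= 0
  );
}

// Constructed lockfile fragment standing in for a real package-lock.json;
// the hexo version matches the "before" side of this PR.
const sampleLock = {
  packages: {
    "node_modules/hexo": { version: "4.2.0" },
    "node_modules/hexo-util": { version: "2.2.0" },
  },
};

// Report whether the locked copy of the advisory's package is in range.
function auditLock(lock, adv = ADVISORY) {
  const entry = lock.packages[`node_modules/${adv.pkg}`];
  if (!entry) return { id: adv.id, installed: null, affected: false };
  return { id: adv.id, installed: entry.version, affected: isAffected(entry.version, adv) };
}

console.log(auditLock(sampleLock));
```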

@renovate renovate bot changed the title Update dependency hexo to v6 [SECURITY] Update dependency hexo to v6 [SECURITY] - autoclosed Feb 24, 2024
@renovate renovate bot closed this Feb 24, 2024
@renovate renovate bot deleted the renovate/npm-hexo-vulnerability branch February 24, 2024 01:22
@renovate renovate bot changed the title Update dependency hexo to v6 [SECURITY] - autoclosed Update dependency hexo to v6 [SECURITY] Feb 24, 2024
@renovate renovate bot reopened this Feb 24, 2024
@renovate renovate bot restored the renovate/npm-hexo-vulnerability branch February 24, 2024 03:20
@renovate renovate bot force-pushed the renovate/npm-hexo-vulnerability branch from 0f4e1f2 to fb6f474 Compare February 24, 2024 03:20