Update dependency hexo to v6 [SECURITY] #104
Open
This PR contains the following updates:
hexo: 4.2.0 -> 6.0.0
GitHub Vulnerability Alerts
CVE-2021-25987
Hexo versions 0.0.1 to 5.4.0 are vulnerable to stored XSS. The post “body” and “tags” don’t sanitize malicious JavaScript during web page generation. A local unprivileged attacker can inject arbitrary code.
Release Notes
hexojs/hexo (hexo)
v6.0.0
Breaking Changes
Security
Please see more detail: Announcement: About CVE-2021-25987
New features
og:image and twitter:image @KentarouTakeda [#4748]
Performance
Fixes
Refactor
Array.flat() @curbengh [#4806]
Docs
Dependencies
New Contributors
Full Changelog: hexojs/hexo@5.4.0...6.0.0
v5.4.2
Fixes
js-yaml from v4.x to v3.14.x by @yoshinorin in https://github.com/hexojs/hexo/pull/4932
Full Changelog: hexojs/hexo@5.4.1...5.4.2
v5.4.1
Fixes
Full Changelog: hexojs/hexo@5.4.0...5.4.1
v5.4.0
New features
Breaking change
Fixes
language in front-matter @stevenjoezhang [#4614]
Misc
Dependencies
v5.3.0
New features
escape_html helper method for string manipulation to templates @awwong1 [#4581]
Fixes
Refactor
process.mainModule with require.main @stevenjoezhang [#4583]
Docs
v5.2.0
Changes
http(s):// over //
{{ title }}) with special characters no longer result in double-quote wrap
config.url should start with "http://" or "https://"
hexo generate --bail
disableNunjucks option should now work reliably with synchronous renderer
Housekeeping
v5.1.1
Changes
_config.yml
highlight:
  enable: false
prismjs:
  enable: false
v5.1.0
Features
caption is now available in prismjs:
_config.yml
highlight:
  enable: false
prismjs:
  enable: true
plugins option has been deprecated long ago and it's now completely dropped
scripts/ folder or installed via npm package.json.
Performance
v5.0.2
Changes
hexo clean.
v5.0.1
Changes
Injector
external_link filter now pre-match external links, instead of solely rely on isExternalLink
v5.0.0
Breaking change
_config.yml
external_link: true|false # deprecated
New option
external_link:
  enable: true|false
external_link for truthy value, since it's now automatically converted to object, it will be always truthy:
Box is never documented nor utilized in Hexo's internal.
Updated: only when it's set in the article's front-matter.
keywords.
_config.yml
permalink: :year/:month/:day/:title/
http://yourhexo.com/breaking-news/
.html or /
_ is no longer available on Hexo API.
Helper API
hexo.theme.config is merged into hexo.config, they are now separated to avoid possible conflict in configuration.
New feature
public/ folder.
:second attribute option for post permalink @kkocdko [#4185]
_config.[name].yml, e.g. _config.landscape.yml for hexo-theme-landscape.
_config.yml.
_after_html_render filter @jiangtj [#4051]
after_render:html as alias of _after_html_render @curbengh [#4073]
after_render:html filter plugins automatically benefit from this improvement.
<ul>, <li>, <a>, <span> for list_tags plugin.
Performance
hexo clean, not hexo c alias.
Fix
Writing database to ${dbPath}/db.json message shouldn't show up in hexo clean and hexo version.
highlight.wrap option in user config is now properly passed to the codeblock tag plugin
<meta> with different order @SukkaW [#4017]
<!--more-->
<!-- more-->
<!--more -->
<!-- more -->
Refactor
Dependencies
Misc
Test
v4.2.1
Fix
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.