fix(deps): update dependency hexo to v7 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
hexo (source)	^5.4.0 → ^7.0.0

GitHub Vulnerability Alerts

CVE-2021-25987

Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post “body” and “tags” don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.

CVE-2023-39584

Hexo up to v7.1.1 was discovered to contain an arbitrary file read vulnerability.

---

Release Notes

hexojs/hexo (hexo)

v7.2.0

Compare Source

New Features

• feat(highlight): add an option to switch stripIndent by @​uiolee in #​5427

Improved type definitions

• refactor: refactor types by @​D-Sketon in #​5398
• chore: make callback on exit optional by @​dimaslanjaka in #​5421
• refactor: migrate typescript by @​D-Sketon in #​5417
• refactor: migrate typescript by @​D-Sketon in #​5430

Fixes

• Fix typos by @​mobeicanyue in #​5426
• fix: post_link behaviour when using subdir by @​leafbird in #​5419
• fix(tag): use url_for by @​stevenjoezhang in #​5385
• fix(tag/include_code): prevent path traversal by @​stevenjoezhang in #​5251
• revert(categories,tags): revert behavior of locals.tags and locals.categories by @​uiolee in #​5388

Refactor

• refactor: backslashes on Windows by @​stevenjoezhang in #​5457

Test

• test: add test case for issue #​4334 by @​D-Sketon in #​5465

CI/CD

• ci: suppress comment err and reduce benchmark running by @​uiolee in #​5454

Docs

• docs(README): Update Sponsors images by @​uiolee in #​5410

Dependencies

• chore(deps): bump hexo-fs from ^4.1.1 to ^4.1.3 by @​D-Sketon in #​5463
• chore(deps-dev): Limited @types/node version by @​uiolee in #​5411

New Contributors

• @​mobeicanyue made their first contribution in #​5426
• @​leafbird made their first contribution in #​5419

Full Changelog: hexojs/hexo@v7.1.1...v7.2.0

v7.1.1

Compare Source

Fixes

• fix(escapeTags): escape tag which includes line break by @​uiolee in #​5402

Misc

• chore: use prepublishOnly instead of prepublish and run npm install in prepublishOnly script by @​yoshinorin in #​5399

Full Changelog: hexojs/hexo@v7.1.0...v7.1.1

v7.1.0

Compare Source

Notable Changes

• chore(Hexo): add event emitter descriptor by @​dimaslanjaka in #​5302
• refactor: refactor types by @​D-Sketon in #​5344

New Features

• Added URL hash support for post_link tag by @​iliayatsenko in #​5356

Fixes

• fix(types): cast from number to string explicitly by @​yoshinorin in #​5342
• fix: permalink should be overwritten when post_asset_folder is true by @​D-Sketon in #​5254
• fix(escapeAllSwigTags): check tag completeness by @​uiolee in #​5395

CI/CD

• ci(commenter): use workflows_run event to comment flamegraph by @​uiolee in #​5384
• ci(benchmark): add PR permissions for comment by @​uiolee in #​5334

Dependencies

• chore: bump typescript from 4.9.5 to 5.3.2 by @​dependabot in #​5358
• chore(deps-dev): remove @​ts/eslint-plugin, parser by @​uiolee in #​5290
• chore: bump c8 from 8.0.1 to 9.0.0 by @​dependabot in #​5391
• chore(dev-deps): bump sinon from 15.2.0 to 17.0.1 by @​dependabot in #​5343
• chore(dev-deps): bump lint-staged from 14.0.1 to 15.2.0 by @​dependabot in #​5373

New Contributors

• @​iliayatsenko made their first contribution in #​5356

Full Changelog: hexojs/hexo@v7.0.0...v7.1.0

v7.0.0

Compare Source

Migration Guide

built-in tags

WARNING
Some of the built-in tags have been dropped (gist, youtube, jsfiddle, and vimeo). If you use those tags in your existing blog posts, you can install hexo-tag-embed to continue using them with Hexo v7.0.0.

Note
No need to install it if you are not using (or will not use) gist, youtube, jsfiddle, vimeo tags in your post or page.

$ npm i hexo-tag-embed

Syntax highlighting

WARNING
Syntax highlighting is refactored and controlled by the following settings. See Syntax Highlighting for more details.

syntax_highlighter: highlight.js # highlight.js | prismjs | <empty>

Breaking Changes

• chore: require node14+ by @​yoshinorin in #​5061
• Dropped tag features. Please see Migration Guid section.
  • refactor: drop gist tag by @​yoshinorin in #​5067
  • refactor: drop youtube tag by @​yoshinorin in #​5064
  • refactor: drop jsfiddle tag by @​yoshinorin in #​5066
  • refactor: drop vimeo tag by @​yoshinorin in #​5065
• Dropped features
  • refactor: drop external_link boolean type by @​yoshinorin in #​5063
  • refactor: drop use_date_for_updated option for updated_option by @​yoshinorin in #​5062
  • feat(post): remove front-matter property link (#​5253) by @​stevenjoezhang in #​5253
• revert: Access data files from source folder (#​1969) (#​5325) by @​stevenjoezhang in #​5325
• refactor highlight: add extend api for highlight by @​stevenjoezhang in #​5095

Notable Changes

• Migrate TypeSctipt
  • refactor: prepare for migration to typescript by @​stevenjoezhang in #​5094
  • refactor: migrate typescript by @​stevenjoezhang in #​5092
  • Refactor types by @​Pcrab in #​5178

New Features

• feat(tags/post_link): search for both slug and title by @​stevenjoezhang in #​5114
• feat(open_graph): drop google_plus by @​stevenjoezhang in #​5115
• feat(tags/img): support quotes in img title and alt by @​stevenjoezhang in #​5112
• feat(console-new): support default title from path by @​xu-song in #​4714
• feat: add an option to disable titlecase in post by @​renbaoshuo in #​5156
• feat: add exclude_languages feature to prismjs by @​D-Sketon in #​5182
• feat(tags/post_link): use slug when title is empty by @​stevenjoezhang in #​5220
• feat: add url_for and full_url_for tag plugins by @​D-Sketon in #​5198
• feat: allow top-level await in plugins or scripts by @​Pcrab in #​5228
• feat: define global variable hexo (#​5242) by @​dimaslanjaka in #​5242

Fixes

• fix(#​1099): hexo server error when changing the config by @​D-Sketon in #​5055
• fix: exclude_languages does not work in code blocks by @​stevenjoezhang in #​5088
• When promisifying, store does not preserve disableNunjucks property by @​tcr in #​2670
• fix(post): skip before_post_render and after_post_render on non-posts by @​stevenjoezhang in #​5118
• fix: Failed to create post with special character title by @​D-Sketon in #​5149
• fix(box): check for invalid file by @​stevenjoezhang in #​5173
• fix(backtick_code): handle empty code block by @​stevenjoezhang in #​5206
• fix(moize): helper function not working fine with relative_url by @​D-Sketon in #​5217
• fix(post): skip_render not working in post_asset_folder (#​5258) by @​D-Sketon in #​5258
• Revert "fix(backtick_code): handle empty code blocks (#​5206)" (#​5257) by @​stevenjoezhang in #​5257
• fix(post-asset): strip extensions better on permalink (#​5153) by @​KagamigawaMeguri in #​5153
  • Reverted in: Revert "fix(post-asset): strip extensions better on permalink (#​5153)" (#​5308) by @​stevenjoezhang in #​5308

Performance

• perf: reduce the number of traversals through posts by @​stevenjoezhang in #​5119
• perf(post): cache tags getter (#​5145) by @​SukkaW in #​5145

Refactor

• refactor: use the WHATWG URL API instead of url.resolve by @​yoshinorin in #​5136

CI/CD

• ci: reduce the running of ci (#​5282) by @​uiolee in #​5282
• ci: reduce the running of ci (#​5291) by @​uiolee in #​5291

Dependencies

• chore: bump sinon from 13.0.2 to 14.0.0 by @​dependabot in #​4965
• chore: bump lint-staged from 11.2.6 to 13.0.3 by @​dependabot in #​5008
• chore: bump husky from 7.0.4 to 8.0.1 by @​dependabot in #​4966
• chore: bump hexo-fs from 3.1.0 to 4.0.0 by @​dependabot in #​5077
• chore: bump hexo-renderer-marked from 5.0.0 to 6.0.0 by @​dependabot in #​5081
• chore: bump hexo-front-matter from 3.0.0 to 4.0.0 by @​dependabot in #​5087
• chore: bump abbrev from 1.1.1 to 2.0.0 by @​dependabot in #​5093
• chore: bump hexo-i18n from 1.0.0 to 2.0.0 by @​dependabot in #​5099
• chore: bump hexo-util from 2.7.0 to 3.0.1 by @​dependabot in #​5107
• chore: bump warehouse from 4.0.2 to 5.0.0 by @​dependabot in #​5101
• chore(deps): update hexo-log from 3.2.0 to 4.0.1 by @​yoshinorin in #​5096
• chore: bump sinon from 14.0.2 to 15.0.0 by @​dependabot in #​5121
• chore: change dependencies version by @​Pcrab in #​5202
• chore: bump c8 from 7.14.0 to 8.0.0 (#​5227) by @​dependabot in #​5227

Test

• test(benchmark): update hexo-many-posts repo by @​SukkaW in #​5128
• test(list_route): improve coverage by @​stevenjoezhang in #​5097
• test: improve coverage by @​D-Sketon in #​5221
• test: improve coverage by @​D-Sketon in #​5223

Misc

• fix typo (#​5245) by @​stevenjoezhang in #​5245
• chore(github): delete other issue template (#​5248) by @​yoshinorin in #​5248
• chore(lint-staged): remove git-exec-and-restage (#​5281) by @​uiolee in #​5281
• chore(github): use github issue form (#​5319) by @​uiolee in #​5319

New Contributors

• @​D-Sketon made their first contribution in #​5055
• @​xu-song made their first contribution in #​4714
• @​tcr made their first contribution in #​2670
• @​Pcrab made their first contribution in #​5178
• @​KagamigawaMeguri made their first contribution in #​5153
• @​dimaslanjaka made their first contribution in #​5242
• @​uiolee made their first contribution in #​5281

Full Changelog

---

Appendix: Changes between v7.0.0(RC2) and v7.0.0

Breaking Changes

• revert: Access data files from source folder (#​1969) (#​5325) by @​stevenjoezhang in #​5325
• feat(post): remove front-matter property link (#​5253) by @​stevenjoezhang in #​5253

New Feature

• feat: define global variable hexo (#​5242) by @​dimaslanjaka in #​5242

Performance

• perf(post): cache tags getter (#​5145) by @​SukkaW in #​5145

Fixes

• fix(post): skip_render not working in post_asset_folder (#​5258) by @​D-Sketon in #​5258
• Revert "fix(backtick_code): handle empty code blocks (#​5206)" (#​5257) by @​stevenjoezhang in #​5257
• fix(post-asset): strip extensions better on permalink (#​5153) by @​KagamigawaMeguri in #​5153
  • Reverted in: Revert "fix(post-asset): strip extensions better on permalink (#​5153)" (#​5308) by @​stevenjoezhang in #​5308

CI/CD

• ci: reduce the running of ci (#​5282) by @​uiolee in #​5282
• ci: reduce the running of ci (#​5291) by @​uiolee in #​5291

Dependencies

• chore: bump c8 from 7.14.0 to 8.0.0 (#​5227) by @​dependabot in #​5227

Misc

• fix typo (#​5245) by @​stevenjoezhang in #​5245
• chore(github): delete other issue template (#​5248) by @​yoshinorin in #​5248
• chore(lint-staged): remove git-exec-and-restage (#​5281) by @​uiolee in #​5281
• chore(github): use github issue form (#​5319) by @​uiolee in #​5319

Full Changelog

hexojs/hexo@v7.0.0-rc2...v7.0.0

v6.3.0

Compare Source

New Features

• feat(tag/post_link): throw on post_link error by @​xbc5 in #​4938
• feat(tag/include_code): robust for url compuation of view raw by @​stevenjoezhang in #​4996
• feat(paginator): allow custom class name by @​renbaoshuo in #​5001
• feat(helper/toc): more flexible class name by @​renbaoshuo in #​5010
• feat(helper/tagcloud): show_count option (#​5047) by @​renbaoshuo in #​5048
• feat(tag/code): add language_attr option (hexojs/hexo-util#278) by @​renbaoshuo in #​5017
• feat(helper/is): add is_home_first_page() helper by @​renbaoshuo in #​5006

Improvements

• let post_link use original post title as title attribute by @​ppwwyyxx in #​4973

Fixes

• fix(hexo/index): db.json file path in debug logging on Windows by @​stevenjoezhang in #​4994
• fix(tag): show source file in unformatted error message by @​curbengh in #​5031
• Don't use data-uri for og:image by @​KentarouTakeda in #​5053

Refactors

• refactor(helper/open_graph): use whatwg url api by @​renbaoshuo in #​5007
• chore(mail_to): use native URLSearchParams by @​renbaoshuo in #​5002

Test

• test: replace nyc with c8 by @​stevenjoezhang in #​5040
• chore(test/extend/tag): async function (#​3328) by @​renbaoshuo in #​5003

CI/CD

• chore: Set permissions for GitHub actions by @​neilnaveen in #​4947
• chore: delete release-drafter by @​yoshinorin in #​5044
• chore: improved benchmark result in github actions by @​renbaoshuo in #​5013

Dependencies

• chore(deps): bump hexo-util and warehouse by @​yoshinorin in #​5028
• chore(deps): bump hexo-log from 3.0.0 to 3.2.0 by @​yoshinorin in #​5054

Misc

• Update license year by @​renbaoshuo in #​5041
• chore: update issue template by @​yoshinorin in #​5030
• chore: update .gitignore by @​yoshinorin in #​4967

New Contributors

• @​xbc5 made their first contribution in #​4938
• @​neilnaveen made their first contribution in #​4947
• @​ppwwyyxx made their first contribution in #​4973

Full Changelog: hexojs/hexo@6.2.0...6.3.0

v6.2.0

Compare Source

Fixes

• fix(#​4917): suppress YAMLException when load js-yaml by @​yoshinorin in #​4927
  • This change is workaround for #​4917. Please see PR comments.
• chore(deps): bump warehouse from 4.0.0 to 4.0.1 by @​yoshinorin in #​4943
  • This change is workaround for #​4922. Please see hexojs/warehouse#123

Refactors

• chore: replace deprecated String.prototype.substr() by @​CommanderRoot in #​4918

Dependencies

• chore: bump sinon from 12.0.1 to 13.0.2 by @​dependabot in #​4944
• chore: bump mocha from 9.2.2 to 10.0.0 by @​dependabot in #​4960
• chore(deps): bump hexo-util from 2.6.0 to 2.6.1 by @​yoshinorin in #​4957
• chore: bump actions/checkout from 2 to 3 by @​dependabot in #​4905

Miscs

• chore(bot): delete stale bot by @​yoshinorin in #​4901
• chore(ISSUE_TEMPLATE): delete Your theme _config.yml section by @​yoshinorin in #​4931

New Contributors

• @​CommanderRoot made their first contribution in #​4918

Full Changelog: hexojs/hexo@6.1.0...6.2.0

v6.1.0

Compare Source

New Features

• feat(toc): Support unnumbered headings by @​Cerallin in #​4871
• Exclude some languages in code highlighting by @​corvofeng in #​3865
• Add line threshold option for codeblocks by @​dbelokon in #​4821

Fixes

• fix(#​1490): if post_asset_folder is set, restrict renderable files to default file extension by @​kristofzerbe in #​4781
• chore/fix(benchmark): fix benchmark on node 16+ by @​SukkaW in #​4906
• fix: plugin loading conflict with @​vercel/nft by @​SukkaW in #​4863
• Fix js-yaml tags for v4.0.0+ by @​marcofranssen in #​4869

Tests

• chore/test: use chai#should by @​SukkaW in #​4902

Dependencies

• chore: bump eslint-config-hexo from 4.2.0 to 5.0.0 by @​dependabot in #​4861
• chore: bump hexo-front-matter from 2.0.0 to 3.0.0 by @​dependabot in #​4856
• chore: bump 0x from 4.11.0 to 5.0.0 by @​dependabot in #​4846
• chore: bump hexo-util from 2.5.0 to 2.6.0 by @​yoshinorin in #​4908
• chore(deps): update some dependencies minor & patch version by @​yoshinorin in #​4898
• chore: bump hexo-renderer-marked from 4.1.0 to 5.0.0 by @​dependabot in #​4891
• chore: bump actions/setup-node from 2 to 3 by @​dependabot in #​4904

Misc

• chore: delete question-help ISSUTE_TEMPLATE & add discussion link for question by @​yoshinorin in #​4848
• github(pull_request_template): remove How to test section by @​stevenjoezhang in #​4576
• fix: typo by @​renbaoshuo in #​4896
• chore/ci: reply flamegraph URL in pull request by @​stevenjoezhang in #​4793

New Contributors

• @​kristofzerbe made their first contribution in #​4781
• @​marcofranssen made their first contribution in #​4869
• @​dbelokon made their first contribution in #​4821
• @​renbaoshuo made their first contribution in #​4896
• @​corvofeng made their first contribution in #​3865
• @​Cerallin made their first contribution in #​4871

Full Changelog: hexojs/hexo@6.0.0...6.1.0

v6.0.0

Compare Source

Breaking Changes

• Drop Node 10 @​stevenjoezhang [#​4779, #​4691]

Security

• Escape HTML by default in list_tag @​tomap [#​4743]

Please see more detail: Announcement: About CVE-2021-25987

New features

• feat: load hexo plugin in the theme's package.json @​stevenjoezhang [#​4771]
• feat(open_graph): different URLs for og:image and twitter:image @​KentarouTakeda [#​4748]

Performance

• perf(tag/helper): memoize @​SukkaW [#​4789]
• perf(external_link): optimize regex @​SukkaW [#​4790]
• refactor/perf: use nanocolors @​SukkaW [#​4788]
• Switch to picocolors @​tomap [#​4825]
• perf: avoid using delete operator @​SukkaW [#​4711]
• perf: overall improvements @​SukkaW [#​4783]
• refactor/perf(post): use state machine to escape swig tag @​SukkaW [#​4780]
• refactor: refactor pagination - paginatorHelper - pagenasionPartShow @​CroMarmot [#​4662]

Fixes

• fix(post): escape swig full tag with args @​stevenjoezhang [#​4824]
• fix(processor): remove race condition failsafe @​SukkaW [#​4791]
• fix(#​4780): curly brackets @​SukkaW [#​4784]
• fix(#​4780): empty tag name correction @​SukkaW [#​4786]
• Generate draft assets in draft mode @​darekkay [#​4563]

Refactor

• refactor: native Array.flat() @​curbengh [#​4806]

Docs

• doc: add homebrew install @​chenrui333 [#​4724]
• doc(extend/console): add jsdoc @​SukkaW [#​4500]

Dependencies

• Cleanup dependabot @​tomap [#​4820]
• chore: bump actions/stale from 3 to 4 @​dependabot [#​4828]
• chore: bump sinon from 11.1.2 to 12.0.1 @​dependabot [#​4810]
• chore: bump eslint from 7.32.0 to 8.0.0 @​dependabot [#​4799]
• chore: bump hexo-log from 2.0.0 to 3.0.0 @​dependabot [#​4794]
• chore: bump husky from 4.3.8 to 7.0.2 @​dependabot [#​4763]
• chore: bump sinon from 10.0.1 to 11.1.2 @​dependabot [#​4747]
• chore: bump mocha from 8.4.0 to 9.1.1 @​dependabot [#​4765]
• chore: bump lint-staged from 10.5.4 to 11.0.0 @​dependabot [#​4697]
• Upgrade to GitHub-native Dependabot @​dependabot-preview [#​4689]
• chore(deps-dev): bump sinon from 9.2.4 to 10.0.0 @​dependabot-preview [#​4670]
• chore(deps-dev): bump hexo-renderer-marked from 3.3.0 to 4.0.0 @​dependabot-preview [#​4649]

New Contributors

• @​CroMarmot made their first contribution in #​4662
• @​darekkay made their first contribution in #​4563
• @​dependabot made their first contribution in #​4697
• @​chenrui333 made their first contribution in #​4724

Full Changelog: hexojs/hexo@5.4.0...6.0.0

v5.4.2

Compare Source

Fixes

• fix(#​4917): downgrade js-yaml from v4.x to v3.14.x by @​yoshinorin in #​4932

Full Changelog: hexojs/hexo@5.4.1...5.4.2

v5.4.1

Compare Source

Fixes

• Fix js-yaml tags for v4.0.0+ (#​4869) by @​marcofranssen in #​4876

Full Changelog: hexojs/hexo@5.4.0...5.4.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.