[Snyk] Fix for 20 vulnerabilities

[MarcelRaschke]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • docs/package.json
  • docs/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	464/1000 Why? Has a fix available, CVSS 5	Cross-site Scripting (XSS) SNYK-JS-HEXO-1932976	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HIGHLIGHTJS-1048676	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Cross-site Scripting (XSS) SNYK-JS-STRIPTAGS-1312310	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: hexo

The new version differs by 250 commits.

• c749815 Hexo 6.0.0 (#4750)
• 5977928 chore: bump actions/stale from 3 to 4 (#4828)
• 8ac908a Cleanup dependabot (#4820)
• 11b145c Switch to picocolors (#4825)
• 3ed6fd9 fix(post): escape swig full tag with args (#4824)
• 902cd70 chore: bump sinon from 11.1.2 to 12.0.1 (#4810)
• 0c6380c refactor: native Array.flat() (#4806)
• ed0f239 perf(tag/helper): memoize (#4789)
• 2ec4f63 chore: bump eslint from 7.32.0 to 8.0.0 (#4799)
• 0f534b2 chore: bump hexo-log from 2.0.0 to 3.0.0 (#4794)
• 098cf0a perf(external_link): optimize regexp (#4790)
• 02cbfe3 fix(processor): remove race condition failsafe (#4791)
• 9edbc99 fix(#4780): empty tag name correction (#4786)
• b56ba65 refactor/perf: use nanocolors (#4788)
• b3bd7d4 chore: bump husky from 4.3.8 to 7.0.2 (#4763)
• 9c9b2a5 fix(#4780): curly brackets (#4784)
• a342422 perf: overall improvements (#4783)
• 6f702fc feat: load hexo plugin in the theme's package.json (#4771)
• a2ec6b2 feat(open_graph): different URLs for og:image and twitter:image (#4748)
• 0c979bf refactor(post): use state machine to escape swig tag (#4780)
• 67fc844 doc: add homebrew install (#4724)
• 6164db1 chore: bump sinon from 10.0.1 to 11.1.2 (#4747)
• c18d575 chore: bump mocha from 8.4.0 to 9.1.1 (#4765)
• bb61f15 chore: drop Node 10 (#4779)

See the full diff

Package name: hexo-prism-plus

The new version differs by 13 commits.

• e4d9aa8 Update: README
• ead2016 Update: README now points to new CI status
• 9612ccd Update: switch to GitHub action
• 016d56b Update: major rewrite
• 8894e96 Merge pull request Bump mixin-deep from 1.3.1 to 1.3.2 in /docs #2 from Aetf/dependabot/npm_and_yarn/lodash.merge-4.6.2
• b2287ab Merge pull request Bump lodash from 4.17.5 to 4.17.20 in /docs #3 from Aetf/dependabot/npm_and_yarn/mixin-deep-1.3.2
• 60b9f2c Merge pull request Bump lodash.merge from 4.6.1 to 4.6.2 in /docs #4 from Aetf/dependabot/npm_and_yarn/js-yaml-3.13.1
• 09e931b Merge pull request Bump highlight.js from 9.12.0 to 9.18.5 in /docs #5 from Aetf/dependabot/npm_and_yarn/lodash-4.17.13
• 8172cb2 Upgrade: Bump lodash from 4.17.11 to 4.17.13
• 58acf60 Upgrade: Bump js-yaml from 3.12.0 to 3.13.1
• ff0a5f5 Upgrade: Bump mixin-deep from 1.3.1 to 1.3.2
• 18b218a Upgrade: Bump lodash.merge from 4.6.1 to 4.6.2
• 5b1cdab Update: warn about missing hexo-inject when using yarn, close Action required: Greenkeeper could not be activated 🚨 #1

See the full diff

Package name: hexo-renderer-ejs

The new version differs by 38 commits.

• 8dd9fda V2 (GraphQL Support apollographql/apollo#45)
• deabc8b chore(deps-dev): bump eslint from 7.32.0 to 8.1.0 (Setup jekyll apollographql/apollo#49)
• 5af7160 chore(deps-dev): bump mocha from 8.4.0 to 9.1.0 (Apollo devsub page only apollographql/apollo#44)
• 6beb035 Drop node 10 (fixed merge problems apollographql/apollo#46)
• 81c9307 Upgrade to GitHub-native Dependabot (merging schemas apollographql/apollo#39)
• 09cb553 chore(deps-dev): bump mocha from 7.2.0 to 8.0.1 (State of Invalidation Server and Reactive GraphQL apollographql/apollo#38)
• ddacbfd chore(deps-dev): bump eslint from 6.8.0 to 7.0.0 (Using express in meteor deployments, is it secure? apollographql/apollo#37)
• 8c2415d chore(deps-dev): bump hexo-fs from 2.0.0 to 3.0.1 (Make footer links fully clickable apollographql/apollo#35)
• 0b24ab5 chore(deps-dev): bump mocha from 6.2.3 to 7.1.2 (Add homepage link to readme apollographql/apollo#36)
• 5ab0f81 chore(deps-dev): bump nyc from 14.1.1 to 15.0.0 (resolvers management apollographql/apollo#29)
• 80c3ef3 chore(deps-dev): bump eslint-config-hexo from 3.0.0 to 4.0.0 (Guidelines for package authors apollographql/apollo#28)
• cc5e1b6 chore(deps): bump ejs from 2.7.4 to 3.0.1 (Update Node.js to v8.17.0 - autoclosed #26)
• 2f17874 test: update to new include syntax (Design document apollographql/apollo#27)
• 40dd2ce Merge pull request Bump decode-uri-component from 0.2.0 to 0.2.2 in /docs #24 from curbengh/1.0.0
• 993f912 Merge pull request Update dependency hexo to v6 [SECURITY] - autoclosed #25 from hexojs/dependabot/npm_and_yarn/hexo-fs-tw-2.0.0
• 835bf57 chore(deps-dev): update hexo-fs requirement from ^1.0.0 to ^2.0.0
• 54fb943 docs(readme): add npmjs link (Bump engine.io and browser-sync in /docs #23)
• 2ae8360 release: 1.0.0
• 50c43fb test: replace istanbul with nyc (Bump socket.io-parser and browser-sync in /docs #21)
• 105d010 chore(deps-dev): update eslint requirement from ^5.8.0 to ^6.0.1 (Bump moment-timezone from 0.5.23 to 0.5.37 in /docs #19)
• a3a3730 chore: drop node 6 (Bump css-what from 2.1.2 to 2.1.3 in /docs #20)
• 4b32f7c chore: specify files (Bump minimatch from 3.0.4 to 3.1.2 in /docs #22)
• 7e98c2d chore(deps-dev): update mocha requirement from ^5.2.0 to ^6.0.2 ([Snyk] Fix for 20 vulnerabilities #17)
• ce33ee8 Merge pull request Bump follow-redirects from 1.5.9 to 1.14.8 in /docs #14 from hexojs/dependabot/npm_and_yarn/mocha-tw-5.2.0

See the full diff

Package name: hexo-renderer-less

The new version differs by 4 commits.

• 7254d0e 1.0.0
• d0dddd2 Merge pull request [Snyk] Fix for 20 vulnerabilities #17 from hexojs/dependabot/npm_and_yarn/less-tw-3.9.0
• 719dfae Update less requirement from ^2.5.1 to ^3.9.0
• f02cb60 Fix indentation in `index.js` (Bump moment from 2.20.1 to 2.29.2 in /docs #15)

See the full diff

Package name: hexo-renderer-marked

The new version differs by 177 commits.

• 4304601 chore: bump version from 4.1.0 to 5.0.0 (Add Content For Fetch Data With Queries #219 apollographql/apollo#220)
• 9c48448 chore(deps): bump marked from 3.0.8 to 4.0.1 (Run your graph in production apollographql/apollo#214)
• 20e9d00 chore(deps-dev): bump eslint-config-hexo from 4.2.0 to 5.0.0 (Add Content For Fetch Data With Queries apollographql/apollo#219)
• 568e5e9 refactor: call parent class url tokenizer method (Update dependency hexo to v3.8.0 apollographql/apollo#218)
• 76ee3bc chore(deps-dev): bump hexo from 5.4.0 to 6.0.0 (Connect your graph API to a client apollographql/apollo#217)
• 4bc71b4 chore(deps): bump jsdom from 18.1.1 to 19.0.0 (Add introduction apollographql/apollo#215)
• ae51afc chore(deps-dev): bump eslint from 7.32.0 to 8.0.0 (Add content for Build A Schema section apollographql/apollo#211)
• 3bcb483 chore(deps): bump jsdom from 17.0.0 to 18.0.0 (Add content for data sources section apollographql/apollo#212)
• 36b1c14 Explain security risk of using this plugin ([WIP] Fullstack tutorial apollographql/apollo#210)
• 8767792 chore(deps): bump marked from 2.1.3 to 3.0.4 (docs: Fix minor grammar issue in performance docs apollographql/apollo#208)
• 4f21623 Enable prependRoot by default (Add missing LICENSE apollographql/apollo#203)
• 62e6f7f chore(deps): bump jsdom from 16.7.0 to 17.0.0 (Remove useless backticks apollographql/apollo#199)
• 6e2c6a5 Support node >=12 (Fix typo apollographql/apollo#201)
• 669b057 chore: release v4.1.0 (Added resources to the landing page apollographql/apollo#198)
• 6f6a774 Add DOMPurify to sanitize HTML (Add graphql glossary apollographql/apollo#196)
• d5df309 Support Node v16 (Updated faq apollographql/apollo#197)
• 9edadff chore(deps-dev): bump mocha from 8.4.0 to 9.0.3 (Add GraphQL Glossary apollographql/apollo#195)
• 6009a7e Upgrade to GitHub-native Dependabot (Guides Clean Up & Buttering  apollographql/apollo#188)
• 2602b92 release: v4.0.0 (Fixed typo in variable name apollographql/apollo#184)
• 57d9d8b chore: update build badge on README (Update dependency apollo-hexo-config to v1.0.8 apollographql/apollo#185)
• 758e237 chore(deps): bump marked from 1.2.9 to 2.0.0 (Update File Upload Docs apollographql/apollo#183)
• 6141432 docs: fix small typo (Add Blob example apollographql/apollo#180)
• f9758c1 merge(Add APQ images apollographql/apollo#179): from sukkaw/descriptionLists into master
• cef1743 docs: descriptionLists option

See the full diff

Package name: hexo-server

The new version differs by 99 commits.

• 0ffb748 chore: bump version from 2.0.0 to 3.0.0 (Add GraphQL Glossary apollographql/apollo#195)
• 2f6e4b8 chore(docs): update badges (FAQ Guide apollographql/apollo#194)
• 9d582d6 refactor: use the WHATWG URL API instead of `url.format` (Apollo Server 2 no longer in beta apollographql/apollo#193)
• b79c72b chore(deps): bump mime from 2.5.2 to 3.0.0 (Add Guides Landing page apollographql/apollo#181)
• 00c2027 chore: drop nodejs 10.x (Change authentication to authorization apollographql/apollo#192)
• 6db91dc chore(deps-dev): bump sinon from 11.1.2 to 12.0.1 (Update File Upload Docs apollographql/apollo#183)
• 04dd7d6 chore(deps-dev): bump eslint from 8.1.0 to 8.5.0 (Fix grammar in schema guide doc apollographql/apollo#190)
• 799dd34 chore(deps-dev): bump hexo from 5.4.0 to 6.0.0 (Update non-breaking change use case apollographql/apollo#191)
• a253e04 chore(deps): bump open from 8.3.0 to 8.4.0 (Add APQ images apollographql/apollo#179)
• bf2da7a Cleanup dependant config
• f33dc00 chore(deps-dev): bump mocha from 8.4.0 to 9.1.3 (chore(deps): update dependency meteor-theme-hexo to v1.0.16 apollographql/apollo#176)
• 207ae51 chore(deps-dev): bump eslint from 7.32.0 to 8.1.0 (Add Performance & File Uploads Guide. apollographql/apollo#178)
• 27efa8d chore(deps-dev): bump sinon from 10.0.1 to 11.1.2 (Add Errors guide apollographql/apollo#167)
• 7adcfca Switch to picocolors (Fix typo in testing-react-components.md apollographql/apollo#177)
• ecb1a5d chore(deps): bump open from 8.2.1 to 8.3.0 (Add more info on auth via schema directives apollographql/apollo#172)
• 01ef59c refactor: replace chalk with nanocolors (chore(deps): update dependency meteor-theme-hexo to v1.0.14 - autoclosed apollographql/apollo#171)
• 6048415 feat: check if header has already been set (Setup jekyll apollographql/apollo#49)
• 14f5592 chore(deps-dev): bump supertest from 5.0.0 to 6.1.3 (chore(deps): update dependency hexo to v3.7.1 apollographql/apollo#147)
• c3294cf fix: send correct MIME for rss file (docs: Add hexo-prism-plus to enable Prism syntax highlighting. apollographql/apollo#145)
• cc1ff81 chore(deps): bump open from 7.4.2 to 8.0.9 (fix image link for fundamentals guide apollographql/apollo#159)
• 5a786bd chore(deps-dev): bump sinon from 9.2.4 to 10.0.1 (chore(deps): update dependency meteor-theme-hexo to v1.0.10 apollographql/apollo#154)
• 95ec110 Upgrade to GitHub-native Dependabot (chore(deps): update dependency meteor-theme-hexo to v1.0.11 apollographql/apollo#157)
• 571d235 chore(deps-dev): bump supertest from 4.0.2 to 5.0.0 (Add warning to documentation that the React tutorial is outdated apollographql/apollo#141)
• 5693469 Merge pull request chore(deps): update dependency hexo to v3.7.0 - autoclosed apollographql/apollo#140 from curbengh/v2.0.0

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-AXIOS-174505	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	No Known Exploit
	646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2	Uninitialized Memory Exposure npm:stringstream:20180511	Mature

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Arbitrary Code Injection
🦉 Remote Code Execution (RCE)
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn