Update dependency hexo to v6 [SECURITY] #35
This PR contains the following updates:
hexo 3.8.0 -> 6.0.0
GitHub Vulnerability Alerts
CVE-2021-25987
Hexo versions 0.0.1 to 5.4.0 are vulnerable to stored XSS. The post “body” and “tags” don’t sanitize malicious JavaScript during web page generation. A local unprivileged attacker can inject arbitrary code.
Release Notes
hexojs/hexo (hexo)
v6.0.0
Compare Source
Breaking Changes
Security
Please see more detail: Announcement: About CVE-2021-25987
New features
og:image and twitter:image @KentarouTakeda [#4748]
Performance
Fixes
Refactor
Array.flat() @curbengh [#4806]
Docs
Dependencies
New Contributors
Full Changelog: hexojs/hexo@5.4.0...6.0.0
v5.4.2
Compare Source
Fixes
js-yaml from v4.x to v3.14.x by @yoshinorin in https://github.com/hexojs/hexo/pull/4932
Full Changelog: hexojs/hexo@5.4.1...5.4.2
v5.4.1
Compare Source
Fixes
Full Changelog: hexojs/hexo@5.4.0...5.4.1
v5.4.0
Compare Source
New features
Breaking change
Fixes
language in front-matter @stevenjoezhang [#4614]
Misc
Dependencies
v5.3.0
Compare Source
New features
escape_html helper method for string manipulation to templates @awwong1 [#4581]
Fixes
Refactor
process.mainModule with require.main @stevenjoezhang [#4583]
Docs
v5.2.0
Compare Source
Changes
http(s):// over //
{{ title }}) with special characters no longer result in double-quote wrap
config.url should start with "http://" or "https://"
hexo generate --bail
disableNunjucks option should now work reliably with synchronous renderer
Housekeeping
v5.1.1
Compare Source
Changes
_config.yml
highlight:
  enable: false
prismjs:
  enable: false
v5.1.0
Compare Source
Features
caption is now available in prismjs:
_config.yml
highlight:
  enable: false
prismjs:
  enable: true
plugins option has been deprecated long ago and it's now completely dropped
scripts/ folder or installed via npm
package.json.
Performance
v5.0.2
Compare Source
Changes
hexo clean.
v5.0.1
Compare Source
Changes
Injector
external_link filter now pre-matches external links, instead of solely relying on isExternalLink
v5.0.0
Compare Source
Breaking change
_config.yml
external_link: true|false # deprecated
New option
external_link:
  enable: true|false
external_link for truthy value, since it's now automatically converted to object, it will be always truthy:
Box is never documented nor utilized in Hexo's internal.
Updated: only when it's set in the article's front-matter.
keywords.
_config.yml
permalink: :year/:month/:day/:title/
http://yourhexo.com/breaking-news/
.html or /
_ is no longer available on Hexo API.
Helper API
hexo.theme.config is merged into hexo.config, they are now separated to avoid possible conflict in configuration.
New feature
public/ folder.
:second attribute option for post permalink @kkocdko [#4185]
_config.[name].yml, e.g. _config.landscape.yml for hexo-theme-landscape.
_config.yml.
_after_html_render filter @jiangtj [#4051]
after_render:html as alias of _after_html_render @curbengh [#4073]
after_render:html filter plugins automatically benefit from this improvement.
<ul>, <li>, <a>, <span> for list_tags plugin.
Performance
hexo clean, not hexo c alias.
Fix
Writing database to ${dbPath}/db.json message shouldn't show up in hexo clean and hexo version.
highlight.wrap option in user config is now properly passed to the codeblock tag plugin
<meta> with different order @SukkaW [#4017]
<!--more-->
<!-- more-->
<!--more -->
<!-- more -->
Refactor
Dependencies
Misc
Test
v4.2.1
Compare Source
Fix
v4.2.0
Compare Source
Features
min_depth: option to toc() helper [#3997]
Fixes
Merges similar theme configs in main config and theme's config [#3967]
theme variable should have,
Fixes some caching issue [#3985]
Open Graph now applies all pretty_urls options to og:url tag [#3983]
Refactor
No longer uses lodash [#3969], [#3987], [#3753]
_ is still available as a global variable, usually utilized in theme layout.
Completely drops cheerio [#3850], [#3677]
v4.1.1
Compare Source
Feature
trailing_html: to pretty_urls: option to remove ".html" from url [#3917]
https://yoursite.com/page/about.html -> https://yoursite.com/page/about
Fixes
og:locale Open Graph tag [#3921]
og:locale was inserted only if language: is configured in "language-TERRITORY" format
og:locale will default to "en_US". Refer to the pull request for the full list.
meta_generator() helper should output the correct Hexo version [#3925]
permalink_defaults: option should be parsed, not replaced [#3926]
Refactor
v4.1.0
Compare Source
Breaking change
og:locale Open Graph tag won't be inserted if language: (in config, front-matter of post/page or open_graph() helper) is not in language-TERRITORY format [#3808]
en is invalid
en-GB is valid
en-AU is not valid), see official list
og:locale
languages/ folder of installed theme before changing the language: config
Features
https://yoursite.com/2019/12/09/23/59/a-post/
article:published_time [#3674]
article:author [#3805] Open Graph tags
lazyload in iframe-related tag plugins [#3798]
iframe, jsfiddle, vimeo, youtube tag plugins
meta_generator helper to insert metadata element tag [#3782]
<head> element of your theme layout,
<meta name="generator" content="Hexo 4.1.0">
meta_generator helper),
meta_generator: option should be disabled,
js() [#3681] and css() [#3690] helpers
wrap: option to enable/disable wrapping backtick codeblock in <table> element [#3827]
line_number also enables it
highlight:
codeblock() tag plugin [#3848]
Fixes
og_updated_time Open Graph tag with article:modified_time [#3674]
keywords Open Graph tag with article:tag [#3805]
<head> that spans multiple lines [#3778]
db.json when running hexo new or hexo --help [#3793]
ignore: option [#3797]
node_modules folder could cause some issues
external_link filter should not process data URLs (e.g. mailto: & javascript:) [#3812] and <article> element [#3895]
-p is alias of --path
-s is alias of --slug
-r is alias of --replace
include: and exclude: options to post's asset folder [#3882]
ignore: option should work for files, in addition to folders [#3878]
Housekeeping
v4.0.0
Compare Source
Breaking change
asset_link, post_link tag plugins
false to the final argument
{% asset_link 'filename' 'title' 'false' %}
encodeURI(post.permalink) (including permalink of page, tag & category variables), there are three options:
encodeURI(decodeURI(post.permalink)) for backward-compatibility wi
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.