Update dependency hexo to v6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
hexo (source)	4.2.0 -> 6.0.0

GitHub Vulnerability Alerts

CVE-2021-25987

Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post “body” and “tags” don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.

---

Release Notes

hexojs/hexo (hexo)

v6.0.0

Compare Source

Breaking Changes

• Drop Node 10 @​stevenjoezhang [#​4779, #​4691]

Security

• Escape HTML by default in list_tag @​tomap [#​4743]

Please see more detail: Announcement: About CVE-2021-25987

New features

• feat: load hexo plugin in the theme's package.json @​stevenjoezhang [#​4771]
• feat(open_graph): different URLs for og:image and twitter:image @​KentarouTakeda [#​4748]

Performance

• perf(tag/helper): memoize @​SukkaW [#​4789]
• perf(external_link): optimize regex @​SukkaW [#​4790]
• refactor/perf: use nanocolors @​SukkaW [#​4788]
• Switch to picocolors @​tomap [#​4825]
• perf: avoid using delete operator @​SukkaW [#​4711]
• perf: overall improvements @​SukkaW [#​4783]
• refactor/perf(post): use state machine to escape swig tag @​SukkaW [#​4780]
• refactor: refactor pagination - paginatorHelper - pagenasionPartShow @​CroMarmot [#​4662]

Fixes

• fix(post): escape swig full tag with args @​stevenjoezhang [#​4824]
• fix(processor): remove race condition failsafe @​SukkaW [#​4791]
• fix(#​4780): curly brackets @​SukkaW [#​4784]
• fix(#​4780): empty tag name correction @​SukkaW [#​4786]
• Generate draft assets in draft mode @​darekkay [#​4563]

Refactor

• refactor: native Array.flat() @​curbengh [#​4806]

Docs

• doc: add homebrew install @​chenrui333 [#​4724]
• doc(extend/console): add jsdoc @​SukkaW [#​4500]

Dependencies

• Cleanup dependabot @​tomap [#​4820]
• chore: bump actions/stale from 3 to 4 @​dependabot [#​4828]
• chore: bump sinon from 11.1.2 to 12.0.1 @​dependabot [#​4810]
• chore: bump eslint from 7.32.0 to 8.0.0 @​dependabot [#​4799]
• chore: bump hexo-log from 2.0.0 to 3.0.0 @​dependabot [#​4794]
• chore: bump husky from 4.3.8 to 7.0.2 @​dependabot [#​4763]
• chore: bump sinon from 10.0.1 to 11.1.2 @​dependabot [#​4747]
• chore: bump mocha from 8.4.0 to 9.1.1 @​dependabot [#​4765]
• chore: bump lint-staged from 10.5.4 to 11.0.0 @​dependabot [#​4697]
• Upgrade to GitHub-native Dependabot @​dependabot-preview [#​4689]
• chore(deps-dev): bump sinon from 9.2.4 to 10.0.0 @​dependabot-preview [#​4670]
• chore(deps-dev): bump hexo-renderer-marked from 3.3.0 to 4.0.0 @​dependabot-preview [#​4649]

New Contributors

• @​CroMarmot made their first contribution in #​4662
• @​darekkay made their first contribution in #​4563
• @​dependabot made their first contribution in #​4697
• @​chenrui333 made their first contribution in #​4724

Full Changelog: hexojs/hexo@5.4.0...6.0.0

v5.4.2

Compare Source

Fixes

• fix(#​4917): downgrade js-yaml from v4.x to v3.14.x by @​yoshinorin in #​4932

Full Changelog: hexojs/hexo@5.4.1...5.4.2

v5.4.1

Compare Source

Fixes

• Fix js-yaml tags for v4.0.0+ (#​4869) by @​marcofranssen in #​4876

Full Changelog: hexojs/hexo@5.4.0...5.4.1

v5.4.0

Compare Source

New features

• feat: handle config.root is not exist @​jiangtj [#​4616]

Breaking change

• fix(excerpt): use span instead of anchor element for better SEO performance @​stevenjoezhang [#​4627]

Fixes

• fix(box): set property awaitWriteFinish for chokidar filewatcher @​stevenjoezhang [#​4633]
• fix(codeblock): match whitespace but not newlines @​stevenjoezhang [#​4625]
• fix(i18n): page.lang is undefined when using the key language in front-matter @​stevenjoezhang [#​4614]

Misc

• github: update actions/setup-node action to v2 @​stevenjoezhang [#​4604]
• chore/ci: migrate from probot/stale to GitHub Actions @​stevenjoezhang [#​4598]

Dependencies

• chore(deps): bump js-yaml from 3.14.1 to 4.0.0 @​dependabot-preview [#​4607]

v5.3.0

Compare Source

New features

• expose escape_html helper method for string manipulation to templates @​awwong1 [#​4581]
• list_tags: span element & custom class for label @​noraj [#​4578]

Fixes

• fix(load_plugins): ignore plugin whose name is started with "hexo-theme" @​stevenjoezhang [#​4592]
• fix(codeblock): closing code fence may be followed only by spaces @​stevenjoezhang [#​4574]

Refactor

• Replace process.mainModule with require.main @​stevenjoezhang [#​4583]

Docs

• docs(badge): replace david-dm with more reliable shields.io @​curbengh [#​4538]

v5.2.0

Compare Source

Changes

• perf(external_link): faster regexp @​SukkaW [#​4536]
  • prioritise http(s):// over //
• feat: support 'disableNunjucks' in front-matter @​curbengh [#​4518]
  • Enable this option to disable tag plugin
  • Setting this option in front-matter will override the same option set by the renderer (e.g. hexo-renderer-marked)

  ---
  title: foo
  date: 2020-01-02 03:04:05
  disableNunjucks: true|false
  ---

• fix: avoid escaping front-matter if unnecessary @​curbengh [#​4522]
  • using variable (e.g. {{ title }}) with special characters no longer result in double-quote wrap
• fix: validate value of config.url @​curbengh [#​4520]
  • config.url should starts with "http://" or "https://"
• fix(router): convert string to buffer in route stream @​ppoffice [#​4517]
  • fix crash in hexo generate --bail
• fix(disableNunjucks): query both async and sync versions of renderer @​curbengh [#​4498]
  • disableNunjucks option should now works reliably with synchronous renderer
• feat(load_plugin): ignore pkg name endswith theme name @​SukkaW [#​4497]
  • An initial effort to support scoped package

Housekeeping

• chore/ci: move benchmark & profiling to Actions @​SukkaW [#​4525] [#​4514] [#​4335]
  • Travis is now completely replaced by Actions (in this repo)
• chore: use example.com for example domain @​YoshinoriN [#​4512]

v5.1.1

Compare Source

Changes

• fix(filter/highlight): avoid escaping curly bracket when highlight & prismjs disabled @​curbengh [#​4489]
  • When both highlight.js and prismjs are disabled:

  # _config.yml
  highlight:
    enable: false
  
  prismjs
    enable: false

  • there was an issue that curly brackets { } are escaped &#​123; &#​125; mistakenly in the backtick_code_block.js filter. The fix is to avoid running that filter when code highlight is disabled.
  • Some users disable Hexo's default code highlight as they prefer to their own method.

v5.1.0

Compare Source

Features

• feat(highlight): parse 'caption' option to prismHighlight @​curbengh [#​4476]

  • caption is now available in prismjs:

  # _config.yml
  highlight:
    enable: false
  prismjs:
    enable: true

  • It can be used in triple backtick codeblock:

  ``` js caption
  console.log('foo')
  ```

  • above codeblock will be rendered as:
    (class attributes are omitted for brevity)

  <pre><div class="caption"><span>caption</span></div><code>console...</code></pre>

  • you can style the caption by:

  pre div.caption {
    font-size: 0.9em;
    color: #​888;
  }
  
  pre div.caption a {
    float: right;
  }

  • also available via codeblock and include_code tag plugins.

• fix: refactor post escape @​SukkaW [#​4472]

  • fixed issue with prismjs that, in some cases, did not remove hexo's processing tag properly

• Remove plugins option in config @​stevenjoezhang [#​4475]

  # _config.yml
  plugins:

  • plugins option has been deprecated long ago and it's now completely dropped
  • plugins should be saved in scripts/ folder or installed via npm package.json.

Performance

• perf(backtick_code): avoid duplicated escaping @​SukkaW [#​4478]

v5.0.2

Compare Source

Changes

• Revert "perf: avoid running plugins in 'clean' command" [#​4386] @​curbengh [#​4470]
  • This fixes error in hexo clean.

v5.0.1

Compare Source

Changes

• fix(helpers): call url_for from hexo-util @​curbengh [#​4447]
  • helpers are now accessible from APIs such as Injector
• perf(external_link): update regexp @​SukkaW [#​4467]
  • regex of external_link filter now pre-match external links, instead of solely rely on isExternalLink
• perf(injector): shorthand optimization @​SukkaW [#​4462]

v5.0.0

Compare Source

Breaking change

• refactor(external_link): migrate config during load_config @​SukkaW [#​4414] [#​4371]

  • See Writing section for new options (introduced back in v4)

  # _config.yml
  external_link: true|false # deprecated
  
  # New option
  external_link:
    enable: true|false

  # _config.yml
  # https://hexo.io/docs/configuration#Date-Time-format
  use_date_for_updated: true # deprecated
  
  # New option
  updated_option: date

  • If you check external_link for truthy value, since it's now automatically converted to object, it will be always truthy:

  <% if (config.external_link) { %>

  • If you wish to maintain backward compatibility with older Hexo versions:

  <% if ((typeof config.external_link === 'boolean' && config.external_link === true) || (typeof config.external_link === 'object' && config.external_link.enable === true)) { %>

• refactor(box): remove Bluebird.asCallback @​SukkaW [#​4379]

  • Callback syntax for Box is never documented nor utilized in Hexo's internal.
  • This is also a reminder that we might drop callbacks from all Hexo API in future. [#​3328]

• feat: bring up config.updated_option @​SukkaW [#​4278]

  • This can be useful for a theme that prefers to display Updated: only when it's set in the article's front-matter.

• feat(open_graph): drop 'keywords' option from front-matter @​curbengh [#​4174]

  • Search engines no longer support keywords.

• fix(#​3464): override permalink use the front-matter @​SukkaW [#​4359]

  • User config:

  # _config.yml
  permalink: :year/:month/:day/:title/

  • Front-matter

  ---
  title: foo bar
  permalink: breaking-news/
  ---

  • That post will be available on http://yourhexo.com/breaking-news/
  • A reminder that permalink must have a trailing .html or /

  permalink: :year/:month/:day/:title/ # default
  # or
  permalink: :year/:month/:day/:title.html

• Remove lodash from global variable @​SukkaW [#​4266]

  • Lodash _ is no longer available on Hexo API.

  // Dropped
  <% const arrayB = _.uniq(arrayA) %>

  • We encourage the use over native JS API over Lodash, we find this guide to be helpful.
  • If you prefer to use Lodash, you can always install it and make it available via Helper API

• chore/ci: drop Node.js 8 and add Node.js 14 @​SukkaW [#​4255]

  • Node 8 has reached EOL on 31 Dec 2019.
  • Hexo now requires Node 10+; although Node 10.x is still supported, but it's going to be officially deprecated in less than a year (April 2021), so we recommend Node 12+.

• refactor: remove site config from theme config @​SukkaW [#​4145]

  • Previously hexo.theme.config is merged into hexo.config, they are now separated to avoid possible conflict in configuration.

New feature

• feat(tag): show source of the error & beautify @​SukkaW [#​4420]
• feat(post_link): better error message when a post could not be located [#​4426]
  • The error message is now clearer when there is an incorrect filename.
• skip assets of unpublished posts and delete them if exist @​DaemondShu [#​3489]
  • When there is an unpublished post:

  ---
  title: Still a draft....
  published: false
  ---

  • That post including its assets will not be generated into the public/ folder.
• feat(extend/injector): bring up new extend Injector @​SukkaW [#​4049]
  • Refer to the API documentation for usage.
• feat: add prism highlight support @​SukkaW [#​4119]
  • Refer to the documentation for usage.
• feat(tagcloud): new option class & level @​stevenjoezhang [#​4370]
  • Ability to add class name for CSS styling.
• feat(config): validate config before processing posts @​SukkaW [#​4381]
• feat(post_permalink): add :second attribute option for post permalink @​kkocdko [#​4185]
  • Example:

  permalink: :year/:month/:day/:hour/:minute/:second/:title.html

  • Refer to Permalinks for available attributes.
• feat(youtube_tag): add cookie option @​curbengh [#​4155]
  • When disabled, cookie is not set/sent in the youtube video embed.
• feat(youtube_tag): support playlist @​SukkaW [#​4139]
  • Ability to embed a playlist.
• feat(load_theme_config): support alternate theme config @​SukkaW [#​4120]
  • Theme can be configured in a file _config.[name].yml, e.g. _config.landscape.yml for hexo-theme-landscape.
  • Placed the file in the root folder, same as the current _config.yml.
  • Refer to the documentation for configuration priority.
• feat(feed_tag): support parsing config.feed @​curbengh [#​4029]
  • Better integration with hexo-generator-feed.
• feat(tag): add unregister() method @​SukkaW [#​4046]
  • This means you can now unregister existing tag plugins and replace it with your own with the same name.
• feat(filter): add _after_html_render filter @​jiangtj [#​4051]
  • perf(filter): set after_render:html as alias of _after_html_render @​curbengh [#​4073]
  • Existing after_render:html filter plugins automatically benefit from this improvement.
• feat(load_config): support theme_dir in node_modules @​SukkaW [#​4112]
• fix(list_tags): custom class for each element @​noraj [#​4059]
  • Customize the class name for each element <ul>, <li>, <a>, <span> for list_tags plugin.

Performance

• perf(tag): rendering optimization @​SukkaW [#​4418]
• perf(external_link): faster regexp & condition shorthand @​SukkaW [#​4436]
• perf(external_link): optimize regex @​SukkaW [#​4008]
• perf(filter): shorthand syntax @​SukkaW [#​4377]
• perf(backtick_code): shorthand @​SukkaW [#​4369]
• perf: avoid running irrelevant plugins in 'clean' command @​curbengh [#​4386]
  • To maintain compatibility with third-party console plugins, this only applies to hexo clean, not hexo c alias.
• perf(titlecase): lazy require @​SukkaW [#​4417]
• perf(tag/code): performance improvements @​SukkaW [#​4416]
• perf(post): simplify codeblock escape @​SukkaW [#​4254]
• perf(meta_generator): avoid unnecessary check @​SukkaW [#​4208]
• perf(external_link): cache config @​SukkaW [#​4134]
• perf(open_graph): avoid using htmlTag() and enhance cache @​SukkaW [#​4125]
• refactor(list_archives): reduce calls to date.format() @​dailyrandomphoto [#​4011]
• fix(moment.locale): avoid lookup repeatedly with the wrong names @​dailyrandomphoto [#​4007]

Fix

• fix(box): ignore .git and node modules in the theme folder @​jiangtj [#​4306]
• fix: allow empty title @​stevenjoezhang [#​4344]
• fix(#​4236): don't create "/index" directories when post_asset_folder is true @​jiangtj [#​4258]
• fix(#​4317): non-greedy regexp for tag escape @​SukkaW [#​4358]
• fix(post): use non-greedy regular expressions @​stevenjoezhang [#​4161]
• fix(post): properly escape swig tag inside post @​SukkaW [#​4352]
  • swig tag inside a single backtick is now interpreted as code embed.

  • `{% foo %}{{ bar }}{% endfoo %}`

• fix(logging): log database only in relevant commands @​curbengh [#​4387]
  • Writing database to ${dbPath}/db.json message shouldn't show up in hexo clean and hexo version.
• fix(server-cache): must match exact alias @​curbengh [#​4388]
  • Improve compatibility with 3rd-party console plugins that may have a name that starts with an 's'.
• fix(tag-code): parse 'wrap' option @​curbengh [#​4391]
  • highlight.wrap option in user config is now properly passed to the codeblock tag plugin
• fix: remove unused type check @​Himself65 [#​4398]
• fix: access error code from error object directly @​SukkaW [#​4280]
  • Improve compatibility with native JS API
• fix: load_plugin with extra line EOF @​SukkaW [#​4256]
• fix: parsing code error in backticks @​seaoak [#​4229]
• fix(toc_helper): escape class name and handle null id @​curbengh [#​4009]
• fix(meta_generator): match existing <meta> with different order @​SukkaW [#​4017]
• fix(excerpt): stricter regex @​curbengh [#​4443]
  • Now only the following variants of excerpt tag are valid.
  1. <!--more-->
  2. <!-- more-->
  3. <!--more -->
  4. <!-- more -->

Refactor

• refactor(meta_generator): no longer ignore empty @​SukkaW [#​4442]
• refactor(external_link): migrate config during load_config @​SukkaW [#​4414]
• Reduce array#reduce @​segayuu [#​4299]
• Correct using createSha1Hash() with pipe() @​seaoak [#​4323]
• refactor(post): reduce promise @​SukkaW [#​4337]
• refactor: simplify code @​2997ms [#​4408]
• refactor(external_link): filter regexp @​segayuu [#​4412]
• refactor(hexo): merge theme_config before generation @​SukkaW [#​4360]
• refactor(nunjucks): dedicated nunjucks renderer @​SukkaW [#​4356]
• refactor: drop hexo-util#HashStream @​SukkaW [#​4279]
• refactor(toc): avoid using htmlTag @​SukkaW [#​4183]
• refactor(hexo_index): remove unused parameter @​curbengh [#​4153]
• Refactor(class): Replace prototype to class syntax @​segayuu [#​4151]
• refactor: copy object with spread operator @​SukkaW [#​4140]
• refactor: simplify code @​Himself65 [#​4138]
• refactor: utilize Object.entries @​SukkaW [#​4118]
• refactor: utilize hexo-util pr-169 @​SukkaW [#​4045]
• refactor(hexo/index): use Set @​SukkaW [#​4013]
• refactor: Class syntax @​SukkaW [#​4100]
• refactor(helper): minor changes @​SukkaW [#​4061]
• style: space for asyncArrow @​SukkaW [#​4102]
• Reduce stream @​segayuu [#​4333]

Dependencies

• chore(deps): update hexo-front-matter from 1.0.0 to 2.0.0 @​SukkaW [#​4439]
• chore(deps): update hexo-util from 1.9.0 to 2.2.0 [#​4276] [#​4438]
• chore(deps): bump hexo-log from 1.0.0 to 2.0.0 [#​4392]
• chore(deps-dev): bump hexo-renderer-marked from 2.0.0 to 3.0.0 [#​4390]
• chore(deps-dev): bump mocha from 6.2.2 to 8.0.1 [#​4060] [#​4354]
• Update tester node version @​segayuu [#​4324]
• chore(deps-dev): bump eslint from 6.8.0 to 7.0.0 [#​4301]
• chore(deps): bump warehouse from 3.0.1 to 4.0.0 [#​4077] [#​4322]
• chore(deps-dev): bump lint-staged from 9.5.0 to 10.2.0 [#​4283]
• chore(deps): bump hexo-fs from 2.0.0 to 3.0.1 [#​4277]
• chore(deps-dev): bump sinon from 7.5.0 to 9.0.2 [#​4005] [#​4232]
• chore(deps-dev): bump husky from 3.1.0 to 4.2.5 [#​4235]
• chore(deps): bump chalk from 3.0.0 to 4.0.0 [#​4215]
• chore(deps-dev): bump nyc from 14.1.1 to 15.0.0 [#​4003]

Misc

• refactor: port shell script to javascript @​Himself65 [#​4405]
• refactor(console/generate): class & destructure assign @​SukkaW [#​4338]
• Fix not to pass callback to hexo-fs @​segayuu [#​4339]
• style: es6 string extensions & destructure @​SukkaW [#​4357]
• Migrate Travis and Appveyor tp GitHub Actions
  • ci(appveyor): drop appveyor @​SukkaW [#​4402]
  • chore: add release release-drafter (#​3858) @​YoshinoriN [#​4165]
  • ci: add GitHub Actions to run linter @​Himself65 [#​4143]
  • ci(travis): remove Windows @​curbengh [#​4076]
  • ci(github_actions): Create tester job @​segayuu [#​4169]
  • Move coveralls from travis to github actions @​segayuu [#​4326]
• ci(benchmark): generate flamegraph @​SukkaW [#​4000]
• ci(flamegraph): fix 0x @​SukkaW [#​4116]
• Fix issues found by lgtm.com
  • fix(console_generate): remove unnecessary boolean-to-object conversion @​curbengh [#​4152]
  • fix: remove useless conditions @​curbengh [#​4147]
  • fix: return callback if called @​curbengh [#​4178]
• refactor(benchmark): minor changes @​SukkaW [#​4411]
• github(issue_template): add special notice @​SukkaW [#​4348]
  • add mandarin issue template

Test

• test(benchmark): optimize for local & render post support @​SukkaW [#​4428]
• perf(mocha): run tests in parallel @​curbengh [#​4374]
• refactor(test): async hexo/load_config.js @​segayuu [#​4340]
• test(#​4087): add related cases @​SukkaW [#​4364]
• test(post): add test cases for [#​3543] & [#​3459] @​SukkaW [#​4361]
• test(generate): add a small delay before clean up @​SukkaW [#​4393]
• test(#​4385): no double escape in code block @​SukkaW [#​4395]
• test(generate): add a longer delay after fs#unlink @​SukkaW [#​4400]
• test: coverage improvements @​SukkaW [#​4270] [#​4421] [#​4422]
• test(box): fix test cases for macOS @​stevenjoezhang [#​4269]
• test(load_plugins): make sure file is created @​SukkaW [#​4265]
• test(post): adding extra test cases @​SukkaW [#​4238]
• test(load_plugins): minor changes @​SukkaW [#​4212]
• test(post): fix cases added in #​4161 @​SukkaW [#​4162]
• test(tags-plugins/helper): improve test coverage @​SukkaW [#​4014]
• style(test-helper-is): asyncArrow space @​SukkaW [#​4015]
• test: improve coverage @​SukkaW [#​4050]
• test(load-database): fix EPERM error in windows @​curbengh [#​4069]
• test: useful sinon.assert @​segayuu [#​4164]
• test: replace from rewire to sinon.stub() @​segayuu [#​4157]
• refactor test @​segayuu [#​4115]
  • simplify unit test

v4.2.1

Compare Source

Fix

• Fix compatibility with Node 14 [#​4285]

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.