[Snyk] Upgrade hexo from 4.0.0 to 4.2.0

[snyk-bot]

Snyk has created this PR to upgrade hexo from 4.0.0 to 4.2.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 3 versions ahead of your current version.
• The recommended version was released 3 months ago, on 2019-12-22.

Release notes

Package name: hexo

• 4.2.0 - 2019-12-22
  

  Features

  • Caching is disabled by default in hexo-server [#3963]
    • It's disabled so that any changes (particularly to the theme's layout) can be previewed in real-time.
    • If you use hexo-server in production environment to serve your website, it can be enabled by,

    _config.yml
    server:
      cache: true

  • Add min_depth: option to toc() helper [#3997]
    • Example usage:

    <%- toc(page.content, { min_depth: 2 }) %>
    // table of content would only include <h2>, <h3> and above

  Fixes

  • Merges similar theme configs in main config and theme's config [#3967]
    • For example:

    _config.yml
    theme_config:
      a:
        b: 'foo'

    • Plus,

    _config.yml of theme
    a:
      c: 'bar'

    • theme variable should have,

    a: {
      b: 'foo',
      c: 'bar'
    }
    

  • Fixes some caching issue [#3985]
  • Open Graph now applies all pretty_urls options to og:url tag [#3983]

  Refactor

  • No longer uses lodash [#3969], [#3987], [#3753]

    • Lodash _ is still available as a global variable, usually utilized in theme layout.
    • However, we plan to completely drop it in the coming Hexo 5.0.0
    • This project page includes all the relevant pull requests which you may find useful

  • Completely drops cheerio [#3850], [#3677]

    • This means Hexo no longer includes cheerio as part of its production dependencies (it's still a development dependency)
    • This also means the following initialization methods no longer work,

    const cheerio = require('./node_modules/hexo/node_modules/cheerio/index')
    const cheerio = require('./node_modules/cheerio/index')

    • To use cheerio,

    $ npm install --save cheerio

    const cheerio = require('cheerio')

• 4.1.1 - 2019-12-12
  

  Feature

  • Add trailing_html: to pretty_urls: option to remove ".html" from url [#3917]
    • Use the following config to remove the trailing ".html" from permalink variables

    _config.yml
    pretty_urls:
      trailing_html: false

    • Example: https://yoursite.com/page/about.html -> https://yoursite.com/page/about

  Fixes

  • Set default locales (in "language_TERRITORY" format) for og:locale Open Graph tag [#3921]
    • Previously og:locale was inserted only if language: is configured in "language-TERRITORY" format
    • With this fix, if the language is "en", og:locale will default to "en_US". Refer to the pull request for the full list.
  • meta_generator() helper should output the correct Hexo version [#3925]
  • permalink_defaults: option should be parsed, not replaced [#3926]
  • "node_modules/" and ".git/" folders in themes/ are now always ignored [#3918]

  Refactor

  • Further reduces lodash usage [#3880]
• 4.1.0 - 2019-12-09
  

  Breaking change

  • Requires Node 8.10 or above [#3778]
    • Node 8 is going to be deprecated in less than a month, we strongly urge to upgrade to Node 10 or newer
  • og:locale Open Graph tag won't be inserted if language: (in config, front-matter of post/page or open_graph() helper) is not in language-TERRITORY format [#3808]
    • en is invalid
    • en-GB is valid
    • Not all locales are supported (e.g. en-AU is not valid), see official list
    • Dash (e.g. "en-GB") must be used for multilingual support, dash is automatically transformed to underscore (e.g. "en_GB") in og:locale
    • Verify the corresponding file exists in the languages/ folder of installed theme before changing the language: config

  Features

  • Support adding hour and minute to post permalink [#3629]
    • Example usage:

    _config.yml
    permalink: :year/:month/:day/:hour/:minute/:title/

    • Results in https://yoursite.com/2019/12/09/23/59/a-post/
  • Insert article:published_time [#3674] article:author [#3805] Open Graph tags
  • Enable lazyload in iframe-related tag plugins [#3798]
    • Affects iframe, jsfiddle, vimeo, youtube tag plugins
    • Requires supported browsers to benefit from this feature
    • Unsupported browsers would simply ignore the attribute, thus it is safe to use and always enabled
  • meta_generator helper to insert metadata element tag [#3782]
    • Example usage:
    • Insert the following snippet (if EJS is used) inside <head> element of your theme layout,

    <%- meta_generator() %>

    • would output <meta name="generator" content="Hexo 4.1.0">
    • Hexo 3.9.0+ inserts the tag automatically; to get the performance benefit (of the meta_generator helper), meta_generator: option should be disabled,

    _config.yml
    meta_generator: false

  • Support custom attributes in js() [#3681] and css() [#3690] helpers
    • Example usage:

    <%- js({ src: 'script.js', integrity: 'foo', async: true }) %>
    // <script src="/script.js" integrity="foo" async></script>
    <%- css({ href: 'style.css', integrity: 'foo' }) %>
    
    // <link rel="stylesheet" href="/style.css" integrity="foo">

  • Support wrap: option to enable/disable wrapping backtick codeblock in <table> element [#3827]
    • Enabled by default, enabling line_number also enables it
    • Configure in highlight:

    _config.yml
    highlight:
      line_number: false # must be disabled to disable wrap:
      wrap: false

    • This option also can be passed to codeblock() tag plugin [#3848]

    {% codeblock lang:js wrap:false %}
    const foo = (bar) => {
      return bar;
    };
    {% endcodeblock %}

  Fixes

  • Retain blank lines in a codeblock attached in blockquote [#3770]
  • Replaced deprecated og_updated_time Open Graph tag with article:modified_time [#3674]
  • Replaced deprecated keywords Open Graph tag with article:tag [#3805]
  • meta_generator tag should be inserted into <head> that spans multiple lines [#3778]
  • No longer clear database db.json when running hexo new or hexo --help [#3793]
  • Completely ignore files/folders specified in ignore: option [#3797]
    • If you're using Webpack or related tools in your theme, the node_modules folder could cause some issues
    • A temporary workaround is to configure Hexo to ignore that folder,

    _config.yml
    ignore: '**/themes/*/node_modules/**'

    • The workaround will no longer be necessary in future version
  • jsfiddle, vimeo and youtube tag plugins now use https only [#3806]
  • external_link filter should not process data URLs (e.g. mailto: & javascript:) [#3812] and <article> element [#3895]
  • Prevent unnecessary insertion of front-matter when using alias in Hexo CLI [#3830]
    • -p is alias of --path
    • -s is alias of --slug
    • -r is alias of --replace
  • Applies include: and exclude: options to post's asset folder [#3882]
  • ignore: option should work for files, in addition to folders [#3878]

  Housekeeping

  • Add FOSSA license analyzer for open-source software license compliance [#3779]
  • Run benchmark in CI to catch regression [#3776]
  • Further reduces lodash usage [#3786], [#3788], [#3790], [#3785], [#3809], [#3791], [#3810], [#3826], [#3867], [#3845]
  • Remove unnecessary file at the end of unit test [#3792]
  • Add funding source to npm [#3851]
  • Update bump strip-ansi from 5.2.0 to 6.0.0 [#3852]
  • Update chalk from 2.4.2 to 3.0.0 [#3853]
• 4.0.0 - 2019-10-16
  

  Breaking change

  • chore: drop Node 6 #3598
  • fix post_link, asset_link when title contains unescaped html charaters #3704
    • Affects asset_link, post_link tag plugins
    • If you want to retain unescaped characters, set false to the final argument {% asset_link 'filename 'title' 'false' %}
  • fix: encode permalink by default #3708
    • If you currently use encodeURI(post.permalink) (including permalink of page, tag & category variables), there are three options:
      1. Use encodeURI(decodeURI(post.permalink)) for backward-compatibility with hexo v3.9 (and older)
      2. Use encodeURL() function provided by hexo-util, it is backward-compatible
      3. Drop encodeURI() function, this breaks backward-compatibility
    • If you want to use the variables in decoded form,
      • Use decodeURI(post.permalink)
      • decodeURL() of hexo-util can decode punycoded domain.
    • This change does not apply to this.url variable.
  • fix(paginator): add escape option for compatibility with [email protected] #3728
    • Theme devs, if you customize prev_text/next_text with html (e.g. to insert icons), you need to set escape: false in the parameter.

  Feature

  • feat(filter): use existing excerpt if possible #3612

    • Support excerpt: in front-matter

  • switch minimatch to micromatch #3538

    • Refer to micromatch docs for advanced globbing

  • feat: add option to disable meta generator tag #3653

    • Add meta_generator: false to config to disable

  • feat(generator): allow limit parallel generation #3665

    • If you experience "Out of memory" issue, try lowering the value in hexo g --concurrency <number>

  • Option to use date instead of file mtime for updated date #3235

    • If you prefer not to use file modification time in the post.updated variable, set use_date_for_updated: true in config

  • feat(list_tags): add Schema "keywords" and Microdata "tag" #3678

  • feat(permalink_variable): add pretty_urls option to remove index.html from url #3691

    • Use the following config to remove the trailing index.html from permalink variables

    pretty_urls:
      trailing_index: false

    • Does not apply to this.url variable (see #3661).
    • Should be compatible with existing canonical-related plugins, recommend plugin and theme devs to test

  • feat: add full_url_for helper #3701

    • use this helper full_url_for(page.path) instead of config.url + page.path

  • fix: external_link should use after_render #3675

    • added field and exclude options, see #3675 for guide.

  Performance

  • perf(meta_generator): drop cheerio #3671
  • perf(open_graph): drop cheerio and use regex #3680
  • perf(external_link): drop cheerio and use regex #3685
  • perf(cache): enforce caching across modes #3756

  Fix

  • fix: set english as default #3654
  • Use filename when title is not specified in the front-matter #3672
  • fix: ignore categories / tags with zero posts #3624
  • fix(open_graph): remove index.html from url #3661
  • fix(open_graph): remove duplicate twitter card tags #3668
  • fix(helpers, tag plugins): encode url by default #3710
    • Refer to #3708 for guide on decoding.
  • fix(open_graph): percent-encode url, not html escape #3686
  • fix: Allow backtick code block in "blockquote" tag plugin #2321
  • fix: Correct processing of backtick code block on blockquote #3765
  • fix: prevent inserting extra new line character into the end of backtick code block #3768

  Dependency

  • chore(deps): update tildify requirement from ^1.2.0 to ^2.0.0 #3541
  • chore(deps): update strip-indent requirement from ^2.0.0 to ^3.0.0 #3534
  • chore(deps-dev): update husky requirement from ^1.1.3 to ^3.0.0 #3608
  • chore(deps-dev): update eslint requirement from ^5.9.0 to ^6.0.1 #3606
  • chore(deps-dev): update lint-staged requirement from ^8.1.0 to ^9.1.0 #3615
  • chore: update to [email protected] and [email protected] #3646
  • chore(deps): update hexo-i18n requirement from ^0.2.1 to ^1.0.0 #3698
  • chore(deps): update hexo-fs requirement from ^1.0.0 to ^2.0.0 #3699
  • chore(deps): update hexo-front-matter requirement from ^0.2.3 to ^1.0.0 #3700
  • chore(deps): update hexo-log requirement from ^0.2.0 to ^1.0.0 #3730
  • chore(deps): update warehouse requirement from ^2.2.0 to ^3.0.0 #3736
  • chore(deps): bump hexo-cli from 2.0.0 to 3.0.0 #3743

from hexo GitHub release notes

Commit messages

Package name: hexo

• c0bf222 Merge pull request #4001 from curbengh/4.2.0
• b330adb release: 4.2.0
• 3d80619 Merge pull request #3996 from SukkaW/utilize-hexo-util-cache
• a4a3f82 Merge pull request #3997 from SukkaW/toc-min-depth
• 0cfb532 feat(toc_helper): add min_depth option
• c361e84 test(toc_helper): refactor
• aed8240 test(locals): use cache syntax
• c6e6e6b refactor(locals): utilize hexo-util's Cache()
• 09316c2 refactor(console/generate): utilize hexo-util
• a381dda refactor(toc_helper): utilize hexo-util (#3850)
• 04d34a7 Merge pull request #3983 from curbengh/og-pretty-urls
• 56593ca refactor(fragment_cache): utilize hexo-util (#3994)
• 859bf77 test(open_graph): encodeURL link
• 678d7c8 fix(open_graph): incorrect usage of config.url
• a9b3b32 fix(open_graph-helper): pass all pretty_urls options
• 3b58c63 test(benchmark): skip checking completion time in hot processing (#3993)
• 9b49688 refactor: destructure modules (#3992)
• 91e5c32 Merge pull request #3945 from curbengh/deployer-class
• 4c86aac Merge pull request #3991 from SukkaW/bump-hexo-util-1.8.0
• 810a2d6 chore(deps): bump hexo-util to 1.8.0
• 1ccc292 refactor(theme/view): faster assignIn (#3987)
• fa59eb2 Merge pull request #3981 from curbengh/hexo-locals-class
• 5a503ff Merge pull request #3986 from curbengh/chain-assignment
• 3808441 style: assign to this.variable

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs