
[Snyk] Security upgrade hexo from 5.2.0 to 7.2.0

Open wololock opened this issue 4 months ago • 0 comments

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity       | Priority Score (*)                                                      | Issue                                      | Breaking Change | Exploit Maturity
high severity  | 696/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.5) | Directory Traversal (SNYK-JS-HEXO-5889980) | Yes             | Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: hexo
The new version differs by 215 commits.
  • 90b107c release: 7.2.0 (#5453)
  • 4fec0e0 test: add test case for issue #4334 (#5465)
  • 43fcce3 ci: suppress comment err and reduce benchmark running (#5454)
  • b5b63ca fix(tag/include_code): prevent path traversal (#5251)
  • cefee92 chore(deps): bump hexo-fs from ^4.1.1 to ^4.1.3 (#5463)
  • b6ebbca fix(categories,tags): revert behavior of locals.tags and locals.categories (#5388)
  • 80dafe2 refactor: backslashes on Windows (#5457)
  • 94f6ad3 fix(tag): use url_for (#5385)
  • d7ad401 feat(highlight): add an option to switch stripIndent (#5427)
  • a3b9638 refactor: migrate typescript (#5430)
  • 3c7729d refactor: migrate typescript (#5417)
  • 7ef26ad fix(tag/post_link): support url with subdir (#5419)
  • 6cf6993 test: fix typos (#5426)
  • 6bf9e6c chore: make callback on exit optional (#5421)
  • bc53720 docs(README): Update Sponsors images (#5410)
  • 1b569a8 chore(deps-dev): Limited `@types/node` version (#5411)
  • ee4bc8e refactor: refactor types (#5398)
  • bb489cb release: 7.1.1 (#5405)
  • b6de85a fix(escapeTags): escape tag which includes line break (#5402)
  • e67c1f1 chore: use `prepublishOnly` instead of `prepublish` and run `npm install` in `prepublishOnly` script (#5399)
  • 282e49a release: 7.1.0 (#5397)
  • c1c5aaa fix(escapeAllSwigTags): check tag completeness (#5395)
  • 86350d9 refactor: refactor types (#5344)
  • 6a91fb6 fix: permalink should be overwritten when post_asset_folder is true (#5254)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
  • 🧐 View latest project report
  • 🛠 Adjust project settings
  • 📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:
  • 🦉 Directory Traversal

wololock avatar Apr 19 '24 04:04 wololock