[Snyk] Fix for 1 vulnerabilities#11

Open
snyk-bot wants to merge 1 commit into
masterfrom
snyk-fix-6b7675ab1beb1542acdf624d12b3f3ae
Conversation

@snyk-bot snyk-bot commented Dec 7, 2020

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity: medium severity
Priority Score (*): 551/1000 (Why? Recently disclosed, Has a fix available, CVSS 5.3)
Issue: Regular Expression Denial of Service (ReDoS), SNYK-JS-HIGHLIGHTJS-1048676
Breaking Change: Yes
Exploit Maturity: No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: hexo-cli
The new version differs by 208 commits.
  • 737b96e Merge pull request #195 from curbengh/4.0.0
  • d454da5 release: 4.0.0
  • b8ecb86 chore: requires Node 10.13+
  • 9dbfead chore(deps-dev): bump eslint from 7.4.0 to 7.5.0 (#221)
  • 64a8ba6 merge(#223): from curbengh/gh-action
  • 32da61c docs: add git submodule instruction
  • 2db127e ci: add GitHub Actions
  • 639662e chore(deps): bump hexo-util from 2.0.0 to 2.1.0 (#196)
  • 49a7252 chore(deps): bump hexo-fs from 3.0.1 to 3.1.0 (#201)
  • 9ae7f2c chore(deps-dev): bump eslint from 7.2.0 to 7.4.0 (#219)
  • ceaf1fc chore(deps): bump acorn from 7.2.0 to 7.3.1 (#210)
  • c567236 chore(deps): [security] bump lodash from 4.17.14 to 4.17.19 (#220)
  • 4c7babf chore(deps): bump hexo-log from 1.0.0 to 2.0.0 (#217)
  • 02e8273 chore(deps-dev): bump hexo-renderer-marked from 2.0.0 to 3.0.0 (#216)
  • 2b07acb fix(permission): caused by #200 (#213)
  • 7407649 chore(deps): bump chalk from 4.0.0 to 4.1.0 (#208)
  • 6506e26 chore(deps-dev): bump nyc from 15.0.1 to 15.1.0 (#205)
  • ce3ed5f chore(deps-dev): bump eslint from 7.0.0 to 7.2.0 (#207)
  • b43f94a chore(deps): remove acorn (#211)
  • af92881 fix(init): init error with a number target project name (#200)
  • a6d44ce chore(deps-dev): bump mocha from 7.2.0 to 8.0.1 (#209)
  • f518198 feat: detailed information for `hexo not found` (#206)
  • 1acb025 chore(deps-dev): bump mocha from 7.1.2 to 7.2.0 (#203)
  • 71debfb chore(deps): bump acorn from 7.1.1 to 7.2.0 (#198)

See the full diff

Package name: hexo-util
The new version differs by 250 commits.
  • f90fd44 Merge pull request #197 from curbengh/2.0.0
  • c5caf2c release: 2.0.0
  • b990b8f refactor: drop Node.js 8 (#191)
  • 20a3c1b Merge pull request #196 from curbengh/sublang-highlight
  • 022266f docs(highlight): warn 'autoDetect' usage
  • 1f3e562 docs(highlight): 'sublanguage highlight' requirement
  • efe1fec fix: avoid overriding Transform.destroy() method (#195)
  • 1b3aa01 chore(deps): bump highlight.js from 9.18.1 to 10.0.0 (#192)
  • 31f74a5 ci(travis): drop Node 8 and add Node 14 (#193)
  • 5b14fd2 chore(deps-dev): bump rewire from 4.0.1 to 5.0.0 (#187)
  • 48788a7 docs: add isExternalLink JSDoc (#190)
  • 595aaab Merge pull request #182 from YoshinoriN/1.9.0
  • 2496d1f Merge pull request #183 from SukkaW/fix-is-external-filter
  • 771f8ba fix(prism): add strip_indent support (#184)
  • e81733c Merge pull request #185 from YoshinoriN/add-release-drafter
  • 24c4f37 chore: add release release-drafter
  • 544a6f6 Merge pull request #175 from curbengh/tocobj-child
  • 38a0e5f fix(tocobj): parse permalink if no text
  • 6f796aa fix(tocObj): return empty string
  • 6b18598 fix(tocObj): skip permalink symbol
  • 2a9a5ba perf(is_ecternal_link): absolute url detection
  • 7e5633a fix(highlight): make highlight more robust (#171)
  • 8615f15 refactor(toc_obj): simplify the code (#181)
  • 12bdb3a fix(is_external_link): handle invalid url

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
  • 🧐 View latest project report
  • 🛠 Adjust project settings
  • 📚 Read more about Snyk's upgrade and patch logic

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-HIGHLIGHTJS-1048676