Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[Snyk] Upgrade metalsmith from 2.3.0 to 2.6.3 #8

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Upgrade metalsmith from 2.3.0 to 2.6.3 #8

wants to merge 1 commit into from

Conversation

InfiniteLove2020
Copy link
Owner

snyk-top-banner

Snyk has created this PR to upgrade metalsmith from 2.3.0 to 2.6.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 10 versions ahead of your current version.

  • The recommended version was released on 7 months ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908		 696 Proof of Concept
high severity Uncontrolled resource consumption
SNYK-JS-BRACES-6838727		 696 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-GLOBPARENT-1016905		 696 Proof of Concept
medium severity Missing Release of Resource after Effective Lifetime
SNYK-JS-INFLIGHT-6095116		 696 Proof of Concept
Release notes
Package name: metalsmith
  • 2.6.3 - 2024-03-05

    Removed

    • Drops support for Node < 14.18.0 (4 minor, deprecated versions) to be able to use 'node:' protocol imports" b170cf0

    Updated

    • Updated README.md code samples, links, and troubleshooting section
    • Dependencies: 774a164
      • chokidar: 3.5.3 ▶︎ 3.6.0

    Fixed

    • Fixes ms.watch(false) unreliable behavior when the build errors. 0d8d791
  • 2.6.2 - 2023-11-15
    • TS fixes: add generic to Metalsmith.File, bring back Metalsmith.DoneCallback, add Metalsmith.Plugin promise signature 3ae6275
    • #394 Avoid leaking unhandled rejections in build/watch promises. cac48fc, 5b48dce
    • Fix a typo in CLI help message 642a176
  • 2.6.1 - 2023-07-11
    • 34239d9 Documents metalsmith.watch() getter signature in TS
    • a719025 Normalizes ms.watch().paths to an array, allows access to a subset of chokidar options as advertised
    • 5a516b2 Sets chokidar watchOption awaitWriteFinish to false, and batch timer to 0 to speed up watching
    • 23b0944 Fixes #389: ensure not missing watcher ready event to successfully launch build
    • 05265ce Fixes formatting issue in types JSdoc comments
  • 2.6.0 - 2023-05-29

    Added

    • [#356] Added Typescript support 58d22a3
    • Added --debug and --dry-run options to metalsmith (build) command 2d84fbe
    • Added --env option to metalsmith (build) command 9661ddc
    • Added Metalsmith CLI support for loading a .(c)js config. Reads from metalsmith.js as second default after metalsmith.json 45a4afe
    • Added support for running (C/M)JS config files from CLI 424e6ec
    • Dependencies:

    Removed

    • #231 Dropped support for Node < 14.14.0 80d8508
    • Dependencies:
      • rimraf: replaced with native Node.js methods ae05945
      • cross-spawn: baee1de

    Updated

    • Modernized Metalsmith CLI, prepared transition to imports instead of require 24fcffb 4929bc2
    • Dependencies:

    Fixed

    • Fixes a duplicate empty input check in metalsmith.match 60e173a
    • Gray-matter excerpts are removed from contents instead of being duplicated to the excerpt property 2bfe800
    • Gray-matter excerpts are trimmed acb363e

    Full Changelog: v2.5.1...v2.6.0

  • 2.5.1 - 2022-10-07
    • Dependencies: 774a164
      • debug: 4.3.3 ▶︎ 4.3.4
    • Clarified semver policy in README.md
    • Added SECURITY.md

    Fixed

    • Fixes #373: do not crash when postinstall script fails in specific environments
  • 2.5.0 - 2022-06-10

    Important note to metalsmith-watch users:
    Although 2.5.0 is a semver-minor release, it breaks compatibility with metalsmith-watch, which relies on the Metalsmith < 2.4.x private method signature using the outdated unyield package. See issue #374 for more details.

    Added

    • #354 Added Metalsmith#env method. Supports passing DEBUG and DEBUG_LOG amongst others. Sets CLI: true when run from the metalsmith CLI. b42df8c, 446c676, 33d936b, 4c483a3
    • #356 Added Metalsmith#debug method for creating plugin debuggers
    • #362 Upgraded all generator-based methods (Metalsmith#read,Metalsmith#readFile,Metalsmith#write,Metalsmith#writeFile, Metalsmith#run and Metalsmith#process) to dual callback-/ promise-based methods 16a91c5, faf6ab6, 6cb6229
    • Added org migration notification to postinstall script to encourage users to upgrade 3a11a24

    Removed

    • #231 Dropped support for Node < 12 0a53007
    • Dependencies:
      • thunkify: replaced with promise-based implementation faf6ab6
      • unyield replaced with promise-based implementation faf6ab6
      • co-fs-extra: replaced with native Node.js methods faf6ab6
      • chalk: not necessary for the few colors used by Metalsmith CLI 1dae1cb
      • clone: see #247 a871af6

    Updated

    • Restructured and updated README.md 0da0c4d
    • #247 Calling Metalsmith#metadata no longer clones the object passed to it, overwriting the previous metadata, but merges it into existing metadata.

    Fixed

    • #355 Proper path resolution for edge-cases using CLI, running metalsmith from outside or subfolder of metalsmith.directory()5d75539
  • 2.4.3 - 2022-05-16

    Updated

    • Dependencies: 774a164
      • micromatch: 4.0.4 ▶︎ 4.0.5
    • Updated README.md

    Fixed

  • 2.4.2 - 2022-02-13

    Updated

    • Dependencies: af9dec0
      • chalk: 3.0.0 ▶︎ 4.1.2
    • Updated README.md

    Fixed

    • Fixed Metalsmith JSDoc type hints in VS code ebf82f4
  • 2.4.1 - 2022-01-31

    Fixed

    Bugfix: include index.js in package.json files

    Unfortunately release 2.4.0 missed the index.js file and was only usable by doing require('metalsmith/lib'). For this reason the release notes from 2.4.0 are re-included below:

    Added

    • #338 Added Metalsmith#match method. Plugins no longer need to require a matching library 705c4bb, f01c724
    • #358 Added TS-style JSdocs 828b17e
    • Use native fs.rm instead of rimraf when available (Node 14.4+) fcbb76e, 66e4376
    • #226 Allow passing a gray-matter options object to Metalsmith#frontmatter a6438d2
    • Modernized dev setup ef7b781
    • Added 8 new tests (match method, front-matter options, path & symbolic link handling)
    • Files object file paths are now guaranteed to be sorted aphabetically. 4eb1184
    • #211 Metalsmith#build now returns a promise which you can attach a then/catch to or await. The build callback model is still available. 6d5a42d

    Removed

    Updated

    • Dependencies: 75e6878

      • chalk: 1.1.3 ▶︎ 3.0.0
      • gray-matter: 2.0.0 ▶︎ 4.0.3
      • stat-mode: 0.2.0 ▶︎ 1.0.0
      • rimraf: 2.2.8 ▶︎ 3.0.2
      • ware: 1.2.0 ▶︎ 1.3.0
      • commander (used in CLI): 2.15.1 ▶︎ 6.2.1
      • win-fork (used in CLI): replaced with cross-spawn:7.0.3

    • Updated CHANGELOG.md format to follow “Keep A Changelog” (#266) (@ Zearin)

    Fixed

    • #206 Metalsmith#ignore now only matches paths relative to Metalsmith#source (as it should). See linked issue for details 4eb1184
    • #226 Metalsmith will no longer 'swallow' errors on invalid front-matter, they will be passed to Metalsmith#build a6438d2
    • Fix test error on Windows #158 (@ moozzyk)
    • #281 Metalsmith now properly handles symbolic links (will throw an ENOENT error or they can be Metalsmith#ignore'd) 4eb1184
    • #178 Metalsmith#ignore now removes the matched files before they are statted for glob-based ignores (saving some perf & potential errors).
    • #295 Metalsmith now catches all FS errors and passes them to the build callback/ thenable appropriately.

    Security

    • Replace all occurences of new Buffer with Buffer.from

    npm audit vulnerability fixes

    • Development Dependencies:
      • coveralls: 2.11.6 ▶︎ 3.0.1 (#308) (@ Zearin)
        Fix 5 “Moderate” vulnerabilities
      • metalsmith-markdown: 0.2.1 ▶︎ 0.2.2 (#312) (@ Zearin)
        Fix 1 “Low” vulnerability
  • 2.4.0 - 2022-01-31

    Unfortunately this release missed the index.js file and is only usable by doing require('metalsmith/lib'). This has quickly been fixed in 2.4.1 and the release notes ported to it

    Added

    • #338 Added Metalsmith#match method. Plugins no longer need to require a matching library 705c4bb, f01c724
    • #358 Added TS-style JSdocs 828b17e
    • Use native fs.rm instead of rimraf when available (Node 14.4+) fcbb76e, 66e4376
    • #226 Allow passing a gray-matter options object to Metalsmith#frontmatter a6438d2
    • Modernized dev setup ef7b781
    • Added 8 new tests (match method, front-matter options, path & symbolic link handling)
    • Files object file paths are now guaranteed to be sorted aphabetically. 4eb1184
    • #211 Metalsmith#build now returns a promise which you can attach a then/catch to or await. The build callback model is still available. 6d5a42d

    Removed

    Updated

    • Dependencies: 75e6878

      • chalk: 1.1.3 ▶︎ 3.0.0
      • gray-matter: 2.0.0 ▶︎ 4.0.3
      • stat-mode: 0.2.0 ▶︎ 1.0.0
      • rimraf: 2.2.8 ▶︎ 3.0.2
      • ware: 1.2.0 ▶︎ 1.3.0
      • commander (used in CLI): 2.15.1 ▶︎ 6.2.1
      • win-fork (used in CLI): replaced with cross-spawn:7.0.3

    • Updated CHANGELOG.md format to follow “Keep A Changelog” (#266) (@ Zearin)

    Fixed

    • #206 Metalsmith#ignore now only matches paths relative to Metalsmith#source (as it should). See linked issue for details 4eb1184
    • #226 Metalsmith will no longer 'swallow' errors on invalid front-matter, they will be passed to Metalsmith#build a6438d2
    • Fix test error on Windows #158 (@ moozzyk)
    • #281 Metalsmith now properly handles symbolic links (will throw an ENOENT error or they can be Metalsmith#ignore'd) 4eb1184
    • #178 Metalsmith#ignore now removes the matched files before they are statted for glob-based ignores (saving some perf & potential errors).
    • #295 Metalsmith now catches all FS errors and passes them to the build callback/ thenable appropriately.

    Security

    • Replace all occurences of new Buffer with Buffer.from

    npm audit vulnerability fixes

    • Development Dependencies:
      • coveralls: 2.11.6 ▶︎ 3.0.1 (#308) (@ Zearin)
        Fix 5 “Moderate” vulnerabilities
      • metalsmith-markdown: 0.2.1 ▶︎ 0.2.2 (#312) (@ Zearin)
        Fix 1 “Low” vulnerability
  • 2.3.0 - 2016-10-28
from metalsmith GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

@snyk-bot
fix: upgrade metalsmith from 2.3.0 to 2.6.3
a1ca47d 
Snyk has created this PR to upgrade metalsmith from 2.3.0 to 2.6.3.

See this package in npm:
metalsmith

See this project in Snyk:
https://app.snyk.io/org/stephndevo/project/ec226dd8-98fd-486b-a1a6-1c4ba3fb2aa8?utm_source=github&utm_medium=referral&page=upgrade-pr
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@InfiniteLove2020 @snyk-bot