Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[Snyk] Upgrade metalsmith from 2.3.0 to 2.6.0 #5

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Upgrade metalsmith from 2.3.0 to 2.6.0 #5

wants to merge 1 commit into from

Conversation

lidorg-dev
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade metalsmith from 2.3.0 to 2.6.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 7 versions ahead of your current version.
  • The recommended version was released a month ago, on 2023-05-29.

The recommended version fixes:

Severity Issue PriorityScore (*) Exploit Maturity
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908		 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: metalsmith
  • 2.6.0 - 2023-05-29

    Added

    • [#356] Added Typescript support 58d22a3
    • Added --debug and --dry-run options to metalsmith (build) command 2d84fbe
    • Added --env option to metalsmith (build) command 9661ddc
    • Added Metalsmith CLI support for loading a .(c)js config. Reads from metalsmith.js as second default after metalsmith.json 45a4afe
    • Added support for running (C/M)JS config files from CLI 424e6ec
    • Dependencies:

    Removed

    • #231 Dropped support for Node < 14.14.0 80d8508
    • Dependencies:
      • rimraf: replaced with native Node.js methods ae05945
      • cross-spawn: baee1de

    Updated

    • Modernized Metalsmith CLI, prepared transition to imports instead of require 24fcffb 4929bc2
    • Dependencies:

    Fixed

    • Fixes a duplicate empty input check in metalsmith.match 60e173a
    • Gray-matter excerpts are removed from contents instead of being duplicated to the excerpt property 2bfe800
    • Gray-matter excerpts are trimmed acb363e

    Full Changelog: v2.5.1...v2.6.0

  • 2.5.1 - 2022-10-07
    • Dependencies: 774a164
      • debug: 4.3.3 ▶︎ 4.3.4
    • Clarified semver policy in README.md
    • Added SECURITY.md

    Fixed

    • Fixes #373: do not crash when postinstall script fails in specific environments
  • 2.5.0 - 2022-06-10

    Important note to metalsmith-watch users:
    Although 2.5.0 is a semver-minor release, it breaks compatibility with metalsmith-watch, which relies on the Metalsmith < 2.4.x private method signature using the outdated unyield package. See issue #374 for more details.

    Added

    • #354 Added Metalsmith#env method. Supports passing DEBUG and DEBUG_LOG amongst others. Sets CLI: true when run from the metalsmith CLI. b42df8c, 446c676, 33d936b, 4c483a3
    • #356 Added Metalsmith#debug method for creating plugin debuggers
    • #362 Upgraded all generator-based methods (Metalsmith#read,Metalsmith#readFile,Metalsmith#write,Metalsmith#writeFile, Metalsmith#run and Metalsmith#process) to dual callback-/ promise-based methods 16a91c5, faf6ab6, 6cb6229
    • Added org migration notification to postinstall script to encourage users to upgrade 3a11a24

    Removed

    • #231 Dropped support for Node < 12 0a53007
    • Dependencies:
      • thunkify: replaced with promise-based implementation faf6ab6
      • unyield replaced with promise-based implementation faf6ab6
      • co-fs-extra: replaced with native Node.js methods faf6ab6
      • chalk: not necessary for the few colors used by Metalsmith CLI 1dae1cb
      • clone: see #247 a871af6

    Updated

    • Restructured and updated README.md 0da0c4d
    • #247 Calling Metalsmith#metadata no longer clones the object passed to it, overwriting the previous metadata, but merges it into existing metadata.

    Fixed

    • #355 Proper path resolution for edge-cases using CLI, running metalsmith from outside or subfolder of metalsmith.directory()5d75539
  • 2.4.3 - 2022-05-16

    Updated

    • Dependencies: 774a164
      • micromatch: 4.0.4 ▶︎ 4.0.5
    • Updated README.md

    Fixed

  • 2.4.2 - 2022-02-13

    Updated

    • Dependencies: af9dec0
      • chalk: 3.0.0 ▶︎ 4.1.2
    • Updated README.md

    Fixed

    • Fixed Metalsmith JSDoc type hints in VS code ebf82f4
  • 2.4.1 - 2022-01-31

    Fixed

    Bugfix: include index.js in package.json files

    Unfortunately release 2.4.0 missed the index.js file and was only usable by doing require('metalsmith/lib'). For this reason the release notes from 2.4.0 are re-included below:

    Added

    • #338 Added Metalsmith#match method. Plugins no longer need to require a matching library 705c4bb, f01c724
    • #358 Added TS-style JSdocs 828b17e
    • Use native fs.rm instead of rimraf when available (Node 14.4+) fcbb76e, 66e4376
    • #226 Allow passing a gray-matter options object to Metalsmith#frontmatter a6438d2
    • Modernized dev setup ef7b781
    • Added 8 new tests (match method, front-matter options, path & symbolic link handling)
    • Files object file paths are now guaranteed to be sorted aphabetically. 4eb1184
    • #211 Metalsmith#build now returns a promise which you can attach a then/catch to or await. The build callback model is still available. 6d5a42d

    Removed

    Updated

    • Dependencies: 75e6878

      • chalk: 1.1.3 ▶︎ 3.0.0
      • gray-matter: 2.0.0 ▶︎ 4.0.3
      • stat-mode: 0.2.0 ▶︎ 1.0.0
      • rimraf: 2.2.8 ▶︎ 3.0.2
      • ware: 1.2.0 ▶︎ 1.3.0
      • commander (used in CLI): 2.15.1 ▶︎ 6.2.1
      • win-fork (used in CLI): replaced with cross-spawn:7.0.3

    • Updated CHANGELOG.md format to follow “Keep A Changelog” (#266) (@ Zearin)

    Fixed

    • #206 Metalsmith#ignore now only matches paths relative to Metalsmith#source (as it should). See linked issue for details 4eb1184
    • #226 Metalsmith will no longer 'swallow' errors on invalid front-matter, they will be passed to Metalsmith#build a6438d2
    • Fix test error on Windows #158 (@ moozzyk)
    • #281 Metalsmith now properly handles symbolic links (will throw an ENOENT error or they can be Metalsmith#ignore'd) 4eb1184
    • #178 Metalsmith#ignore now removes the matched files before they are statted for glob-based ignores (saving some perf & potential errors).
    • #295 Metalsmith now catches all FS errors and passes them to the build callback/ thenable appropriately.

    Security

    • Replace all occurences of new Buffer with Buffer.from

    npm audit vulnerability fixes

    • Development Dependencies:
      • coveralls: 2.11.6 ▶︎ 3.0.1 (#308) (@ Zearin)
        Fix 5 “Moderate” vulnerabilities
      • metalsmith-markdown: 0.2.1 ▶︎ 0.2.2 (#312) (@ Zearin)
        Fix 1 “Low” vulnerability
  • 2.4.0 - 2022-01-31
    Read more
  • 2.3.0 - 2016-10-28

    Added

    • Add packaging metadata to build the metalsmith snap (#249)

    Updated

    • Update dependencies (#246)

    Removed

    • Remove unused dependencies

    Fixed

    • Fix error when reading a symbolic link to a dir (#229)

    Security

    • Upgrade dependency to include security fix (#258)
from metalsmith GitHub release notes
Commit messages
Package name: metalsmith
  • ba18d85 Release 2.6.0
  • d5ce2c8 Prepare changelog for 2.6.0
  • baee1de Removes stray cross-spawn dependency & use --no-package-lock for CI
  • 17e421b test: migrate from nyc to c8 for coverage reports
  • 2ef473b types: fix source code link line numbers
  • e12537f feat/add v0.12.8 announcement post nodejs/nodejs.org#379 - use lodash.clonedeepwith instead, document watch type, fix issues in CLI
  • 9d40674 Resolves add v0.12.8 announcement post nodejs/nodejs.org#379: add metalsmith.watch option setter and watcher
  • 48a0167 fix: package.json node version, type docs, readme formatting
  • 3a93270 test: fix FS race condition in #build should return a promise only when callback omitted
  • dbfe32a docs: Updates readme examples to ESM & Gitter link to Matrix Element
  • 4469020 CLI: Fix ESM dynamic import issue with absolute paths on Windows
  • 58217a5 Adds CLI support & tests for loading ESM configs or Metalsmith instances
  • c272b8b ci: remove Node 12, add Node 20
  • 0810728 Updates commander from 8.3.0 -> 10.0.1
  • ae05945 Removes rimraf dependency, refactors helpers using fs/promises and upgrades @ types/node
  • 80d8508 Drops support for Node < 14
  • 3754a6a chore: Remove stray console.error log in bin
  • acb363e Trims whitespace from parsed front-matter excerpt and adds test for dynamic front-matter lang
  • 2bfe800 Fix: don't keep gray-matter excerpt at the start of file contents
  • 7ec31d0 Adds a matter member object to metalsmith instance with stringify & parse methods
  • 424e6ec Support 'module.exports = Metalsmith()'-style configs in CLI
  • 82969ef dev: update devDependencies & fix security warnings
  • 58db90c ci: remove obsolete Gitter notification flow
  • 58d22a3 Resolves Be consistent with quotes in examples. nodejs/nodejs.org#356: adds Typescript support to Metalsmith package

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

jit-ci[bot]
jit-ci bot reviewed Jul 13, 2023
View reviewed changes
Copy link

@jit-ci jit-ci bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❌ Jit has detected 1 important finding in this PR that you should review.
The finding is detailed below as a comment.
It’s highly recommended that you fix this security issue before merge.

package.json
@@ -45,7 +45,7 @@
"junk": "^3.1.0",
"lodash.defaultsdeep": "^4.6.1",
"marked": "^0.8.0",
"metalsmith": "^2.3.0",
"metalsmith": "^2.6.0",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Software Component Analysis Js

Type: Glob-Parent Before 5.1.2 Vulnerable To Regular Expression Denial Of Service In Enclosure Regex

Description: metalsmith>chokidar>glob-parent

Is fix available? Yes

Severity: HIGH

Learn more about this issue

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_undo_ignore Undo ignore command

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@jit-ci jit-ci[bot] jit-ci[bot] left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lidorg-dev @snyk-bot