Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade metalsmith from 2.3.0 to 2.6.3 #1

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

Douhgn
Copy link
Owner

@Douhgn Douhgn commented Jul 12, 2024

This PR was automatically created by Snyk using the credentials of a real user.


![snyk-top-banner](https://github.com/andygongea/OWASP-Benchmark/assets/818805/c518c423-16fe-447e-b67f-ad5a49b5d123)

Snyk has created this PR to upgrade metalsmith from 2.3.0 to 2.6.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 10 versions ahead of your current version.

  • The recommended version was released on 4 months ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ASYNC-7414156
416 No Known Exploit
Release notes
Package name: metalsmith
  • 2.6.3 - 2024-03-05

    Removed

    • Drops support for Node < 14.18.0 (4 minor, deprecated versions) to be able to use 'node:' protocol imports" b170cf0

    Updated

    • Updated README.md code samples, links, and troubleshooting section
    • Dependencies: 774a164
      • chokidar: 3.5.3 ▶︎ 3.6.0

    Fixed

    • Fixes ms.watch(false) unreliable behavior when the build errors. 0d8d791
  • 2.6.2 - 2023-11-15
    • TS fixes: add generic to Metalsmith.File, bring back Metalsmith.DoneCallback, add Metalsmith.Plugin promise signature 3ae6275
    • #394 Avoid leaking unhandled rejections in build/watch promises. cac48fc, 5b48dce
    • Fix a typo in CLI help message 642a176
  • 2.6.1 - 2023-07-11
    • 34239d9 Documents metalsmith.watch() getter signature in TS
    • a719025 Normalizes ms.watch().paths to an array, allows access to a subset of chokidar options as advertised
    • 5a516b2 Sets chokidar watchOption awaitWriteFinish to false, and batch timer to 0 to speed up watching
    • 23b0944 Fixes #389: ensure not missing watcher ready event to successfully launch build
    • 05265ce Fixes formatting issue in types JSdoc comments
  • 2.6.0 - 2023-05-29

    Added

    • [#356] Added Typescript support 58d22a3
    • Added --debug and --dry-run options to metalsmith (build) command 2d84fbe
    • Added --env option to metalsmith (build) command 9661ddc
    • Added Metalsmith CLI support for loading a .(c)js config. Reads from metalsmith.js as second default after metalsmith.json 45a4afe
    • Added support for running (C/M)JS config files from CLI 424e6ec
    • Dependencies:

    Removed

    • #231 Dropped support for Node < 14.14.0 80d8508
    • Dependencies:
      • rimraf: replaced with native Node.js methods ae05945
      • cross-spawn: baee1de

    Updated

    • Modernized Metalsmith CLI, prepared transition to imports instead of require 24fcffb 4929bc2
    • Dependencies:

    Fixed

    • Fixes a duplicate empty input check in metalsmith.match 60e173a
    • Gray-matter excerpts are removed from contents instead of being duplicated to the excerpt property 2bfe800
    • Gray-matter excerpts are trimmed acb363e

    Full Changelog: v2.5.1...v2.6.0

  • 2.5.1 - 2022-10-07
    • Dependencies: 774a164
      • debug: 4.3.3 ▶︎ 4.3.4
    • Clarified semver policy in README.md
    • Added SECURITY.md

    Fixed

    • Fixes #373: do not crash when postinstall script fails in specific environments
  • 2.5.0 - 2022-06-10

    Important note to metalsmith-watch users:
    Although 2.5.0 is a semver-minor release, it breaks compatibility with metalsmith-watch, which relies on the Metalsmith < 2.4.x private method signature using the outdated unyield package. See issue #374 for more details.

    Added

    • #354 Added Metalsmith#env method. Supports passing DEBUG and DEBUG_LOG amongst others. Sets CLI: true when run from the metalsmith CLI. b42df8c, 446c676, 33d936b, 4c483a3
    • #356 Added Metalsmith#debug method for creating plugin debuggers
    • #362 Upgraded all generator-based methods (Metalsmith#read,Metalsmith#readFile,Metalsmith#write,Metalsmith#writeFile, Metalsmith#run and Metalsmith#process) to dual callback-/ promise-based methods 16a91c5, faf6ab6, 6cb6229
    • Added org migration notification to postinstall script to encourage users to upgrade 3a11a24

    Removed

    • #231 Dropped support for Node < 12 0a53007
    • Dependencies:
      • thunkify: replaced with promise-based implementation faf6ab6
      • unyield replaced with promise-based implementation faf6ab6
      • co-fs-extra: replaced with native Node.js methods faf6ab6
      • chalk: not necessary for the few colors used by Metalsmith CLI 1dae1cb
      • clone: see #247 a871af6

    Updated

    • Restructured and updated README.md 0da0c4d
    • #247 Calling Metalsmith#metadata no longer clones the object passed to it, overwriting the previous metadata, but merges it into existing metadata.

    Fixed

    • #355 Proper path resolution for edge-cases using CLI, running metalsmith from outside or subfolder of metalsmith.directory()5d75539
  • 2.4.3 - 2022-05-16

    Updated

    • Dependencies: 774a164
      • micromatch: 4.0.4 ▶︎ 4.0.5
    • Updated README.md

    Fixed

  • 2.4.2 - 2022-02-13

    Updated

    • Dependencies: af9dec0
      • chalk: 3.0.0 ▶︎ 4.1.2
    • Updated README.md

    Fixed

    • Fixed Metalsmith JSDoc type hints in VS code ebf82f4
  • 2.4.1 - 2022-01-31

    Fixed

    Bugfix: include index.js in package.json files

    Unfortunately release 2.4.0 missed the index.js file and was only usable by doing require('metalsmith/lib'). For this reason the release notes from 2.4.0 are re-included below:

    Added

    • #338 Added Metalsmith#match method. Plugins no longer need to require a matching library 705c4bb, f01c724
    • #358 Added TS-style JSdocs 828b17e
    • Use native fs.rm instead of rimraf when available (Node 14.4+) fcbb76e, 66e4376
    • #226 Allow passing a gray-matter options object to Metalsmith#frontmatter a6438d2
    • Modernized dev setup ef7b781
    • Added 8 new tests (match method, front-matter options, path & symbolic link handling)
    • Files object file paths are now guaranteed to be sorted aphabetically. 4eb1184
    • #211 Metalsmith#build now returns a promise which you can attach a then/catch to or await. The build callback model is still available. 6d5a42d

    Removed

    Updated

    • Dependencies: 75e6878

      • chalk: 1.1.3 ▶︎ 3.0.0
      • gray-matter: 2.0.0 ▶︎ 4.0.3
      • stat-mode: 0.2.0 ▶︎ 1.0.0
      • rimraf: 2.2.8 ▶︎ 3.0.2
      • ware: 1.2.0 ▶︎ 1.3.0
      • commander (used in CLI): 2.15.1 ▶︎ 6.2.1
      • win-fork (used in CLI): replaced with cross-spawn:7.0.3
    • Updated CHANGELOG.md format to follow “Keep A Changelog” (#266) (@ Zearin)

    Fixed

    • #206 Metalsmith#ignore now only matches paths relative to Metalsmith#source (as it should). See linked issue for details 4eb1184
    • #226 Metalsmith will no longer 'swallow' errors on invalid front-matter, they will be passed to Metalsmith#build a6438d2
    • Fix test error on Windows #158 (@ moozzyk)
    • #281 Metalsmith now properly handles symbolic links (will throw an ENOENT error or they can be Metalsmith#ignore'd) 4eb1184
    • #178 Metalsmith#ignore now removes the matched files before they are statted for glob-based ignores (saving some perf & potential errors).
    • #295 Metalsmith now catches all FS errors and passes them to the build callback/ thenable appropriately.

    Security

    • Replace all occurences of new Buffer with Buffer.from

    npm audit vulnerability fixes

    • Development Dependencies:
      • coveralls: 2.11.6 ▶︎ 3.0.1 (#308) (@ Zearin)
        Fix 5 “Moderate” vulnerabilities
      • metalsmith-markdown: 0.2.1 ▶︎ 0.2.2 (#312) (@ Zearin)
        Fix 1 “Low” vulnerability
  • 2.4.0 - 2022-01-31

    Unfortunately this release missed the index.js file and is only usable by doing require('metalsmith/lib'). This has quickly been fixed in 2.4.1 and the release notes ported to it

    Added

    • #338 Added Metalsmith#match method. Plugins no longer need to require a matching library 705c4bb, f01c724
    • #358 Added TS-style JSdocs 828b17e
    • Use native fs.rm instead of rimraf when available (Node 14.4+) fcbb76e, 66e4376
    • #226 Allow passing a gray-matter options object to Metalsmith#frontmatter a6438d2
    • Modernized dev setup ef7b781
    • Added 8 new tests (match method, front-matter options, path & symbolic link handling)
    • Files object file paths are now guaranteed to be sorted aphabetically. 4eb1184
    • #211 Metalsmith#build now returns a promise which you can attach a then/catch to or await. The build callback model is still available. 6d5a42d

    Removed

    Updated

    • Dependencies: 75e6878

      • chalk: 1.1.3 ▶︎ 3.0.0
      • gray-matter: 2.0.0 ▶︎ 4.0.3
      • stat-mode: 0.2.0 ▶︎ 1.0.0
      • rimraf: 2.2.8 ▶︎ 3.0.2
      • ware: 1.2.0 ▶︎ 1.3.0
      • commander (used in CLI): 2.15.1 ▶︎ 6.2.1
      • win-fork (used in CLI): replaced with cross-spawn:7.0.3
    • Updated CHANGELOG.md format to follow “Keep A Changelog” (#266) (@ Zearin)

    Fixed

    • #206 Metalsmith#ignore now only matches paths relative to Metalsmith#source (as it should). See linked issue for details 4eb1184
    • #226 Metalsmith will no longer 'swallow' errors on invalid front-matter, they will be passed to Metalsmith#build a6438d2
    • Fix test error on Windows #158 (@ moozzyk)
    • #281 Metalsmith now properly handles symbolic links (will throw an ENOENT error or they can be Metalsmith#ignore'd) 4eb1184
    • #178 Metalsmith#ignore now removes the matched files before they are statted for glob-based ignores (saving some perf & potential errors).
    • #295 Metalsmith now catches all FS errors and passes them to the build callback/ thenable appropriately.

    Security

    • Replace all occurences of new Buffer with Buffer.from

    npm audit vulnerability fixes

    • Development Dependencies:
      • coveralls: 2.11.6 ▶︎ 3.0.1 (#308) (@ Zearin)
        Fix 5 “Moderate” vulnerabilities
      • metalsmith-markdown: 0.2.1 ▶︎ 0.2.2 (#312) (@ Zearin)
        Fix 1 “Low” vulnerability
  • 2.3.0 - 2016-10-28
from metalsmith GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade metalsmith from 2.3.0 to 2.6.3.

See this package in npm:
metalsmith

See this project in Snyk:
https://app.snyk.io/org/douhgn/project/a878cf4b-19c0-439b-b021-a6de79453496?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
2 participants