Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade metalsmith from 2.3.0 to 2.5.0 #146

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

YoYBaBy
Copy link
Owner

@YoYBaBy YoYBaBy commented Aug 31, 2022

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade metalsmith from 2.3.0 to 2.5.0.

merge advice
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 5 versions ahead of your current version.
  • The recommended version was released 3 months ago, on 2022-06-10.

The recommended version fixes:

Severity Issue PriorityScore (*) Exploit Maturity
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: metalsmith
  • 2.5.0 - 2022-06-10

    Important note to metalsmith-watch users:
    Although 2.5.0 is a semver-minor release, it breaks compatibility with metalsmith-watch, which relies on the Metalsmith < 2.4.x private method signature using the outdated unyield package. See issue #374 for more details.

    Added

    • #354 Added Metalsmith#env method. Supports passing DEBUG and DEBUG_LOG amongst others. Sets CLI: true when run from the metalsmith CLI. b42df8c, 446c676, 33d936b, 4c483a3
    • #356 Added Metalsmith#debug method for creating plugin debuggers
    • #362 Upgraded all generator-based methods (Metalsmith#read,Metalsmith#readFile,Metalsmith#write,Metalsmith#writeFile, Metalsmith#run and Metalsmith#process) to dual callback-/ promise-based methods 16a91c5, faf6ab6, 6cb6229
    • Added org migration notification to postinstall script to encourage users to upgrade 3a11a24

    Removed

    • #231 Dropped support for Node < 12 0a53007
    • Dependencies:
      • thunkify: replaced with promise-based implementation faf6ab6
      • unyield replaced with promise-based implementation faf6ab6
      • co-fs-extra: replaced with native Node.js methods faf6ab6
      • chalk: not necessary for the few colors used by Metalsmith CLI 1dae1cb
      • clone: see #247 a871af6

    Updated

    • Restructured and updated README.md 0da0c4d
    • #247 Calling Metalsmith#metadata no longer clones the object passed to it, overwriting the previous metadata, but merges it into existing metadata.

    Fixed

    • #355 Proper path resolution for edge-cases using CLI, running metalsmith from outside or subfolder of metalsmith.directory()5d75539
  • 2.4.3 - 2022-05-16

    Updated

    • Dependencies: 774a164
      • micromatch: 4.0.4 ▶︎ 4.0.5
    • Updated README.md

    Fixed

  • 2.4.2 - 2022-02-13

    Updated

    • Dependencies: af9dec0
      • chalk: 3.0.0 ▶︎ 4.1.2
    • Updated README.md

    Fixed

    • Fixed Metalsmith JSDoc type hints in VS code ebf82f4
  • 2.4.1 - 2022-01-31

    Fixed

    Bugfix: include index.js in package.json files

    Unfortunately release 2.4.0 missed the index.js file and was only usable by doing require('metalsmith/lib'). For this reason the release notes from 2.4.0 are re-included below:

    Added

    • #338 Added Metalsmith#match method. Plugins no longer need to require a matching library 705c4bb, f01c724
    • #358 Added TS-style JSdocs 828b17e
    • Use native fs.rm instead of rimraf when available (Node 14.4+) fcbb76e, 66e4376
    • #226 Allow passing a gray-matter options object to Metalsmith#frontmatter a6438d2
    • Modernized dev setup ef7b781
    • Added 8 new tests (match method, front-matter options, path & symbolic link handling)
    • Files object file paths are now guaranteed to be sorted aphabetically. 4eb1184
    • #211 Metalsmith#build now returns a promise which you can attach a then/catch to or await. The build callback model is still available. 6d5a42d

    Removed

    Updated

    • Dependencies: 75e6878

      • chalk: 1.1.3 ▶︎ 3.0.0
      • gray-matter: 2.0.0 ▶︎ 4.0.3
      • stat-mode: 0.2.0 ▶︎ 1.0.0
      • rimraf: 2.2.8 ▶︎ 3.0.2
      • ware: 1.2.0 ▶︎ 1.3.0
      • commander (used in CLI): 2.15.1 ▶︎ 6.2.1
      • win-fork (used in CLI): replaced with cross-spawn:7.0.3
    • Updated CHANGELOG.md format to follow “Keep A Changelog” (#266) (@ Zearin)

    Fixed

    • #206 Metalsmith#ignore now only matches paths relative to Metalsmith#source (as it should). See linked issue for details 4eb1184
    • #226 Metalsmith will no longer 'swallow' errors on invalid front-matter, they will be passed to Metalsmith#build a6438d2
    • Fix test error on Windows #158 (@ moozzyk)
    • #281 Metalsmith now properly handles symbolic links (will throw an ENOENT error or they can be Metalsmith#ignore'd) 4eb1184
    • #178 Metalsmith#ignore now removes the matched files before they are statted for glob-based ignores (saving some perf & potential errors).
    • #295 Metalsmith now catches all FS errors and passes them to the build callback/ thenable appropriately.

    Security

    • Replace all occurences of new Buffer with Buffer.from

    npm audit vulnerability fixes

    • Development Dependencies:
      • coveralls: 2.11.6 ▶︎ 3.0.1 (#308) (@ Zearin)
        Fix 5 “Moderate” vulnerabilities
      • metalsmith-markdown: 0.2.1 ▶︎ 0.2.2 (#312) (@ Zearin)
        Fix 1 “Low” vulnerability
  • 2.4.0 - 2022-01-31

    Unfortunately this release missed the index.js file and is only usable by doing require('metalsmith/lib'). This has quickly been fixed in 2.4.1 and the release notes ported to it

    Added

    • #338 Added Metalsmith#match method. Plugins no longer need to require a matching library 705c4bb, f01c724
    • #358 Added TS-style JSdocs 828b17e
    • Use native fs.rm instead of rimraf when available (Node 14.4+) fcbb76e, 66e4376
    • #226 Allow passing a gray-matter options object to Metalsmith#frontmatter a6438d2
    • Modernized dev setup ef7b781
    • Added 8 new tests (match method, front-matter options, path & symbolic link handling)
    • Files object file paths are now guaranteed to be sorted aphabetically. 4eb1184
    • #211 Metalsmith#build now returns a promise which you can attach a then/catch to or await. The build callback model is still available. 6d5a42d

    Removed

    Updated

    • Dependencies: 75e6878

      • chalk: 1.1.3 ▶︎ 3.0.0
      • gray-matter: 2.0.0 ▶︎ 4.0.3
      • stat-mode: 0.2.0 ▶︎ 1.0.0
      • rimraf: 2.2.8 ▶︎ 3.0.2
      • ware: 1.2.0 ▶︎ 1.3.0
      • commander (used in CLI): 2.15.1 ▶︎ 6.2.1
      • win-fork (used in CLI): replaced with cross-spawn:7.0.3
    • Updated CHANGELOG.md format to follow “Keep A Changelog” (#266) (@ Zearin)

    Fixed

    • #206 Metalsmith#ignore now only matches paths relative to Metalsmith#source (as it should). See linked issue for details 4eb1184
    • #226 Metalsmith will no longer 'swallow' errors on invalid front-matter, they will be passed to Metalsmith#build a6438d2
    • Fix test error on Windows #158 (@ moozzyk)
    • #281 Metalsmith now properly handles symbolic links (will throw an ENOENT error or they can be Metalsmith#ignore'd) 4eb1184
    • #178 Metalsmith#ignore now removes the matched files before they are statted for glob-based ignores (saving some perf & potential errors).
    • #295 Metalsmith now catches all FS errors and passes them to the build callback/ thenable appropriately.

    Security

    • Replace all occurences of new Buffer with Buffer.from

    npm audit vulnerability fixes

    • Development Dependencies:
      • coveralls: 2.11.6 ▶︎ 3.0.1 (#308) (@ Zearin)
        Fix 5 “Moderate” vulnerabilities
      • metalsmith-markdown: 0.2.1 ▶︎ 0.2.2 (#312) (@ Zearin)
        Fix 1 “Low” vulnerability
  • 2.3.0 - 2016-10-28
    Read more
from metalsmith GitHub release notes
Commit messages
Package name: metalsmith

Compare


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Travis PR integration broken
2 participants