[Snyk] Fix for 10 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HIGHLIGHTJS-1048676	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-NUNJUCKS-1079083	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Cross-site Scripting (XSS) SNYK-JS-STRIPTAGS-1312310	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:moment:20161019	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: chalk

The new version differs by 53 commits.

• 3fca615 2.0.0
• f66271e Add tagged template literal (Typo fix hexojs/hexo#163)
• 23ef1c7 fix linter errors
• c015568 add rainbow example
• 09fb2d8 Re-implement `chalk.enabled` (rsync部署的小错误 hexojs/hexo#160)
• 608242a spoof supports-color
• 18f2e7c add host information output
• 523b998 Revert "TEMPORARY: emergency travis CI fix (see comments)"
• 54975fb TEMPORARY: emergency travis CI fix (see comments)
• 1d73b21 Improve readme
• 6f4d6b3 Bump dependencies
• 8702496 Remove `chalk.styles`
• 0412cdf Minor code improvements
• 249b9ac ES2015ify the codebase
• cb3f230 Add RGB (256/Truecolor) support (v1.1.1 hexo generate 错误 tagMap categoryMap 未定义 hexojs/hexo#140)
• dbae68d Update dependent package count in the readme (v1.1.2 windows7 deploy to GitHub pages hexojs/hexo#154)
• 9b60021 Drop support for Node.js 0.10 and 0.12
• 0d21449 check parent builder object for enabled status (-v1.1.1 hexo generate [--watch] 建议改善一下 hexojs/hexo#142)
• 5a69476 add XO badge
• 492f11f add example file
• 4ce73b6 make XO happy
• 7c02cf4 Add log statement to chalk examples (added cite plugin hexojs/hexo#129)
• 835ca3d You've just reached 10,000 dependent modules. (Render console hexojs/hexo#122)
• 74c087d minor doc improvements (Web UI hexojs/hexo#120)

See the full diff

Package name: hexo-cli

The new version differs by 208 commits.

• 737b96e Merge pull request Category 错误 hexojs/hexo#195 from curbengh/4.0.0
• d454da5 release: 4.0.0
• b8ecb86 chore: requires Node 10.13+
• 9dbfead chore(deps-dev): bump eslint from 7.4.0 to 7.5.0 (能否将hexo部署到百度BAE？ hexojs/hexo#221)
• 64a8ba6 merge(转制产生的网页中空格过长 hexojs/hexo#223): from curbengh/gh-action
• 32da61c docs: add git submodule instruction
• 2db127e ci: add GitHub Actions
• 639662e chore(deps): bump hexo-util from 2.0.0 to 2.1.0 (hexo new page hexojs/hexo#196)
• 49a7252 chore(deps): bump hexo-fs from 3.0.1 to 3.1.0 (fix include_code plugin hexojs/hexo#201)
• 9ae7f2c chore(deps-dev): bump eslint from 7.2.0 to 7.4.0 (文章详细页去除<a name="more"></a>（<!--more-->）空标签 hexojs/hexo#219)
• ceaf1fc chore(deps): bump acorn from 7.2.0 to 7.3.1 (use better escaping in console/new hexojs/hexo#210)
• c567236 chore(deps): [security] bump lodash from 4.17.14 to 4.17.19 (如何在一个域名下建立多个博客和其它网站 hexojs/hexo#220)
• 4c7babf chore(deps): bump hexo-log from 1.0.0 to 2.0.0 (Static, no-layout html files? hexojs/hexo#217)
• 02e8273 chore(deps-dev): bump hexo-renderer-marked from 2.0.0 to 3.0.0 (Added link tag hexojs/hexo#216)
• 2b07acb fix(permission): caused by 能不能加入可视化的MD编辑器？ hexojs/hexo#200 (修复紧跟backtick codeblock后的markdown标记失效的问题 hexojs/hexo#213)
• 7407649 chore(deps): bump chalk from 4.0.0 to 4.1.0 (用四个空格或者一个TAB引导的代码段排版不对 hexojs/hexo#208)
• 6506e26 chore(deps-dev): bump nyc from 15.0.1 to 15.1.0 (关于‘hexo new’ hexojs/hexo#205)
• ce3ed5f chore(deps-dev): bump eslint from 7.0.0 to 7.2.0 (Fix multi categories slug errors hexojs/hexo#207)
• b43f94a chore(deps): remove acorn (如何禁止非博客文件夹被编译 hexojs/hexo#211)
• af92881 fix(init): init error with a number target project name (能不能加入可视化的MD编辑器？ hexojs/hexo#200)
• a6d44ce chore(deps-dev): bump mocha from 7.2.0 to 8.0.1 (hexo server 出错。 hexojs/hexo#209)
• f518198 feat: detailed information for `hexo not found` (command not found: hexo hexojs/hexo#206)
• 1acb025 chore(deps-dev): bump mocha from 7.1.2 to 7.2.0 (fix generate --watch for win32 platform hexojs/hexo#203)
• 71debfb chore(deps): bump acorn from 7.1.1 to 7.2.0 (如何在页面中显示上一篇/下一篇文章的链接? hexojs/hexo#198)

See the full diff

Package name: hexo-fs

The new version differs by 68 commits.

• 780a5a9 Merge pull request 生成Tag错误问题 hexojs/hexo#46 from curbengh/2.0.0
• b108888 release: 2.0.0
• 3cde091 Refactor(test): tuple to map (0.4.5又出现了偶尔generate报错的问题 hexojs/hexo#45)
• 2d2efcd Merge pull request 生成url的空格问题 hexojs/hexo#44 from segayuu/Refactor-test-1
• 7d600ad Destructuring path module
• ba54c11 Refactor test
• bca03f3 Merge pull request windows 7下generate出错 hexojs/hexo#43 from segayuu/Refactor-useful-chai-as-promised
• 21da957 Fix test: Usefull chai-as-promised
• afc4e3e Install chai-as-promised
• 0154d8a Merge pull request 無法安裝 hexo-renderer-discount 插件 hexojs/hexo#41 from curbengh/badge
• 8fec0e0 Merge pull request 在Archives中点击文章标题，出现链接失效。。。 hexojs/hexo#42 from hexojs/dependabot/npm_and_yarn/escape-string-regexp-tw-2.0.0
• 9071966 Update escape-string-regexp requirement from ^1.0.5 to ^2.0.0
• 060fcba docs(readme): fix appveyor badge
• 726da41 docs(readme): add npm link and fix appveyor link
• 719038e Merge pull request scripts功能 hexojs/hexo#37 from hexojs/dependabot/npm_and_yarn/eslint-tw-6.0.1
• d2100fb Merge pull request tag bug hexojs/hexo#38 from curbengh/nyc
• 8c83d6e fix: hasOwnProperty syntax
• 35df948 chore: deprecate npmignore (在批量生成报错的时候不知道具体出问题的文件名 hexojs/hexo#40)
• 6e32aed chore: add node 12 to appveyor (rsync deploy的时候会有短暂的页面不存在错误 hexojs/hexo#39)
• 1716d2a test: replace istanbul with nyc
• 29643ad eslint fiixes
• 491ae31 Update eslint requirement from ^5.16.0 to ^6.0.1
• 571e1b9 fix chokidar update by removing support for nodejs 6 (bash: 未预期的符号 `newline' 附近有语法错误 hexojs/hexo#34)
• 20cb85a Revert "Update escape-string-regexp requirement from ^1.0.5 to ^2.0.0" ([Snyk] Security upgrade cheerio from 0.20.0 to 0.22.0 one3chens/hexo#33)

See the full diff

Package name: hexo-log

The new version differs by 56 commits.

• 117b51c chore(release): v3.0.0 (favicon.ico 怎么放？ hexojs/hexo#57)
• d4add03 refactor: use nanocolors instead of chalk (hexo运行出错 hexojs/hexo#56)
• 4159c65 chore(deps-dev): bump sinon from 10.0.1 to 11.1.2 (Source posts organization hexojs/hexo#52)
• 1c6ac34 chore(deps-dev): bump mocha from 8.4.0 to 9.1.0 (init 问题 hexojs/hexo#54)
• f77fb7d chore: fix npm script for send coverage report (generate error hexojs/hexo#55)
• 67db367 chore: drop Node.js 10.x & migrate from travis to GitHub Actions (Fix a potential bug hexojs/hexo#53)
• 8a1d6c2 Upgrade to GitHub-native Dependabot (windows 7下generate出错 hexojs/hexo#43)
• 2a1b408 chore(deps-dev): bump sinon from 9.2.4 to 10.0.1 (在Archives中点击文章标题，出现链接失效。。。 hexojs/hexo#42)
• f14a648 Merge pull request 在批量生成报错的时候不知道具体出问题的文件名 hexojs/hexo#40 from SukkaW/2.0.0
• 3b21308 release 2.0.0
• ed3477f chore(deps-dev): bump mocha from 7.2.0 to 8.0.1 (tag bug hexojs/hexo#38)
• f746a42 chore(deps-dev): bump sinon from 8.1.1 to 9.0.2 ([Snyk] Security upgrade cheerio from 0.20.0 to 0.22.0 one3chens/hexo#33)
• b7bc66b chore(deps-dev): bump eslint from 6.8.0 to 7.1.0 (scripts功能 hexojs/hexo#37)
• e46c0d7 chore(deps): bump chalk from 3.0.0 to 4.0.0 ([Snyk] Security upgrade cheerio from 0.20.0 to 0.22.0 one3chens/hexo#32)
• 17205df Merge pull request bash: 未预期的符号 `newline' 附近有语法错误 hexojs/hexo#34 from SukkaW/fancy-log
• f6ae56f chore: add release-drafter (无法生成主题 hexojs/hexo#35)
• 44b0d4a docs(README): typos fixed
• 01330c9 docs(README): update
• e1fd893 fix: silient mode should not output anything
• eae8f19 test: update example
• 72ab406 refactor: merge the log util
• a32a67e test: add stderr & stdout related test cases
• b4ce5e1 test: bring up examples
• 316aff3 fix: add missing space after TRACE

See the full diff

Package name: hexo-util

The new version differs by 250 commits.

• f90fd44 Merge pull request 怎样用 Image_tag 实现图文的混编 hexojs/hexo#197 from curbengh/2.0.0
• c5caf2c release: 2.0.0
• b990b8f refactor: drop Node.js 8 (安装discount时出错？ hexojs/hexo#191)
• 20a3c1b Merge pull request hexo new page hexojs/hexo#196 from curbengh/sublang-highlight
• 022266f docs(highlight): warn 'autoDetect' usage
• 1f3e562 docs(highlight): 'sublanguage highlight' requirement
• efe1fec fix: avoid overriding Transform.destroy() method (Category 错误 hexojs/hexo#195)
• 1b3aa01 chore(deps): bump highlight.js from 9.18.1 to 10.0.0 (Console alias hexojs/hexo#192)
• 31f74a5 ci(travis): drop Node 8 and add Node 14 (Fix the bug of css() hexojs/hexo#193)
• 5b14fd2 chore(deps-dev): bump rewire from 4.0.1 to 5.0.0 (使用“C++”作为category 或者tag出现问题 hexojs/hexo#187)
• 48788a7 docs: add isExternalLink JSDoc (```包围的代码里的<>会显示为&lt;&gt; hexojs/hexo#190)
• 595aaab Merge pull request Issue with deploy hexojs/hexo#182 from YoshinoriN/1.9.0
• 2496d1f Merge pull request 如何添加javascript? hexojs/hexo#183 from SukkaW/fix-is-external-filter
• 771f8ba fix(prism): add strip_indent support (Updated github.com to github.io hexojs/hexo#184)
• e81733c Merge pull request Watch Changes , Live Regenerate ? hexojs/hexo#185 from YoshinoriN/add-release-drafter
• 24c4f37 chore: add release release-drafter
• 544a6f6 Merge pull request 写文章时，代码块有特殊字符，渲染时会转义 hexojs/hexo#175 from curbengh/tocobj-child
• 38a0e5f fix(tocobj): parse permalink if no text
• 6f796aa fix(tocObj): return empty string
• 6b18598 fix(tocObj): skip permalink symbol
• 2a9a5ba perf(is_ecternal_link): absolute url detection
• 7e5633a fix(highlight): make highlight more robust (如何在模板中取到下(上)一篇文章的标题和链接 hexojs/hexo#171)
• 8615f15 refactor(toc_obj): simplify the code (tags和categories在被删除之后仍然存在。 hexojs/hexo#181)
• 12bdb3a fix(is_external_link): handle invalid url

See the full diff

Package name: nunjucks

The new version differs by 250 commits.

• fd50090 Release v3.2.3
• d34fdbf Temporarily comment out codecov action
• cefad41 Replace README.md travis badge with github actions
• 7601ff4 Fixup github actions workflow file
• de9dc67 Add GitHub Workflow for tests. fixes 无论skip_render如何设置都无法跳过source目录下的某个js文件目录，生成出错 hexojs/hexo#1333
• aa9e5b9 Fix prototype pollution security issue. fixes css / js helpers and handling relative paths hexojs/hexo#1331
• f51afa3 Move chokidar to peerDependencies and make it optional via peerDependenciesMeta (/source里的README.md文件在deploy后变成了README.html文件 hexojs/hexo#1329)
• f91f1c3 Fix `groupby` example formatting
• 7ef121c Add base and default args to int filter
• 0c02062 Use attribute getter for `sort` filter
• c7337e7 Release v3.2.2
• bea3a43 CHANGELOG: Fix issue link
• 8186d4f Don't append extra newline when using |indent filter
• 73a4eb3 Document `with context` behavior for `import` directive (fr)
• eea081c Document `with context` behavior for `import` directive
• bbcbaf3 Fix issue where sync render would not raise errors in included templates
• 63c4baf Remove development files from NPM package. Fixes mac 上 在chrome/firefox/safari 打开 localhost:4000/特别的慢，大家遇到过？ hexojs/hexo#984
• 85918ef Document `if` statement with multiple conditions (fr). refs 如果页面上有table的话，会在前面添加很多br hexojs/hexo#1284
• 7ddd747 Document `if` statement with multiple conditions
• 1e29863 Add support for nested attributes in `groupBy` filter. Fixes 如何调整Hexo语言为英文? hexojs/hexo#1198
• 7087fa9 Fix precompile bin TypeError: name.replace is not a function
• 1736334 Modify CHANGELOG message for select/reject filters
• 62565a1 Add `reject` filter
• 647fc11 Change version query

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn