Update dependency hexo to v7.2.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
hexo (source)	7.1.1 → 7.2.0

---

Hexo include_code has a path traversal

CVE-2023-39584 / GHSA-x2jc-989c-47q4

More information

Details

Hexo up to v7.1.1 was discovered to contain an arbitrary file read vulnerability.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-39584
• https://github.com/hexojs/hexo/issues/5250
• https://github.com/hexojs/hexo/blob/a3e68e7576d279db22bd7481914286104e867834/lib/plugins/tag/include_code.js#L49
• https://github.com/hexojs/hexo/pull/5251
• https://github.com/hexojs/hexo/commit/b5b63caee27256d71a0cee8954c22375ec885d07
• https://github.com/hexojs/hexo/blob/cefee921153ba597316457f4fedf7b87b6516917/lib/plugins/tag/include_code.ts#L50
• https://github.com/advisories/GHSA-x2jc-989c-47q4

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

hexojs/hexo (hexo)

v7.2.0

Compare Source

New Features

• feat(highlight): add an option to switch stripIndent by @​uiolee in #​5427

Improved type definitions

• refactor: refactor types by @​D-Sketon in #​5398
• chore: make callback on exit optional by @​dimaslanjaka in #​5421
• refactor: migrate typescript by @​D-Sketon in #​5417
• refactor: migrate typescript by @​D-Sketon in #​5430

Fixes

• Fix typos by @​mobeicanyue in #​5426
• fix: post_link behaviour when using subdir by @​leafbird in #​5419
• fix(tag): use url_for by @​stevenjoezhang in #​5385
• fix(tag/include_code): prevent path traversal by @​stevenjoezhang in #​5251
• revert(categories,tags): revert behavior of locals.tags and locals.categories by @​uiolee in #​5388

Refactor

• refactor: backslashes on Windows by @​stevenjoezhang in #​5457

Test

• test: add test case for issue #​4334 by @​D-Sketon in #​5465

CI/CD

• ci: suppress comment err and reduce benchmark running by @​uiolee in #​5454

Docs

• docs(README): Update Sponsors images by @​uiolee in #​5410

Dependencies

• chore(deps): bump hexo-fs from ^4.1.1 to ^4.1.3 by @​D-Sketon in #​5463
• chore(deps-dev): Limited @types/node version by @​uiolee in #​5411

New Contributors

• @​mobeicanyue made their first contribution in #​5426
• @​leafbird made their first contribution in #​5419

Full Changelog: hexojs/hexo@v7.1.1...v7.2.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coveralls]

Pull Request Test Coverage Report for Build 23759934991

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 70.588%

---

Totals
Change from base Build 8677745279:	0.0%
Covered Lines:	14
Relevant Lines:	18

---

💛 - Coveralls