[Snyk] Upgrade metalsmith from 2.3.0 to 2.5.0 #146

Open
wants to merge 1 commit into
base: master

YoYBaBy
Owner

@YoYBaBy YoYBaBy commented Aug 31, 2022

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade metalsmith from 2.3.0 to 2.5.0.

merge advice
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 5 versions ahead of your current version.
  • The recommended version was released 3 months ago, on 2022-06-10.

The recommended version fixes:

| Severity | Issue | PriorityScore (*) | Exploit Maturity |
| --- | --- | --- | --- |
| | Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908 | 696/1000. Why? Proof of Concept exploit, Has a fix available, CVSS 7.5 | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: metalsmith
  • 2.5.0 - 2022-06-10

    Important note to metalsmith-watch users:
    Although 2.5.0 is a semver-minor release, it breaks compatibility with metalsmith-watch, which relies on the Metalsmith < 2.4.x private method signature using the outdated unyield package. See issue #374 for more details.

    Added

    • #354 Added Metalsmith#env method. Supports passing DEBUG and DEBUG_LOG amongst others. Sets CLI: true when run from the metalsmith CLI. b42df8c, 446c676, 33d936b, 4c483a3
    • #356 Added Metalsmith#debug method for creating plugin debuggers
    • #362 Upgraded all generator-based methods (Metalsmith#read, Metalsmith#readFile, Metalsmith#write, Metalsmith#writeFile, Metalsmith#run and Metalsmith#process) to dual callback-/promise-based methods 16a91c5, faf6ab6, 6cb6229
    • Added org migration notification to postinstall script to encourage users to upgrade 3a11a24

    Removed

    • #231 Dropped support for Node < 12 0a53007
    • Dependencies:
      • thunkify: replaced with promise-based implementation faf6ab6
      • unyield replaced with promise-based implementation faf6ab6
      • co-fs-extra: replaced with native Node.js methods faf6ab6
      • chalk: not necessary for the few colors used by Metalsmith CLI 1dae1cb
      • clone: see #247 a871af6

    Updated

    • Restructured and updated README.md 0da0c4d
    • #247 Calling Metalsmith#metadata no longer clones the object passed to it, overwriting the previous metadata, but merges it into existing metadata.

    Fixed

    • #355 Proper path resolution for edge-cases using CLI, running metalsmith from outside or subfolder of metalsmith.directory() 5d75539
  • 2.4.3 - 2022-05-16

    Updated

    • Dependencies: 774a164
      • micromatch: 4.0.4 ▶︎ 4.0.5
    • Updated README.md

    Fixed

  • 2.4.2 - 2022-02-13

    Updated

    • Dependencies: af9dec0
      • chalk: 3.0.0 ▶︎ 4.1.2
    • Updated README.md

    Fixed

    • Fixed Metalsmith JSDoc type hints in VS code ebf82f4
  • 2.4.1 - 2022-01-31

    Fixed

    Bugfix: include index.js in package.json files

    Unfortunately release 2.4.0 missed the index.js file and was only usable by doing require('metalsmith/lib'). For this reason the release notes from 2.4.0 are re-included below:

    Added

    • #338 Added Metalsmith#match method. Plugins no longer need to require a matching library 705c4bb, f01c724
    • #358 Added TS-style JSdocs 828b17e
    • Use native fs.rm instead of rimraf when available (Node 14.4+) fcbb76e, 66e4376
    • #226 Allow passing a gray-matter options object to Metalsmith#frontmatter a6438d2
    • Modernized dev setup ef7b781
    • Added 8 new tests (match method, front-matter options, path & symbolic link handling)
    • Files object file paths are now guaranteed to be sorted alphabetically. 4eb1184
    • #211 Metalsmith#build now returns a promise which you can attach a then/catch to or await. The build callback model is still available. 6d5a42d

    Removed

    Updated

    • Dependencies: 75e6878

      • chalk: 1.1.3 ▶︎ 3.0.0
      • gray-matter: 2.0.0 ▶︎ 4.0.3
      • stat-mode: 0.2.0 ▶︎ 1.0.0
      • rimraf: 2.2.8 ▶︎ 3.0.2
      • ware: 1.2.0 ▶︎ 1.3.0
      • commander (used in CLI): 2.15.1 ▶︎ 6.2.1
      • win-fork (used in CLI): replaced with cross-spawn:7.0.3
    • Updated CHANGELOG.md format to follow “Keep A Changelog” (#266) (@ Zearin)

    Fixed

    • #206 Metalsmith#ignore now only matches paths relative to Metalsmith#source (as it should). See linked issue for details 4eb1184
    • #226 Metalsmith will no longer 'swallow' errors on invalid front-matter, they will be passed to Metalsmith#build a6438d2
    • Fix test error on Windows #158 (@ moozzyk)
    • #281 Metalsmith now properly handles symbolic links (will throw an ENOENT error or they can be Metalsmith#ignore'd) 4eb1184
    • #178 Metalsmith#ignore now removes the matched files before they are statted for glob-based ignores (saving some perf & potential errors).
    • #295 Metalsmith now catches all FS errors and passes them to the build callback/ thenable appropriately.

    Security

    • Replace all occurrences of new Buffer with Buffer.from

    npm audit vulnerability fixes

    • Development Dependencies:
      • coveralls: 2.11.6 ▶︎ 3.0.1 (#308) (@ Zearin)
        Fix 5 “Moderate” vulnerabilities
      • metalsmith-markdown: 0.2.1 ▶︎ 0.2.2 (#312) (@ Zearin)
        Fix 1 “Low” vulnerability
  • 2.4.0 - 2022-01-31

    Unfortunately this release missed the index.js file and is only usable by doing require('metalsmith/lib'). This has quickly been fixed in 2.4.1 and the release notes ported to it

    Added

    • #338 Added Metalsmith#match method. Plugins no longer need to require a matching library 705c4bb, f01c724
    • #358 Added TS-style JSdocs 828b17e
    • Use native fs.rm instead of rimraf when available (Node 14.4+) fcbb76e, 66e4376
    • #226 Allow passing a gray-matter options object to Metalsmith#frontmatter a6438d2
    • Modernized dev setup ef7b781
    • Added 8 new tests (match method, front-matter options, path & symbolic link handling)
    • Files object file paths are now guaranteed to be sorted alphabetically. 4eb1184
    • #211 Metalsmith#build now returns a promise which you can attach a then/catch to or await. The build callback model is still available. 6d5a42d

    Removed

    Updated

    • Dependencies: 75e6878

      • chalk: 1.1.3 ▶︎ 3.0.0
      • gray-matter: 2.0.0 ▶︎ 4.0.3
      • stat-mode: 0.2.0 ▶︎ 1.0.0
      • rimraf: 2.2.8 ▶︎ 3.0.2
      • ware: 1.2.0 ▶︎ 1.3.0
      • commander (used in CLI): 2.15.1 ▶︎ 6.2.1
      • win-fork (used in CLI): replaced with cross-spawn:7.0.3
    • Updated CHANGELOG.md format to follow “Keep A Changelog” (#266) (@ Zearin)

    Fixed

    • #206 Metalsmith#ignore now only matches paths relative to Metalsmith#source (as it should). See linked issue for details 4eb1184
    • #226 Metalsmith will no longer 'swallow' errors on invalid front-matter, they will be passed to Metalsmith#build a6438d2
    • Fix test error on Windows #158 (@ moozzyk)
    • #281 Metalsmith now properly handles symbolic links (will throw an ENOENT error or they can be Metalsmith#ignore'd) 4eb1184
    • #178 Metalsmith#ignore now removes the matched files before they are statted for glob-based ignores (saving some perf & potential errors).
    • #295 Metalsmith now catches all FS errors and passes them to the build callback/ thenable appropriately.

    Security

    • Replace all occurrences of new Buffer with Buffer.from

    npm audit vulnerability fixes

    • Development Dependencies:
      • coveralls: 2.11.6 ▶︎ 3.0.1 (#308) (@ Zearin)
        Fix 5 “Moderate” vulnerabilities
      • metalsmith-markdown: 0.2.1 ▶︎ 0.2.2 (#312) (@ Zearin)
        Fix 1 “Low” vulnerability
  • 2.3.0 - 2016-10-28
from metalsmith GitHub release notes

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Successfully merging this pull request may close these issues.

Travis PR integration broken