[Snyk] Upgrade metalsmith from 2.3.0 to 2.6.0

[YoYBaBy]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade metalsmith from 2.3.0 to 2.6.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 7 versions ahead of your current version.
• The recommended version was released a month ago, on 2023-05-29.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: metalsmith

• 2.6.0 - 2023-05-29
  No content.
• 2.5.1 - 2022-10-07
  
  • Dependencies: 774a164
    • debug: 4.3.3 ▶︎ 4.3.4
  • Clarified semver policy in README.md
  • Added SECURITY.md

  Fixed

  • Fixes #373: do not crash when postinstall script fails in specific environments
• 2.5.0 - 2022-06-10
  

  Important note to metalsmith-watch users:
  Although 2.5.0 is a semver-minor release, it breaks compatibility with metalsmith-watch, which relies on the Metalsmith < 2.4.x private method signature using the outdated unyield package. See issue #374 for more details.

  Added

  • #354 Added Metalsmith#env method. Supports passing DEBUG and DEBUG_LOG amongst others. Sets CLI: true when run from the metalsmith CLI. b42df8c, 446c676, 33d936b, 4c483a3
  • #356 Added Metalsmith#debug method for creating plugin debuggers
  • #362 Upgraded all generator-based methods (Metalsmith#read,Metalsmith#readFile,Metalsmith#write,Metalsmith#writeFile, Metalsmith#run and Metalsmith#process) to dual callback-/ promise-based methods 16a91c5, faf6ab6, 6cb6229
  • Added org migration notification to postinstall script to encourage users to upgrade 3a11a24

  Removed

  • #231 Dropped support for Node < 12 0a53007
  • Dependencies:
    • thunkify: replaced with promise-based implementation faf6ab6
    • unyield replaced with promise-based implementation faf6ab6
    • co-fs-extra: replaced with native Node.js methods faf6ab6
    • chalk: not necessary for the few colors used by Metalsmith CLI 1dae1cb
    • clone: see #247 a871af6

  Updated

  • Restructured and updated README.md 0da0c4d
  • #247 Calling Metalsmith#metadata no longer clones the object passed to it, overwriting the previous metadata, but merges it into existing metadata.

  Fixed

  • #355 Proper path resolution for edge-cases using CLI, running metalsmith from outside or subfolder of metalsmith.directory()5d75539
• 2.4.3 - 2022-05-16
  

  Updated

  • Dependencies: 774a164
    • micromatch: 4.0.4 ▶︎ 4.0.5
  • Updated README.md

  Fixed

  • Fixes repeat metalsmith.match file cache in repeat runs without re-read, see metalsmith/layouts#183 a727309
• 2.4.2 - 2022-02-13
  

  Updated

  • Dependencies: af9dec0
    • chalk: 3.0.0 ▶︎ 4.1.2
  • Updated README.md

  Fixed

  • Fixed Metalsmith JSDoc type hints in VS code ebf82f4
• 2.4.1 - 2022-01-31
  

  Fixed

  Bugfix: include index.js in package.json files

  Unfortunately release 2.4.0 missed the index.js file and was only usable by doing require('metalsmith/lib'). For this reason the release notes from 2.4.0 are re-included below:

  Added

  • #338 Added Metalsmith#match method. Plugins no longer need to require a matching library 705c4bb, f01c724
  • #358 Added TS-style JSdocs 828b17e
  • Use native fs.rm instead of rimraf when available (Node 14.4+) fcbb76e, 66e4376
  • #226 Allow passing a gray-matter options object to Metalsmith#frontmatter a6438d2
  • Modernized dev setup ef7b781
  • Added 8 new tests (match method, front-matter options, path & symbolic link handling)
  • Files object file paths are now guaranteed to be sorted aphabetically. 4eb1184
  • #211 Metalsmith#build now returns a promise which you can attach a then/catch to or await. The build callback model is still available. 6d5a42d

  Removed

  • #231 Dropped support for Node < 8 2db47f5, 75e6878
  • Dependencies:
    • has-generators: obsolete in supported Node versions 2db47f5
    • absolute replaced with native Node path.isAbsolute c05f9e2 (@ Zearin)
    • is replaced with own implementation 7eaac9e2, 54dba0c1 (@ Zearin)
    • recursive-readdir: replaced with own implementation 4eb1184

  Updated

  • Dependencies: 75e6878

    • chalk: 1.1.3 ▶︎ 3.0.0
    • gray-matter: 2.0.0 ▶︎ 4.0.3
    • stat-mode: 0.2.0 ▶︎ 1.0.0
    • rimraf: 2.2.8 ▶︎ 3.0.2
    • ware: 1.2.0 ▶︎ 1.3.0
    • commander (used in CLI): 2.15.1 ▶︎ 6.2.1
    • win-fork (used in CLI): replaced with cross-spawn:7.0.3

  • Updated CHANGELOG.md format to follow “Keep A Changelog” (#266) (@ Zearin)

  Fixed

  • #206 Metalsmith#ignore now only matches paths relative to Metalsmith#source (as it should). See linked issue for details 4eb1184
  • #226 Metalsmith will no longer 'swallow' errors on invalid front-matter, they will be passed to Metalsmith#build a6438d2
  • Fix test error on Windows #158 (@ moozzyk)
  • #281 Metalsmith now properly handles symbolic links (will throw an ENOENT error or they can be Metalsmith#ignore'd) 4eb1184
  • #178 Metalsmith#ignore now removes the matched files before they are statted for glob-based ignores (saving some perf & potential errors).
  • #295 Metalsmith now catches all FS errors and passes them to the build callback/ thenable appropriately.

  Security

  • Replace all occurences of new Buffer with Buffer.from

  npm audit vulnerability fixes

  • Development Dependencies:
    • coveralls: 2.11.6 ▶︎ 3.0.1 (#308) (@ Zearin)
      Fix 5 “Moderate” vulnerabilities
    • metalsmith-markdown: 0.2.1 ▶︎ 0.2.2 (#312) (@ Zearin)
      Fix 1 “Low” vulnerability
• 2.4.0 - 2022-01-31
  Read more
• 2.3.0 - 2016-10-28
  

  Added

  • Add packaging metadata to build the metalsmith snap (#249)

  Updated

  • Update dependencies (#246)

  Removed

  • Remove unused dependencies

  Fixed

  • Fix error when reading a symbolic link to a dir (#229)

  Security

  • Upgrade dependency to include security fix (#258)

from metalsmith GitHub release notes

Commit messages

Package name: metalsmith

• ba18d85 Release 2.6.0
• d5ce2c8 Prepare changelog for 2.6.0
• baee1de Removes stray cross-spawn dependency & use --no-package-lock for CI
• 17e421b test: migrate from nyc to c8 for coverage reports
• 2ef473b types: fix source code link line numbers
• e12537f feat/add v0.12.8 announcement post nodejs/nodejs.org#379 - use lodash.clonedeepwith instead, document watch type, fix issues in CLI
• 9d40674 Resolves add v0.12.8 announcement post nodejs/nodejs.org#379: add metalsmith.watch option setter and watcher
• 48a0167 fix: package.json node version, type docs, readme formatting
• 3a93270 test: fix FS race condition in #build should return a promise only when callback omitted
• dbfe32a docs: Updates readme examples to ESM & Gitter link to Matrix Element
• 4469020 CLI: Fix ESM dynamic import issue with absolute paths on Windows
• 58217a5 Adds CLI support & tests for loading ESM configs or Metalsmith instances
• c272b8b ci: remove Node 12, add Node 20
• 0810728 Updates commander from 8.3.0 -> 10.0.1
• ae05945 Removes rimraf dependency, refactors helpers using fs/promises and upgrades @ types/node
• 80d8508 Drops support for Node < 14
• 3754a6a chore: Remove stray console.error log in bin
• acb363e Trims whitespace from parsed front-matter excerpt and adds test for dynamic front-matter lang
• 2bfe800 Fix: don't keep gray-matter excerpt at the start of file contents
• 7ec31d0 Adds a matter member object to metalsmith instance with stringify & parse methods
• 424e6ec Support 'module.exports = Metalsmith()'-style configs in CLI
• 82969ef dev: update devDependencies & fix security warnings
• 58db90c ci: remove obsolete Gitter notification flow
• 58d22a3 Resolves Be consistent with quotes in examples. nodejs/nodejs.org#356: adds Typescript support to Metalsmith package

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs