[Snyk] Security upgrade hexo from 3.3.9 to 7.2.0

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • site/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-HEXO-5889980	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: hexo

The new version differs by 250 commits.

• 90b107c release: 7.2.0 (#5453)
• 4fec0e0 test: add test case for issue #4334 (#5465)
• 43fcce3 ci: suppress comment err and reduce benchmark running (#5454)
• b5b63ca fix(tag/include_code): prevent path traversal (#5251)
• cefee92 chore(deps): bump hexo-fs from ^4.1.1 to ^4.1.3 (#5463)
• b6ebbca fix(categories,tags): revert behavior of locals.tags and locals.categories (#5388)
• 80dafe2 refactor: backslashes on Windows (#5457)
• 94f6ad3 fix(tag): use url_for (#5385)
• d7ad401 feat(highlight): add an option to switch stripIndent (#5427)
• a3b9638 refactor: migrate typescript (#5430)
• 3c7729d refactor: migrate typescript (#5417)
• 7ef26ad fix(tag/post_link): support url with subdir (#5419)
• 6cf6993 test: fix typos (#5426)
• 6bf9e6c chore: make callback on exit optional (#5421)
• bc53720 docs(README): Update Sponsors images (#5410)
• 1b569a8 chore(deps-dev): Limited `@ types/node` version (#5411)
• ee4bc8e refactor: refactor types (#5398)
• bb489cb release: 7.1.1 (#5405)
• b6de85a fix(escapeTags): escape tag which includes line break (#5402)
• e67c1f1 chore: use `prepublishOnly` instead of `prepublish` and run `npm install` in `prepublishOnly` script (#5399)
• 282e49a release: 7.1.0 (#5397)
• c1c5aaa fix(escapeAllSwigTags): check tag completeness (#5395)
• 86350d9 refactor: refactor types (#5344)
• 6a91fb6 fix: permalink should be overwritten when post_asset_folder is true (#5254)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal

[secure-code-warrior-for-github]

Micro-Learning Topic: Directory traversal (Detected by phrase)

Matched on "Directory Traversal"

What is this? (2min video)

Path traversal vulnerabilities occur when inputs that have not been sufficiently validated or sanitised are used to build directory or file paths. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorised access to files or even execute arbitrary code on the server (when coupled with file upload functionality).

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications, including defence against path traversal.
• OWASP Path Traversal - OWASP community page with comprehensive information about path traversal, and links to various OWASP resources to help detect or prevent it.

Micro-Learning Topic: Path traversal (Detected by phrase)

Matched on "path traversal"

What is this? (2min video)

Path traversal vulnerabilities occur when inputs that have not been sufficiently validated or sanitised are used to build directory or file paths. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorised access to files or even execute arbitrary code on the server (when coupled with file upload functionality).

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications, including defence against path traversal.
• OWASP Path Traversal - OWASP community page with comprehensive information about path traversal, and links to various OWASP resources to help detect or prevent it.

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.