
🚨 [security] Update metalsmith-prism 4.1.0 → 5.0.7 (major)#47

Open

depfu[bot] wants to merge 1 commit into main from depfu/update/npm/metalsmith-prism-5.0.7

Conversation

depfu bot commented Jan 25, 2026


Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!



🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ metalsmith-prism (4.1.0 → 5.0.7) · Repo · Changelog

Release Notes

5.0.7

Changes

  • fix: use custom release notes script for cleaner GitHub releases (d2e58bb)

5.0.5

🚀 Major Improvements

Core Changes

  • Replaced debug package with Metalsmith's native debug functionality - More efficient and better integrated
  • Updated all dependencies to latest versions - Enhanced security and performance
  • Enhanced test coverage to 94.41% - More comprehensive testing with actual Metalsmith instances

Developer Experience

  • Added secure release scripts with GitHub CLI integration - Improved security for releases
  • Created comprehensive examples in README - Better documentation for users
  • Added CLAUDE.md for AI development context - Enhanced developer experience
  • Fixed ESLint configuration to match modern standards - Better code quality

Configuration Improvements

  • All configuration files now conform to MCP server templates - Standardized project structure
  • Added .nvmrc for Node version management - Consistent development environment
  • Improved package.json structure - Better dependency management

Breaking Changes

None - this release maintains full backward compatibility while modernizing the codebase.

Full Changelog: v5.0.4...v5.0.5

5.0.4

  • fix: fixed readme badges ebc3a6e
  • Update coverage badge in README 061cd5a

5.0.2

  • feat: add esm and cjs plugin e5b470e
  • fix: improve environment variable loading for release process de43f1f
  • docs: add release process documentation 05ba803
  • style: consistent code style in tests and source 1efb710
  • fix: remove unused imports in test file c4fab21
  • fix: convert release script to ESM 23d9b55

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 65 commits:

↗️ cheerio (indirect, 1.0.0-rc.12 → 1.1.2) · Repo · Changelog

Release Notes

1.1.2

What's Changed

Full Changelog: v1.1.1...v1.1.2

1.1.1

Full Changelog: v1.1.0...v1.1.1

1.1.0

What's Changed

  • fix(attributes): support .prop on document nodes by @fb55 in #4320
  • fix(types): fix ExtractedValue type by @ben-tilden in #4334
  • Add a field browser to package.json root by @UNIDY2002 in #4033
  • Upgraded dependencies

Doc Improvements

New Contributors

Full Changelog: v1.0.0...v1.1.0

1.0.0

Cheerio 1.0 is here! 🎉

Announcement Blog Post

Breaking Changes

  • The minimum NodeJS version is now 18.17 or higher #3959

  • Import paths were simplified. For example, use cheerio/slim instead of cheerio/lib/slim. #3970

  • The deprecated default Cheerio instance and static methods were removed. #3974

    Before, it was possible to write code like this:

      import cheerio, { html } from 'cheerio';

      html(cheerio('<test></test>')); // ~ '<test></test>' -- NO LONGER WORKS

    Make sure to always load documents first:

      import * as cheerio from 'cheerio';

      cheerio.load('<test></test>').html();

  • Node types previously re-exported by Cheerio must now be imported directly from domhandler (https://github.com/fb55/domhandler). #3969

  • htmlparser2 options now reside exclusively under the xml key (#2916):

    const $ = cheerio.load('<html>', {
      xml: {
        withStartIndices: true,
      },
    });

New Features

  • Add functions to load buffers, streams & URLs in NodeJS by @fb55 in #2857
  • Add extract method by @fb55 in #2750

Fixes

Other

Full Changelog: v1.0.0-rc.12...v1.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

↗️ css-select (indirect, 5.1.0 → 5.2.2) · Repo

Release Notes

5.2.1

The previous release was missing the dist directory.

Releases 5.2.0 and 5.2.1 included breaking changes; 5.2.2 is a re-publish of 5.1.0.

Full Changelog: v5.2.0...v5.2.1

5.2.0

New Features

  • Cache results for subtrees; vastly speeds up :contains and :has #1025 – by @fb55
  • Add support for :read-only and :read-write pseudos #1497 – by @jed
  • Improved support for large documents #1132 – by @fb55

Fixes

  • Allow whitespace in :empty #795 – by @fb55
  • Filter queried elements inside template element #981 – by @andolf
  • Handle template tags in selectOne #1001 – by @fb55

New Contributors

Full Changelog: v5.1.0...v5.2.0

Does any of this look wrong? Please let us know.

Sorry, we couldn't find anything useful about this release.

↗️ css-what (indirect, 6.1.0 → 6.2.2)

Sorry, we couldn't find anything useful about this release.

↗️ domutils (indirect, 3.0.1 → 3.2.2) · Repo

Release Notes

3.2.2

Full Changelog: v3.2.1...v3.2.2

3.2.1

Full Changelog: v3.2.0...v3.2.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ entities (indirect, 4.4.0 → 4.5.0) · Repo

Release Notes

4.5.0

New Features

entities now features an EntityDecoder class that can be used to decode entities across multiple chunks. This is needed to parse streams, and will be the foundation for entity decoding in htmlparser2 and parse5.

For users of this library, the most welcome addition will be a new attribute decoding mode, which will ignore some entities that were previously parsed (e.g. `foo=bar&amp=boo` will be left unchanged).

entities' decode functions all use the new decoder under the hood. There is a new decodeHTMLAttribute function for attribute parsing, and some rare edge-cases where entities diverged from the HTML spec have been eliminated.

Relevant PRs

  • feat(decode): Add EntityDecoder class by @fb55 in #1136
  • fix(decode): Handle chunks for numeric entities by @fb55 in #1146

Small Changes

Full Changelog: v4.4.0...v4.5.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ htmlparser2 (indirect, 8.0.1 → 10.1.0) · Repo

Release Notes

10.1.0

What's Changed

  • entities was bumped from 6.0.1 to 7.0.1, bringing size & speed improvements #2215
  • Test files are no longer shipped in the published module 72da671

New Contributors

  • @KTibow made their first contribution, bumping us to eslint 9 in #2204

Full Changelog: v10.0.0...v10.1.0

10.0.0

9.1.0

Fixes

Features

9.0.0

Breaking Changes

  • The tokenizer now uses the EntityDecoder from the entities module #1480
    • Parsing of entities in attributes is now aligned with the HTML spec, and some inputs will produce different results. Eg. in <a href='&amp=boo'> the attribute value won't be modified any more.
    • The ontextentity tokenizer callback now has an endIndex argument; if you use the tokenizer directly, make sure indices are still the same.
  • Stacks inside the parser have been reversed. #1511

Features

  • Added a createDocumentStream function, analogous to createDomStream (which is now deprecated) #1510

Full Changelog: v8.0.2...v9.0.0

8.0.2

Bug Fixes

  • Reset tokenizer baseState after closing tag name by @KillyMXI in #1460

Other changes

  • Dependency version bumps
  • GitHub Workflows security hardening by @sashashura in #1365
  • refactor(lint): Add eslint-plugin-n and -unicorn by @fb55 in #1352
  • chore(test): Move from JSON tests to specs by @fb55 in #1354
  • docs(readme): Use GitHub Actions CI badge by @fb55 in #1374

New Contributors

Full Changelog: v8.0.1...v8.0.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ parse5 (indirect, 7.1.1 → 7.3.0) · Repo

Release Notes

7.3.0

What's Changed

New Contributors

Full Changelog: v7.2.1...v7.3.0

7.2.1

What's Changed

  • chore(deps-dev): bump typescript from 5.6.2 to 5.6.3 by @dependabot in #1292
  • chore(deps-dev): bump globals from 15.10.0 to 15.11.0 by @dependabot in #1293
  • chore(deps): bump coverallsapp/github-action from 2.3.0 to 2.3.1 by @dependabot in #1294
  • chore(deps-dev): bump typedoc from 0.26.8 to 0.26.9 by @dependabot in #1295
  • chore(deps): bump github/codeql-action from 3.26.11 to 3.26.13 by @dependabot in #1297
  • chore(deps-dev): bump typescript-eslint from 8.8.1 to 8.9.0 by @dependabot in #1298
  • chore(deps): bump coverallsapp/github-action from 2.3.1 to 2.3.2 by @dependabot in #1300
  • chore(deps-dev): bump typedoc from 0.26.9 to 0.26.10 by @dependabot in #1301
  • chore(deps): bump coverallsapp/github-action from 2.3.2 to 2.3.3 by @dependabot in #1302
  • chore(deps-dev): bump typescript-eslint from 8.9.0 to 8.10.0 by @dependabot in #1304
  • chore(deps-dev): bump eslint from 9.12.0 to 9.13.0 by @dependabot in #1305
  • chore(deps-dev): bump @eslint/js from 9.12.0 to 9.13.0 by @dependabot in #1306
  • chore(deps-dev): bump typescript-eslint from 8.10.0 to 8.11.0 by @dependabot in #1307
  • chore(deps): bump github/codeql-action from 3.26.13 to 3.27.0 by @dependabot in #1308
  • chore(deps): bump actions/checkout from 4.2.1 to 4.2.2 by @dependabot in #1309
  • chore(deps-dev): bump @types/jest from 29.5.13 to 29.5.14 by @dependabot in #1310
  • chore(deps): bump actions/setup-node from 4.0.4 to 4.1.0 by @dependabot in #1311
  • fix: export tree adapter types as namespace to support TS4.x by @43081j in #1313
  • chore: bump parse5 to 7.2.1 by @43081j in #1314

Full Changelog: v7.2.0...v7.2.1

7.1.2

This release includes parse5 and parse5-parser-stream.

Full Changelog: v7.1.0...v7.1.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ parse5-htmlparser2-tree-adapter (indirect, 7.0.0 → 7.1.0) · Repo

Release Notes

7.1.0

This release is only for the parse5 module.

What's Changed

New Contributors

Full Changelog: v7.0.0...v7.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ prismjs (indirect, 1.29.0 → 1.30.0) · Repo · Changelog

Security Advisories 🚨

🚨 PrismJS DOM Clobbering vulnerability

Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

Release Notes

1.30.0

What's Changed

New Contributors

Full Changelog: v1.29.0...v1.30.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

🆕 encoding-sniffer (added, 0.2.1)

🆕 parse5-parser-stream (added, 7.1.2)

🆕 undici (added, 7.19.1)

🆕 whatwg-encoding (added, 3.1.1)

🆕 whatwg-mimetype (added, 4.0.0)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands:

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu cancel merge: Cancels automatic merging of this PR
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)
