chore(deps): update dependency hexo to v7 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
hexo (source)	6.3.0 -> 7.2.0

GitHub Vulnerability Alerts

CVE-2023-39584

Hexo up to v7.1.1 was discovered to contain an arbitrary file read vulnerability.

---

Release Notes

hexojs/hexo (hexo)

v7.2.0

Compare Source

New Features

• feat(highlight): add an option to switch stripIndent by @​uiolee in #​5427

Improved type definitions

• refactor: refactor types by @​D-Sketon in #​5398
• chore: make callback on exit optional by @​dimaslanjaka in #​5421
• refactor: migrate typescript by @​D-Sketon in #​5417
• refactor: migrate typescript by @​D-Sketon in #​5430

Fixes

• Fix typos by @​mobeicanyue in #​5426
• fix: post_link behaviour when using subdir by @​leafbird in #​5419
• fix(tag): use url_for by @​stevenjoezhang in #​5385
• fix(tag/include_code): prevent path traversal by @​stevenjoezhang in #​5251
• revert(categories,tags): revert behavior of locals.tags and locals.categories by @​uiolee in #​5388

Refactor

• refactor: backslashes on Windows by @​stevenjoezhang in #​5457

Test

• test: add test case for issue #​4334 by @​D-Sketon in #​5465

CI/CD

• ci: suppress comment err and reduce benchmark running by @​uiolee in #​5454

Docs

• docs(README): Update Sponsors images by @​uiolee in #​5410

Dependencies

• chore(deps): bump hexo-fs from ^4.1.1 to ^4.1.3 by @​D-Sketon in #​5463
• chore(deps-dev): Limited @types/node version by @​uiolee in #​5411

New Contributors

• @​mobeicanyue made their first contribution in #​5426
• @​leafbird made their first contribution in #​5419

Full Changelog: hexojs/hexo@v7.1.1...v7.2.0

v7.1.1

Compare Source

Fixes

• fix(escapeTags): escape tag which includes line break by @​uiolee in #​5402

Misc

• chore: use prepublishOnly instead of prepublish and run npm install in prepublishOnly script by @​yoshinorin in #​5399

Full Changelog: hexojs/hexo@v7.1.0...v7.1.1

v7.1.0

Compare Source

Notable Changes

• chore(Hexo): add event emitter descriptor by @​dimaslanjaka in #​5302
• refactor: refactor types by @​D-Sketon in #​5344

New Features

• Added URL hash support for post_link tag by @​iliayatsenko in #​5356

Fixes

• fix(types): cast from number to string explicitly by @​yoshinorin in #​5342
• fix: permalink should be overwritten when post_asset_folder is true by @​D-Sketon in #​5254
• fix(escapeAllSwigTags): check tag completeness by @​uiolee in #​5395

CI/CD

• ci(commenter): use workflows_run event to comment flamegraph by @​uiolee in #​5384
• ci(benchmark): add PR permissions for comment by @​uiolee in #​5334

Dependencies

• chore: bump typescript from 4.9.5 to 5.3.2 by @​dependabot in #​5358
• chore(deps-dev): remove @​ts/eslint-plugin, parser by @​uiolee in #​5290
• chore: bump c8 from 8.0.1 to 9.0.0 by @​dependabot in #​5391
• chore(dev-deps): bump sinon from 15.2.0 to 17.0.1 by @​dependabot in #​5343
• chore(dev-deps): bump lint-staged from 14.0.1 to 15.2.0 by @​dependabot in #​5373

New Contributors

• @​iliayatsenko made their first contribution in #​5356

Full Changelog: hexojs/hexo@v7.0.0...v7.1.0

v7.0.0

Compare Source

Migration Guide

built-in tags

WARNING
Some of the built-in tags have been dropped (gist, youtube, jsfiddle, and vimeo). If you use those tags in your existing blog posts, you can install hexo-tag-embed to continue using them with Hexo v7.0.0.

Note
No need to install it if you are not using (or will not use) gist, youtube, jsfiddle, vimeo tags in your post or page.

$ npm i hexo-tag-embed

Syntax highlighting

WARNING
Syntax highlighting is refactored and controlled by the following settings. See Syntax Highlighting for more details.

syntax_highlighter: highlight.js # highlight.js | prismjs | <empty>

Breaking Changes

• chore: require node14+ by @​yoshinorin in #​5061
• Dropped tag features. Please see Migration Guid section.
  • refactor: drop gist tag by @​yoshinorin in #​5067
  • refactor: drop youtube tag by @​yoshinorin in #​5064
  • refactor: drop jsfiddle tag by @​yoshinorin in #​5066
  • refactor: drop vimeo tag by @​yoshinorin in #​5065
• Dropped features
  • refactor: drop external_link boolean type by @​yoshinorin in #​5063
  • refactor: drop use_date_for_updated option for updated_option by @​yoshinorin in #​5062
  • feat(post): remove front-matter property link (#​5253) by @​stevenjoezhang in #​5253
• revert: Access data files from source folder (#​1969) (#​5325) by @​stevenjoezhang in #​5325
• refactor highlight: add extend api for highlight by @​stevenjoezhang in #​5095

Notable Changes

• Migrate TypeSctipt
  • refactor: prepare for migration to typescript by @​stevenjoezhang in #​5094
  • refactor: migrate typescript by @​stevenjoezhang in #​5092
  • Refactor types by @​Pcrab in #​5178

New Features

• feat(tags/post_link): search for both slug and title by @​stevenjoezhang in #​5114
• feat(open_graph): drop google_plus by @​stevenjoezhang in #​5115
• feat(tags/img): support quotes in img title and alt by @​stevenjoezhang in #​5112
• feat(console-new): support default title from path by @​xu-song in #​4714
• feat: add an option to disable titlecase in post by @​renbaoshuo in #​5156
• feat: add exclude_languages feature to prismjs by @​D-Sketon in #​5182
• feat(tags/post_link): use slug when title is empty by @​stevenjoezhang in #​5220
• feat: add url_for and full_url_for tag plugins by @​D-Sketon in #​5198
• feat: allow top-level await in plugins or scripts by @​Pcrab in #​5228
• feat: define global variable hexo (#​5242) by @​dimaslanjaka in #​5242

Fixes

• fix(#​1099): hexo server error when changing the config by @​D-Sketon in #​5055
• fix: exclude_languages does not work in code blocks by @​stevenjoezhang in #​5088
• When promisifying, store does not preserve disableNunjucks property by @​tcr in #​2670
• fix(post): skip before_post_render and after_post_render on non-posts by @​stevenjoezhang in #​5118
• fix: Failed to create post with special character title by @​D-Sketon in #​5149
• fix(box): check for invalid file by @​stevenjoezhang in #​5173
• fix(backtick_code): handle empty code block by @​stevenjoezhang in #​5206
• fix(moize): helper function not working fine with relative_url by @​D-Sketon in #​5217
• fix(post): skip_render not working in post_asset_folder (#​5258) by @​D-Sketon in #​5258
• Revert "fix(backtick_code): handle empty code blocks (#​5206)" (#​5257) by @​stevenjoezhang in #​5257
• fix(post-asset): strip extensions better on permalink (#​5153) by @​KagamigawaMeguri in #​5153
  • Reverted in: Revert "fix(post-asset): strip extensions better on permalink (#​5153)" (#​5308) by @​stevenjoezhang in #​5308

Performance

• perf: reduce the number of traversals through posts by @​stevenjoezhang in #​5119
• perf(post): cache tags getter (#​5145) by @​SukkaW in #​5145

Refactor

• refactor: use the WHATWG URL API instead of url.resolve by @​yoshinorin in #​5136

CI/CD

• ci: reduce the running of ci (#​5282) by @​uiolee in #​5282
• ci: reduce the running of ci (#​5291) by @​uiolee in #​5291

Dependencies

• chore: bump sinon from 13.0.2 to 14.0.0 by @​dependabot in #​4965
• chore: bump lint-staged from 11.2.6 to 13.0.3 by @​dependabot in #​5008
• chore: bump husky from 7.0.4 to 8.0.1 by @​dependabot in #​4966
• chore: bump hexo-fs from 3.1.0 to 4.0.0 by @​dependabot in #​5077
• chore: bump hexo-renderer-marked from 5.0.0 to 6.0.0 by @​dependabot in #​5081
• chore: bump hexo-front-matter from 3.0.0 to 4.0.0 by @​dependabot in #​5087
• chore: bump abbrev from 1.1.1 to 2.0.0 by @​dependabot in #​5093
• chore: bump hexo-i18n from 1.0.0 to 2.0.0 by @​dependabot in #​5099
• chore: bump hexo-util from 2.7.0 to 3.0.1 by @​dependabot in #​5107
• chore: bump warehouse from 4.0.2 to 5.0.0 by @​dependabot in #​5101
• chore(deps): update hexo-log from 3.2.0 to 4.0.1 by @​yoshinorin in #​5096
• chore: bump sinon from 14.0.2 to 15.0.0 by @​dependabot in #​5121
• chore: change dependencies version by @​Pcrab in #​5202
• chore: bump c8 from 7.14.0 to 8.0.0 (#​5227) by @​dependabot in #​5227

Test

• test(benchmark): update hexo-many-posts repo by @​SukkaW in #​5128
• test(list_route): improve coverage by @​stevenjoezhang in #​5097
• test: improve coverage by @​D-Sketon in #​5221
• test: improve coverage by @​D-Sketon in #​5223

Misc

• fix typo (#​5245) by @​stevenjoezhang in #​5245
• chore(github): delete other issue template (#​5248) by @​yoshinorin in #​5248
• chore(lint-staged): remove git-exec-and-restage (#​5281) by @​uiolee in #​5281
• chore(github): use github issue form (#​5319) by @​uiolee in #​5319

New Contributors

• @​D-Sketon made their first contribution in #​5055
• @​xu-song made their first contribution in #​4714
• @​tcr made their first contribution in #​2670
• @​Pcrab made their first contribution in #​5178
• @​KagamigawaMeguri made their first contribution in #​5153
• @​dimaslanjaka made their first contribution in #​5242
• @​uiolee made their first contribution in #​5281

Full Changelog

---

Appendix: Changes between v7.0.0(RC2) and v7.0.0

Breaking Changes

• revert: Access data files from source folder (#​1969) (#​5325) by @​stevenjoezhang in #​5325
• feat(post): remove front-matter property link (#​5253) by @​stevenjoezhang in #​5253

New Feature

• feat: define global variable hexo (#​5242) by @​dimaslanjaka in #​5242

Performance

• perf(post): cache tags getter (#​5145) by @​SukkaW in #​5145

Fixes

• fix(post): skip_render not working in post_asset_folder (#​5258) by @​D-Sketon in #​5258
• Revert "fix(backtick_code): handle empty code blocks (#​5206)" (#​5257) by @​stevenjoezhang in #​5257
• fix(post-asset): strip extensions better on permalink (#​5153) by @​KagamigawaMeguri in #​5153
  • Reverted in: Revert "fix(post-asset): strip extensions better on permalink (#​5153)" (#​5308) by @​stevenjoezhang in #​5308

CI/CD

• ci: reduce the running of ci (#​5282) by @​uiolee in #​5282
• ci: reduce the running of ci (#​5291) by @​uiolee in #​5291

Dependencies

• chore: bump c8 from 7.14.0 to 8.0.0 (#​5227) by @​dependabot in #​5227

Misc

• fix typo (#​5245) by @​stevenjoezhang in #​5245
• chore(github): delete other issue template (#​5248) by @​yoshinorin in #​5248
• chore(lint-staged): remove git-exec-and-restage (#​5281) by @​uiolee in #​5281
• chore(github): use github issue form (#​5319) by @​uiolee in #​5319

Full Changelog

hexojs/hexo@v7.0.0-rc2...v7.0.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: packages/demo/package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code EUNSUPPORTEDPROTOCOL
npm error Unsupported URL Type "workspace:": workspace:^
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2025-12-03T19_09_17_177Z-debug-0.log

[netlify]

✅ Deploy Preview for nexmoe-demo canceled.

Name	Link
🔨 Latest commit	c48bf1c
🔍 Latest deploy log	https://app.netlify.com/projects/nexmoe-demo/deploys/69308aec1fe5e30008d65353

[cloudflare-workers-and-pages]

Deploying hexo-theme-nexmoe with    Cloudflare Pages

Latest commit:	c48bf1c
Status:	✅  Deploy successful!
Preview URL:	https://8cacc091.hexo-theme-nexmoe-9ad.pages.dev
Branch Preview URL:	https://renovate-npm-hexo-vulnerabil.hexo-theme-nexmoe-9ad.pages.dev

View logs