
[Security] Bump reveal.js from 3.7.0 to 3.9.2 #172

Open

dependabot-preview[bot] wants to merge 1 commit into master
Conversation

dependabot-preview[bot]

Bumps reveal.js from 3.7.0 to 3.9.2. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Cross-site Scripting in reveal.js: Insufficient validation in cross-origin communication (postMessage) in reveal.js version 3.9.1 and earlier allows attackers to perform cross-site scripting attacks.

Affected versions: <= 3.9.1

Release notes

Sourced from reveal.js's releases.

3.9.2

Fixes a security vulnerability in the postMessage API. The following methods are now blacklisted and cannot be called via the postMessage API: registerPlugin, registerKeyboardShortcut, addKeyBinding, addEventListener.

3.9.1

This version contains no changes. It was only released to bump the published version on npm.

3.9.0 was published to npm with local edits 🤦‍♂️

3.9.0

Changes:

  • Adds step-by-step code highlights! Step through multiple line highlights on the same code block.
  • Adds postMessage callbacks. Makes it possible to use the postMessage API to invoke reveal.js methods with return values.
  • The pacing timer functionality now accepts a total time for the whole presentation. Timing was previously worked out on a per-slide level. (#2400 by longtime reveal.js contributor @fghaas!)
  • Background iframes no longer preload by default. They load when you arrive at the given slide. This unifies the behavior of in-slide and background iframes. Learn how to turn on preloading.
  • The slide number format specified through slideNumber is now honored in PDF exports. (#2337 by @dougalsutherland) (4c557a5959b3ad909056df6cb46c5bf56a0da8ee)
  • Adds data-fragment=<index> to any slide with fragments in it. This lets you target specific fragment states with CSS like section[data-fragment="2"] { ... }.
  • Adds Reveal.getHorizontalSlides() and Reveal.getVerticalSlides() for getting all horizontal/vertical slides in a deck.
  • Adds Reveal.hasHorizontalSlides() and Reveal.hasVerticalSlides() for checking whether or not a deck contains any horizontal or vertical slides.
  • Adds mobileViewDistance configuration option. Mobile view distance was previously hardcoded at 2. (#2513 by @TuurDutoit)
  • Adds allow="autoplay" to iframes to comply with Chrome's Autoplay Policy Changes (#2437 by @TehDmitry)
  • Switches to CSS transforms to scale decks up on HDPI displays. Previous use of CSS zoom produced sharper results but led to side effects such as iframes not scaling with the deck content.
  • Switches first/last slide keyboard shortcuts from ⌘←/⌘→ to Shift←/Shift→. The old shortcut conflicted with browser back/forward.
  • Updates highlight.js from 9.11.0 to 9.18.0

Bug fixes:

  • Fixes an issue where the navigation down-arrow was blocked by the progress bar (#2410 by @NoriSte).
  • Fixes swipe navigation for decks with navigationMode set to linear (#2416 by @earboxer).
  • Fixes vertical overflow in iPadOS Safari.
  • Fixes inconsistent fragment slide animations by translating by a fixed unit.
  • Fixes failing npm install because of outdated dependencies.
  • Fixes exception when highlighting empty code blocks.

And more...

3.8.0

Changes:

  • The cursor is now automatically hidden after five seconds of inactivity. The timeout can be adjusted with hideCursorTime: <milliseconds>, or you can disable the feature entirely with hideInactiveCursor: false.
  • Presentations can be zoomed on touch devices using the standard pinch-to-zoom gestures.
  • New navigationMode: <default/linear/grid> config option. Set to "grid" to navigate across adjacent vertical stacks. Learn more in the docs. (#2307)
  • New hash: <boolean> config option. When set to true, reveal.js will reflect the current slide in the address bar without pushing each slide change to the browser history. (#2286 by @asottile)
  • New preloadIframes config option for flagging if iframes should be preloaded or not. Can be set per-frame using the data-preload attribute. More info. (#2354 by @maxrothman)
  • A resize event is now dispatched anytime the presentation scale changes. (#2300 by @mw75)
  • The "Resume" button in the pause overlay is hidden if controls are set to false. (#2215 by @anderslemke)
  • New keyboard shortcut: CMD/CTRL + left or right arrow to go to first or last slide.
  • Adds Reveal.getRevealElement() for retrieving the presentation's root element (<div class="reveal">).
  • Removes Head JS as it is no longer required to load dependencies.
  • Removes classList polyfill since browser support caught up.
  • Removes the reset styles from reveal.css to make styles easier to override. Reset styles are now included as a separate reset.css file. (6abc6e00581e66690416978de118145e854c3c1e #1952 & #2248)
  • The zoom transition now zooms between all slides, previously it zoomed between horizontal slides and used a slide transition between vertical.

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Bumps [reveal.js](https://github.com/hakimel/reveal.js) from 3.7.0 to 3.9.2. **This update includes a security fix.**
- [Release notes](https://github.com/hakimel/reveal.js/releases)
- [Commits](hakimel/reveal.js@3.7.0...3.9.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
dependabot-preview[bot] added the labels "dependencies" (Pull requests that update a dependency file) and "security" (Pull requests that address a security vulnerability) on May 10, 2021.
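The 3.9.2 release note above says the fix blocks four methods from being invoked through the postMessage API. The dispatcher below is an added example, not reveal.js code, showing the shape of such a method-by-name dispatcher with the page's denylist plus an origin check and a same-object-only lookup; `fakeApi` and the trusted-origin set are constructed stand-ins for the real `Reveal` object and a real deployment's origins.

```javascript
// Added example (not reveal.js code): a postMessage dispatcher that invokes
// API methods by name, hardened along the lines of the 3.9.2 release note.

// Methods the 3.9.2 release note says can no longer be called via postMessage.
const BLOCKED_METHODS = new Set([
  'registerPlugin',
  'registerKeyboardShortcut',
  'addKeyBinding',
  'addEventListener',
]);

// Constructed stand-in for the real Reveal API object (hypothetical values).
const fakeApi = {
  next: () => 'advanced',
  getIndices: () => ({ h: 0, v: 0 }),
  registerPlugin: () => 'plugin registered (must be unreachable via postMessage)',
  addEventListener: () => 'listener added (must be unreachable via postMessage)',
};

// Handle one postMessage payload of the form {"method": "...", "args": [...]}.
// Returns {ok, result} or {ok: false, reason} instead of throwing, so the
// caller (or a test) can see exactly why a message was refused.
function dispatchMessage(rawData, origin, api, trustedOrigins) {
  // 1. Only accept messages from origins the embedding page trusts.
  if (!trustedOrigins.has(origin)) return { ok: false, reason: 'untrusted origin' };

  // 2. Parse defensively; a malformed payload is refused, not an exception.
  let data;
  try { data = JSON.parse(rawData); } catch (e) { return { ok: false, reason: 'not JSON' }; }
  if (!data || typeof data.method !== 'string') return { ok: false, reason: 'no method' };

  // 3. Refuse the methods the release note blocks (they register code/handlers).
  if (BLOCKED_METHODS.has(data.method)) return { ok: false, reason: 'blocked method' };

  // 4. Only dispatch to the API object's own functions, never inherited ones
  //    such as "constructor", which a name-based lookup would otherwise reach.
  if (!Object.prototype.hasOwnProperty.call(api, data.method) ||
      typeof api[data.method] !== 'function') {
    return { ok: false, reason: 'unknown method' };
  }

  const args = Array.isArray(data.args) ? data.args : [];
  return { ok: true, result: api[data.method](...args) };
}

// Browser wiring would be (assumed, not run here):
// window.addEventListener('message', e =>
//   dispatchMessage(e.data, e.origin, Reveal, new Set(['https://slides.example'])));
```

A denylist matches what the release note describes; an allowlist of the handful of navigation methods a host page actually needs is the stricter design and only requires swapping step 3 for a membership check on that list.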