fix(deps): update dependency hexo to v6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
hexo (source)	^5.4.0 -> ^6.0.0

GitHub Vulnerability Alerts

CVE-2021-25987

Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post “body” and “tags” don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.

---

Release Notes

hexojs/hexo (hexo)

v6.0.0

Compare Source

Breaking Changes

• Drop Node 10 @​stevenjoezhang [#​4779, #​4691]

Security

• Escape HTML by default in list_tag @​tomap [#​4743]

Please see more detail: Announcement: About CVE-2021-25987

New features

• feat: load hexo plugin in the theme's package.json @​stevenjoezhang [#​4771]
• feat(open_graph): different URLs for og:image and twitter:image @​KentarouTakeda [#​4748]

Performance

• perf(tag/helper): memoize @​SukkaW [#​4789]
• perf(external_link): optimize regex @​SukkaW [#​4790]
• refactor/perf: use nanocolors @​SukkaW [#​4788]
• Switch to picocolors @​tomap [#​4825]
• perf: avoid using delete operator @​SukkaW [#​4711]
• perf: overall improvements @​SukkaW [#​4783]
• refactor/perf(post): use state machine to escape swig tag @​SukkaW [#​4780]
• refactor: refactor pagination - paginatorHelper - pagenasionPartShow @​CroMarmot [#​4662]

Fixes

• fix(post): escape swig full tag with args @​stevenjoezhang [#​4824]
• fix(processor): remove race condition failsafe @​SukkaW [#​4791]
• fix(#​4780): curly brackets @​SukkaW [#​4784]
• fix(#​4780): empty tag name correction @​SukkaW [#​4786]
• Generate draft assets in draft mode @​darekkay [#​4563]

Refactor

• refactor: native Array.flat() @​curbengh [#​4806]

Docs

• doc: add homebrew install @​chenrui333 [#​4724]
• doc(extend/console): add jsdoc @​SukkaW [#​4500]

Dependencies

• Cleanup dependabot @​tomap [#​4820]
• chore: bump actions/stale from 3 to 4 @​dependabot [#​4828]
• chore: bump sinon from 11.1.2 to 12.0.1 @​dependabot [#​4810]
• chore: bump eslint from 7.32.0 to 8.0.0 @​dependabot [#​4799]
• chore: bump hexo-log from 2.0.0 to 3.0.0 @​dependabot [#​4794]
• chore: bump husky from 4.3.8 to 7.0.2 @​dependabot [#​4763]
• chore: bump sinon from 10.0.1 to 11.1.2 @​dependabot [#​4747]
• chore: bump mocha from 8.4.0 to 9.1.1 @​dependabot [#​4765]
• chore: bump lint-staged from 10.5.4 to 11.0.0 @​dependabot [#​4697]
• Upgrade to GitHub-native Dependabot @​dependabot-preview [#​4689]
• chore(deps-dev): bump sinon from 9.2.4 to 10.0.0 @​dependabot-preview [#​4670]
• chore(deps-dev): bump hexo-renderer-marked from 3.3.0 to 4.0.0 @​dependabot-preview [#​4649]

New Contributors

• @​CroMarmot made their first contribution in https://github.com/hexojs/hexo/pull/4662
• @​darekkay made their first contribution in https://github.com/hexojs/hexo/pull/4563
• @​dependabot made their first contribution in https://github.com/hexojs/hexo/pull/4697
• @​chenrui333 made their first contribution in https://github.com/hexojs/hexo/pull/4724

Full Changelog: hexojs/hexo@5.4.0...6.0.0

v5.4.2

Compare Source

Fixes

• fix(#​4917): downgrade js-yaml from v4.x to v3.14.x by @​yoshinorin in https://github.com/hexojs/hexo/pull/4932

Full Changelog: hexojs/hexo@5.4.1...5.4.2

v5.4.1

Compare Source

Fixes

• Fix js-yaml tags for v4.0.0+ (#​4869) by @​marcofranssen in https://github.com/hexojs/hexo/pull/4876

Full Changelog: hexojs/hexo@5.4.0...5.4.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.