Update dependency gh-pages to v5 [SECURITY]

[renovate]

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Confidence
gh-pages	^1.0.0 -> ^5.0.0

GitHub Vulnerability Alerts

CVE-2022-37611

Prototype pollution vulnerability in tschaub gh-pages via the partial variable in util.js.

---

Release Notes

tschaub/gh-pages (gh-pages)

v5.0.0

Compare Source

Potentially breaking change: the publish method now always returns a promise. Previously, it did not return a promise in some error cases. This should not impact most users.

Updates to the development dependencies required a minimum Node version of 14 for the tests. The library should still work on Node 12, but tests are no longer run in CI for version 12. A future major version of the library may drop support for version 12 altogether.

• #​438 - Remove quotation marks (@​Vicropht)
• #​459 - Bump async from 2.6.4 to 3.2.4 (@​tschaub)
• #​454 - Bump email-addresses from 3.0.1 to 5.0.0 (@​tschaub)
• #​455 - Bump actions/setup-node from 1 to 3 (@​tschaub)
• #​453 - Bump actions/checkout from 2 to 3 (@​tschaub)
• #​445 - Update README to clarify project site configuration requirements with tools like CRA, webpack, Vite, etc. (@​Nezteb)
• #​452 - Assorted updates (@​tschaub)

v4.0.0

Compare Source

This release doesn't include any breaking changes, but due to updated development dependencies, tests are no longer run on Node 10.

• #​432 - Updated dev dependencies and formatting (@​tschaub)
• #​430 - Bump ansi-regex from 3.0.0 to 3.0.1 (@​tschaub)
• #​431 - Bump path-parse from 1.0.6 to 1.0.7 (@​tschaub)
• #​427 - Bump async from 2.6.1 to 2.6.4 (@​tschaub)
• #​423 - Bump minimist from 1.2.5 to 1.2.6 (@​tschaub)

v3.2.3

Compare Source

• #​398 - Update glob-parent (@​tschaub)
• #​395 - Switch from filenamify-url to filenamify (@​tw0517tw)

v3.2.2

Compare Source

• #​396 - Revert "security(deps): bump filenamify-url to 2.1.1" (@​tschaub)

v3.2.1

Compare Source

• #​393 - security(deps): bump filenamify-url to 2.1.1 (@​AviVahl)

v3.2.0

Compare Source

This release updates a few development dependencies and adds a bit of documentation.

• #​391 - Update dev dependencies (@​tschaub)
• #​375 - Add note about domain problem (@​demee)
• #​390 - Fix little typo in the README (@​cizordj)
• #​388 - Bump hosted-git-info from 2.8.8 to 2.8.9 (@​tschaub)
• #​387 - Bump y18n from 4.0.0 to 4.0.3 (@​tschaub)
• #​378 - Add GitHub Actions tips to readme.md (@​mickelsonmichael)
• #​386 - Bump lodash from 4.17.14 to 4.17.21 (@​tschaub)

v3.1.0

Compare Source

The cache directory used by gh-pages is now node_modules/.cache/gh-pages. If you want to use a different location, set the CACHE_DIR environment variable.

• #​362 - Move the cache directory (@​tschaub)
• #​361 - Update dev dependencies (@​tschaub)

v3.0.0

Compare Source

Breaking changes:

None really. But tests are no longer run on Node < 10. Development dependencies were updated to address security warnings, and this meant tests could no longer be run on Node 6 or 8. If you still use these Node versions, you may still be able to use this library, but be warned that tests are no longer run on these versions.

All changes:

• #​357 - Dev dependency updates (@​tschaub)
• #​333 - Update readme with command line options (@​Victoire44)
• #​356 - Test as a GitHub action (@​tschaub)
• #​355 - feat(beforeAdd): allow custom script before git add (@​Xiphe)
• #​336 - Fix remove not working properly (@​sunghwan2789)
• #​328 - Update .travis.yml (@​XhmikosR)
• #​327 - Fix typo (@​d-tsuji)

v2.2.0

Compare Source

• #​318 - Allow an absolute path as dist directory (@​okuryu)
• #​319 - Added 'remove' documentation to the readme (@​Sag-Dev)
• #​323 - Update dependencies (@​tschaub)
• #​277 - Add --no-history flag not to preserve deploy history (@​dplusic)

v2.1.1

Compare Source

• #​312 - Add default for '--git' option (@​tschaub)

v2.1.0

Compare Source

• #​307 - Dev dependency updates (@​tschaub)
• #​303 - Support '--git' CLI option (@​JRJurman)

v2.0.1

Compare Source

• #​268 - Continue even if no git configured user.

v2.0.0

Compare Source

Breaking changes:

• Requires Node 6 and above. If you require support for Node 4, stick with v1.2.0.

• The git user for commits is determined by running git config user.name and git config user.email in the current working directory when gh-pages is run. Ideally, this is what you want. In v1, the git user was determined based on the gh-pages install directory. If the package was installed globally, the git user might not have been what you expected when running in a directory with a locally configured git user.

• #​264 - Better user handling (thanks @​holloway for getting this going and @​nuklearfiziks and @​paulirish for pushing it over the edge)

• #​263 - Infra: newer syntax and upgrade deps to latest stable versions (@​AviVahl)

v1.2.0

Compare Source

• #​252 - Update dependencies (@​tschaub)
• #​245 - Typos (@​thekevinscott)
• #​251 - Update async to the latest version 🚀 (@​tschaub)
• #​243 - docs(readme.md): add tips (@​polyglotm)
• #​241 - Update sinon to the latest version 🚀 (@​tschaub)
• #​240 - Update eslint-config-tschaub to the latest version 🚀 (@​tschaub)
• #​239 - Assorted updates (@​tschaub)
• #​238 - fix(package): update commander to version 2.15.1 (@​tschaub)
• #​237 - chore(package): update mocha to version 5.0.5 (@​tschaub)
• #​232 - Update sinon to the latest version 🚀 (@​tschaub)

v1.1.0

Compare Source

• #​218 - Update dependencies, test on Node 8 (@​tschaub)
• #​211 - Update async to the latest version 🚀 (@​tschaub)
• #​202 - chore(package): update sinon to version 3.2.1 (@​tschaub)
• #​201 - chore(package): update chai to version 4.1.1 (@​tschaub)
• #​196 - fix(package): update fs-extra to version 4.0.1 (@​tschaub)
• #​199 - Update tmp to the latest version 🚀 (@​tschaub)
• #​193 - Return the promise in the publish function (@​Ambyjkl)
• #​188 - chore(package): update sinon to version 2.3.3 (@​tschaub)
• #​185 - fix(package): update commander to version 2.11.0 (@​tschaub)
• #​186 - chore(package): update eslint to version 4.1.1 (@​tschaub)
• #​187 - fix(package): update async to version 2.5.0 (@​tschaub)
• #​175 - Removed unnecessary path require (@​antialias)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 740d9ed

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[gitstream-cm]

🚨 gitStream Monthly Automation Limit Reached 🚨

Your organization has exceeded the number of pull requests allowed for automation with gitStream.
Monthly PRs automated: 250/250

To continue automating your PR workflows and unlock additional features, please contact LinearB.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Join our Discord community for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	filename-reserved-regex@​2.0.0
	p-try@​2.2.0
	path-exists@​4.0.0
	p-locate@​4.1.0
	locate-path@​5.0.0
	make-dir@​3.1.0
	email-addresses@​5.0.0
	find-up@​4.1.0
	filenamify@​4.3.0
	graceful-fs@​4.1.11 ⏵ 4.2.11	+1		+1
	find-cache-dir@​3.3.2
	pkg-dir@​4.2.0
	p-limit@​2.3.0
	gh-pages@​1.0.0 ⏵ 5.0.0		+75
	async@​2.1.4 ⏵ 3.2.6	+1	+16	+15
	commander@​2.9.0 ⏵ 2.20.3			+1
	jsonfile@​3.0.1 ⏵ 4.0.0
	fs-extra@​3.0.1 ⏵ 8.1.0	+1

View full report

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed everything up to 740d9ed in 1 minute and 16 seconds. Click for details.

• Reviewed 13 lines of code in 1 files
• Skipped 1 files when reviewing.
• Skipped posting 1 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. package.json:8

• Draft comment:
  Confirm that updating gh-pages to ^5.0.0 is intentional. Note that v5 introduces a breaking change: its publish function now always returns a promise, so if you use it programmatically, ensure your async handling is updated. Also, verify that your deployment environment meets the Node version requirements (v12+).
• Reason this comment was not posted:
  Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 0% vs. threshold = 50% This is a dependency version change. Our rules explicitly state "Do NOT comment on dependency changes" and "Do NOT ask the PR author to confirm their intention". The comment starts with "Confirm that..." which is exactly what we're told to avoid. The breaking change mentioned only affects programmatic usage, but the package.json shows it's only used via CLI. Maybe the breaking changes in gh-pages v5 could cause deployment failures that would be hard to debug later? The rules are very clear about not commenting on dependency changes, regardless of potential impact. Plus, the breaking change mentioned doesn't affect CLI usage, which is how gh-pages is used here. Delete this comment as it violates multiple rules: it's about dependency changes and asks for confirmation of intent.

Workflow ID: wflow_KIoqfRntQ4Utrv2E

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}