Update dependency gh-pages to v5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
gh-pages	^3.2.0 → ^5.0.0

---

tschaub gh-pages vulnerable to prototype pollution

CVE-2022-37611 / GHSA-8mmm-9v2q-x3f9

More information

Details

Prototype pollution vulnerability in tschaub gh-pages via the partial variable in util.js.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-37611
• https://github.com/tschaub/gh-pages/issues/446
• https://github.com/tschaub/gh-pages/blob/e363b144defe8e555f5a54251a6f7f1297c0e3f6/lib/util.js#L11
• https://github.com/tschaub/gh-pages/blob/e363b144defe8e555f5a54251a6f7f1297c0e3f6/lib/util.js#L16
• https://github.com/tschaub/gh-pages/pull/452
• https://github.com/advisories/GHSA-8mmm-9v2q-x3f9

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

tschaub/gh-pages (gh-pages)

v5.0.0

Compare Source

Potentially breaking change: the publish method now always returns a promise. Previously, it did not return a promise in some error cases. This should not impact most users.

Updates to the development dependencies required a minimum Node version of 14 for the tests. The library should still work on Node 12, but tests are no longer run in CI for version 12. A future major version of the library may drop support for version 12 altogether.

• #​438 - Remove quotation marks (@​Vicropht)
• #​459 - Bump async from 2.6.4 to 3.2.4 (@​tschaub)
• #​454 - Bump email-addresses from 3.0.1 to 5.0.0 (@​tschaub)
• #​455 - Bump actions/setup-node from 1 to 3 (@​tschaub)
• #​453 - Bump actions/checkout from 2 to 3 (@​tschaub)
• #​445 - Update README to clarify project site configuration requirements with tools like CRA, webpack, Vite, etc. (@​Nezteb)
• #​452 - Assorted updates (@​tschaub)

v4.0.0

Compare Source

This release doesn't include any breaking changes, but due to updated development dependencies, tests are no longer run on Node 10.

• #​432 - Updated dev dependencies and formatting (@​tschaub)
• #​430 - Bump ansi-regex from 3.0.0 to 3.0.1 (@​tschaub)
• #​431 - Bump path-parse from 1.0.6 to 1.0.7 (@​tschaub)
• #​427 - Bump async from 2.6.1 to 2.6.4 (@​tschaub)
• #​423 - Bump minimist from 1.2.5 to 1.2.6 (@​tschaub)

v3.2.3

Compare Source

• #​398 - Update glob-parent (@​tschaub)
• #​395 - Switch from filenamify-url to filenamify (@​tw0517tw)

v3.2.2

Compare Source

• #​396 - Revert "security(deps): bump filenamify-url to 2.1.1" (@​tschaub)

v3.2.1

Compare Source

• #​393 - security(deps): bump filenamify-url to 2.1.1 (@​AviVahl)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.