New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency reveal.js to v4 [security] #78

Open

renovate wants to merge 1 commit into master from renovate/npm-reveal.js-vulnerability

renovate bot commented Mar 7, 2022 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
reveal.js (source)	`^3.5.0` -> `^4.0.0`

GitHub Vulnerability Alerts

CVE-2020-8127

Insufficient validation in cross-origin communication (postMessage) in reveal.js version 3.9.1 and earlier allow attackers to perform cross-site scripting attacks.

CVE-2022-0776

The onmessage event listener in /plugin/notes/speaker-view.html does not check the origin of postMessage before adding the content to the webpage. The vulnerable code allows any origin to postMessage on the browser window and feeds attacker's input to parts using which attacker can execute arbitrary javascript code on victim's browser window hosting reveal.js

Release Notes

hakimel/reveal.js

`v4.3.0`

tldr — self-destruction and bug fixes 💣

Changes

It's now possible to destroy/uninitialize a reveal.js presentation. This will remove all event listeners and roll back all changes made to the DOM. It will also unregister all plugins and destroy them if they expose a destroy method. (#1145 / @hakimel)
```
Reveal.destroy();
```
You can now provide an absolute URL to the presentation that should be loaded in the speaker view. This is useful if you have a presentation integrated as part of a web page but still want the speaker view to work.
```
Reveal.initialize({ url: 'https://example.com/my-reveal-presentation' })
```
Source maps are now included in dist (#3082 / @dabrahams)

Fixes

Fix the speaker view no longer goes out of sync with your presentation after live-reloading (#2822 / @hakimel).
Fix XSS vulnerability in speaker view (#3137 / @r0hanSH)
Fix issues with scaling embedded presentations when entering fullscreen mode in Safari (#3080 / @Martinomagnifico)

`v4.2.1`

Bug fix release 🐛

Fixes

Fix an issue where some slides disappeared (fully or partially) after slide transitions in Chrome (9e583b8 @hakimel)
Fix an issue that caused double-navigations and impacted presentation performance (@hakimel #3079)
Fix --host not working in npm start -- --host=0.0.0.0 (@cashcat #3075)
Fix incorrect sizing of auto-sized text in PDF exports (https://github.com/hakimel/reveal.js/issues/2865#issuecomment-970258829 @hakimel)
Fix background video playback issue in some browsers by inferring MIME type from file extension (#3078 @vanch3d)

`v4.2.0`

Changes

The math plugin now supports three typesetting libraries: KaTeX, MathJax 2 and MathJax 3. We continue to use MathJax 2 as our default so this is fully backwards compatible. Learn how to choose between typesetters and how to configure them in the docs at https://revealjs.com/math#typesetting-libraries (@burgerga in #2559).

New event: beforeslidechange (#3003). This makes it possible to conditionally prevent navigations:

// This prevents all slide changes
Reveal.addEventListener( 'beforeslidechange', e => e.preventDefault() );

New keyboard shortcut for skipping fragments while navigating: alt + ←/↑/→/↓.
New API option for skipping fragments in directional navigation Reveal.right({ skipFragments: true }).

Adds a beforeHighlight callback to the highlight plugin (@rajgoel in #3026).

Reveal.initialize({ 
  highlight: {
    beforeHighlight: (hljs) => {
      // interact with highlight.js, for example to register a new language
    }
  } 
})

Code line numbers can now start from an offset (#3050). For example, this code block would begin its line numbering from 10: <code data-ln-start-from="10">.
Better error messaging when the .reveal or .slides containers are missing #2217.

Fixes

The last slide keyboard shortcut now works for looped presentations (#3007).
Markdown code blocks can be turned into fragments (@nicojs in #2982).
Unit tests can now run in Windows (@Vandivier in #3027).
Restored support for base64 background images, broken since 4.1.1 (#2978).
Fixes an issue that prevented presentations from looping when navigationMode was set to linear.
Internal links leading to a slide with video/audio element will now correctly start media playback. This issue only affected mobile browsers.

`v4.1.3`

`v4.1.2`

Changes

Adds support for data-auto-animate-restart and data-auto-animate-id. These properties give you finer control over which slides that should auto-animate between each other (@coffeenotfound in #2896).
Theme properties are now available as CSS variables, making them easy to override. Full list of variables (#2740 + #2968).
Here's an example you can drop into your presentation's HTML:

<style type="text/css">
:root {
  --r-background-color: indigo;
  --r-main-color: #f5f5f5;
  --r-main-font: monospace;
}
</style>

Fixes

Markdown enabled speaker notes (<aside class="notes" data-markdown>) are no longer visible on-slide.

`v4.1.1`

Mostly bug fixes and enhancements 🐛

Changes

Adds support for Node.js 16.
data-background-image now accepts multiple images (#2940).
New Markdown config option animateLists — automatically turns all lists into stepped fragments (#2956).
Reduce the tab size in code blocks from 8 to 2.
More accurate calculation of which slide to jump to when clicking on the progress bar (#2836).
Optimize DOM interactions and reduce forced layouts when exporting to PDF (#2843).

Fixes

Video/audio inside of a fragment now stop playing when the fragment is hidden.
Markdown is now split into individual slides by the default separator (---) as advertised.
The r-fit-text layout helper now sizes text correctly in PDF exports.
Fixes an issue where some slide-specific transitions were incorrectly overridden by the global transition setting.
The has-dark-background helper class now works when using named colors for data-background-color (#2933).

`v4.1.0`

Changes

New: Add data-visibility="hidden" to a slide to hide it from view. Docs & examples
New: Add the r-fit-text class to make a text node grow to be as large as possible without overflowing the slide. Docs & examples
The configured slide width/height is now exposed as CSS variables (--slide-width/--slide-height).
The shuffle config option now shuffles vertical slides as well.
All themes now invert the text color based on the current slide background color.
Include /css and /js in npm package.

Fixes

Don't append #/ to the URL on first slide.
Don't fill the progress bar when there's only one slide in a deck
Correct slide count when using data-visibility="uncounted" (#2675)

`v4.0.2`

Changes

Enables caching for JavaScript builds, making subsequent builds ~50% faster.
In auto-sliding presentations, the data-autoslide attribute now takes precedence over automatic detection of <video> durations.
Remove overzealous reset styles when printing to PDF.
Reveal.configure and Reveal.isReady are now available in the pre-initialized reveal.js API, to match v3.x behavior.
Switches to serving demo presentation assets from a CDN.

Bug fixes

Fixes polyfills and adds IE 11 support.
Fixes the progress bar direction in right-to-left mode.

`v4.0.1`

Bug fixes

Fixed issues when printing speaker notes to PDF (#2671 by @s-l-lee)
Fixed incorrect auto-animations when there are multiple auto-animated presentations on the same page

`v4.0.0`

Breaking Changes 🚨

This release includes a small number of breaking changes. Please read the Upgrade Instructions if you want to migrate an existing presentation.

Highlights

New website, docs and logo! https://revealjs.com/ 🚀
Auto-Animate lets you create complex animations by automatically transitioning between matched elements across slides. Duration, delay and easing can be set on a per-slide or per-element basis.
We now support multiple presentations on the same page.
- This also introduces a new embedded config option, which allows presentations to reside within a portion of a page. Previously reveal.js always covered 100% of the page width and height.
- The new keyboardCondition: 'focused' config option lets presentations capture keyboard events only when they're focused by the viewer.
The reveal.js core and built-in plugins have been rewritten as ES modules. This makes the project easier to maintain and makes reveal.js itself easier to include in a bundle. Two bundles are provided:
- dist/reveal.js uses UMD and has broad cross browser support (ES5).
- dist/reveal.esm.js is an ES module. More info
Code highlights are now automatically scrolled into view and it looks soooo good. You've got to try it out.

Changes

The Reveal.initialize method now returns a promise that resolves once reveal.js is ready and all plugins have finished initializing.
Switches build systems from to gulp, using rollup for bundling.
Moves all compiled CSS (reveal.css, reset.css and themes) from css/ to dist/. See Upgrade Instructions.
Moves all print CSS into reveal.js. The old script-based print styles can be removed. by @quilicicf
Adds a new slidetransitionend event.
Adds a new r-stack layout helper for placing elements on top of each other.
Adds support for data-visibility="uncounted" to exclude slides from the progress bar and slide number count. #2543 by @lassepe
Adds Reveal.getComputedSlideSize API method.
Renames the Reveal.addEventListener and Reveal.removeEventListener API methods to Reveal.on and Reveal.off. Old names are aliased for backwards compatibility.
Removes the default border style from <img>s. Can be added with the r-frame class.
Removes bower.json.

Plugins

New syntax for registering plugins.
All built-in plugins—such as markdown and highlight—are now available as ES modules. More info
Notes: No longer depends on resolving an external notes.html file to work. Everything is baked into the plugin JS.
Highlight: Upgraded to highlight.js 10.0.1.
Highlight: Moved highlight themes from lib/css/monokai.css to plugin/highlight/monokai.css.
Highlight: 'highlight.js' library is now installed from npm instead of being saved in the repo.
Markdown: Support for line numbers and highlights in syntax highlighted code.
Markdown: Support for boolean data- attributes. by @Bagira80
Markdown: 'marked' library is now installed from npm instead of being saved in the repo.
Multiplex: Moved out to https://github.com/reveal/multiplex
Notes Server: Moved out to https://github.com/reveal/notes-server

Bug fixes

Fixes a bug that prevented links from working in exported PDFs. #2628 by @telliott22
Fixes a bug where navigationMode: 'linear' incorrectly hid valid vertical directions. #2582 by @earboxer
Fixes an issue that caused reveal.js to incorrectly block keyboard events when an element with contentedtable=false was focused. #2650

`v3.9.2`

Fixes a security vulnerability in the postMessage API. The follow methods are now blacklisted and can not be called via the postMessage API: registerPlugin, registerKeyboardShortcut, addKeyBinding, addEventListener.

`v3.9.1`

This version contains no changes. It was only released to bump the published version on npm.

3.9.0 was published to npm with local edits 🤦‍♂️

`v3.9.0`

Changes:

Adds step-by-step code highlights! Step through multiple line highlights on the same code block.
Adds postMessage callbacks. Makes it possible to use the postMessage API to invoke reveal.js methods with return values.
The pacing timer functionality now accepts a total time for the whole presentation. Timing was previously worked out on a per-slide level. (#2400 by longtime reveal.js contributor @fghaas!)
Background iframes no longer preload by default. They load when you arrive at the given slide. This unifies the behavior of in-slide and background iframes. Learn how to turn on preloading.
The slide number format specified through slideNumber is now honored in PDF exports. (#2337 by @dougalsutherland)
(4c557a5)
Adds data-fragment=<index> to any slide
with fragments in it. This lets you target specific fragment states with CSS like section[data-fragment="2"] { ... }.
Adds Reveal.getHorizontalSlides() and Reveal. getVerticalSlides() for getting all horizontal/vertical slides in a deck.
Adds Reveal.hasHorizontalSlides() and Reveal. hasVerticalSlides() for checking whether or not a deck contains any horizontal or vertical slides.
Adds mobileViewDistance configuration option. Mobile view distance was previously hardcoded at 2. (#2513 by @TuurDutoit)
Adds allow="autoplay" to iframes to comply with Chrome's Autoplay Policy Changes (#2437 by @TehDmitry)
Switches to CSS transforms to scale decks up on HDPI displays. Previous use of CSS zoom produced sharper results but led to side effects such as iframes not scaling with the deck content.
Switches first/last slide keyboard shortcuts from ⌘←/⌘→ to Shift←/Shift→. The old shortcut conflicted with browser back/forward.
Updates highlight.js from 9.11.0 to 9.18.0

Bug fixes:

Fixes an issue where the navigation down-arrow was blocked by the progress bar (#2410 by @NoriSte).
Fixes swipe navigation for decks with navigationMode set to linear (#2416 by @earboxer).
Fixes vertical overflow in iPadOS Safari.
Fixes inconsistent fragment slide animations by translating by a fixed unit.
Fixes failing npm install because of outdated dependencies.
Fixes exception when highlighting empty code blocks.

`v3.8.0`

Changes:

The cursor is now automatically hidden after five seconds of inactivity. The timeout can be adjusted with hideCursorTime: <milliseconds>, or you can disable the feature entirely with hideInactiveCursor: false.
Presentations can be zoomed on touch devices using the standard pinch-to-zoom gestures.
New navigationMode: <default/linear/grid> config option. Set to "grid" to navigate across adjacent vertical stacks. Learn more in the docs. (#2307)
New hash: <boolean> config option. When set to true, reveal.js will reflect the current slide in the address bar without pushing each slide change to the browser history. (#2286 by @asottile)
New preloadIframes config option for flagging if iframes should be preloaded or not. Can be set per-frame using the data-preload attribute. More info. (#2354 by @maxrothman)
A resize event is now dispatched anytime the presentation scale changes. (#2300 by @mw75)
The "Resume" button in the pause overlay is hidden if controls are set to false. (#2215 by @anderslemke)
New keyboard shortcut: CMD/CTRL + left or right arrow to go to first or last slide.
Adds Reveal.getRevealElement() for retrieving the presentation's root element (<div class="reveal">).
Removes Head JS as it is no longer required to load dependencies.
Removes classList polyfill since browser support caught up.
Removes the reset styles from reveal.css to make styles easier to override. Reset styles are now included as a separate reset.css file. (6abc6e0 #1952 & #2248)
The zoom transition now zooms between all slides, previously it zoomed between horizontal slides and used a slide transition between vertical.
Upgrade to Socket.IO 2.2.0.

Plugin Changes:

Adds a new API for registering plugins Reveal.registerPlugin( 'myPlugin', MyPluginInstance ). If a registered plugin returns a promise when initialized, reveal.js will wait for that promise to be fulfilled before firing the ready event. Learn more in the docs.
Code highlighting: Support for line numbers! Just add data-line-numbers to your code blocks.
Code highlighting: Highlight specific lines by providing a comma separated list of line numbers to data-line-numbers. Line ranges, like 5-15, are supported too.
Speaker view: No longer requires a web server, it now works when opened directly from the filesystem. (#2104 by @jurca)
Markdown: External .md files are now loaded asynchronously.
Markdown: Upgrade to marked 0.6.0. (@sestegra)
MathJax config options can now be set via the reveal.js math config option. (#2090 by @bnjmnt4n)

Bug fixes:

Fixes npm security warnings by updating all dependencies.
Fixes an issue that prevented the same internal link from being clicked twice. (#2350 by @rparree)
Fixes an issue with data-transition not working on vertical slides. (b6ce0a9 #1947)
Fixes an issue that needless caused the slide method—and all of its corresponding performance heavy DOM operations—to be invoked twice for each slide change. (#2263 by @mbotsch)
Fixes a layout bug with overlaid speaker notes when reveal.js is smaller than the browser window.
Fixes an error that caused Reveal.getProgress() to return a value higher than 1 when there were fragments on the last slide.
The speaker view no longer stops working when opened multiple times. (#2251 by @oyron)
Prevents presentations from overflowing vertically in some mobile browsers.
Elements using .stretch now show up in the overview mode. (@sanand0)

`v3.7.0`

Changes:

Key Binding API (#1885 by @ denehyg)
Adds pdfSeparateFragments option for exporting fragments on separate PDF pages (@koehlma)
Adds fragmentInURL option for including fragments in the URL (@dougalsutherland)
Adds hashOneBasedIndex option for switching slide URLs from 0 to 1-based index (@sean-parent)
Adds data-background-opacity attribute for fading out background media
Adds a "Resume presentation" button to the pause overlay
Adds two new fragment styles
- semi-fade-out: starts fully visible and fades out to 50% opacity
- fade-in-then-semi-out: fades in like a normal fragment and remains visible but faded out when you move to the next fragment
New API method Reveal.syncSlide: same use as Reveal.sync but more efficient when you've only made changes to one specific slide
New API method Reveal.syncFragments: same use as Reveal.sync but more efficient when you've only made changes to fragments on one specific slide
Removes arbitrary restrictions on slide IDs, all IDs are now valid
The slide number is now an anchor pointing to the current hash, making it possible to copy the current slide URL even when history is disabled (#2133 by @sean-parent)
Whitespace is now allowed in background image names (@RobertBaron)

Bug fixes:

The left/right navigation arrows no longer appear when there are no horizontal slides
Navigating to the same slide twice in a row no longer drops its "present" class
The loop option now works correctly in presentations with only vertical slides
More graceful error handling of duplicate slide IDs
Interactive iframe backgrounds now work in vertical slides

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          chore(deps): update dependency reveal.js to v4 [security]

71c1a1d

Author

renovate bot commented Mar 24, 2023 •

edited

Loading

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet