Error when generating static files with Hexo 5.4.0

[wenheqi]

I was trying to use minos theme to generate a site with support for both English and Simplified Chinese.

Issue Description

An error occurred when generating the static files with Hexo 5.4.0.

wenheqi@Wenhes-MacBook-Pro blog % hexo generate
INFO  Validating config
INFO  =======================================
███╗   ███╗ ██╗ ███╗   ██╗  ██████╗  ███████╗
████╗ ████║ ██║ ████╗  ██║ ██╔═══██╗ ██╔════╝
██╔████╔██║ ██║ ██╔██╗ ██║ ██║   ██║ ███████╗
██║╚██╔╝██║ ██║ ██║╚██╗██║ ██║   ██║ ╚════██║
██║ ╚═╝ ██║ ██║ ██║ ╚████║ ╚██████╔╝ ███████║
╚═╝     ╚═╝ ╚═╝ ╚═╝  ╚═══╝  ╚═════╝  ╚══════╝
=============================================
INFO  Checking dependencies
INFO  Checking if the configuration file exists
INFO  Checking language names against RFC5646 specs
INFO  Start processing
INFO  Files loaded in 88 ms
ERROR Error: /Users/wenheqi/Documents/blog/themes/minos/layout/post.ejs:3
    1| <section class="section">
    2|     <div class="container">
 >> 3|     <%- partial('common/article', { post: page, index: false }) %>
    4|     </div>
    5| </section>

/Users/wenheqi/Documents/blog/themes/minos/layout/common/article.ejs:11
    9|     <div class="article-meta columns is-variable is-1 is-multiline is-mobile is-size-7-mobile">
    10|         <span class="column is-narrow">
 >> 11|             <% if (has_config('article.date_format') && get_config('article.date_format') === 'relative' ) { %>
    12|                 <time datetime="<%= date_xml(post.date) %>" itemprop="datePublished"><%= format_date_full(post.date) %></time>
    13|             <% } else if (has_config('article.date_format') && get_config('article.date_format') === 'full' ) { %>
    14|                 <span><%= format_date_full(post.date) %></span>

Function yaml.safeLoad is removed in js-yaml 4. Use yaml.load instead, which is now safe by default.
    at Object.safeLoad (/Users/wenheqi/Documents/blog/node_modules/js-yaml/index.js:10:11)
    at getThemeConfig (/Users/wenheqi/Documents/blog/themes/minos/scripts/99_config.js:33:37)
    at Object.<anonymous> (/Users/wenheqi/Documents/blog/themes/minos/scripts/99_config.js:49:9)
    at eval (/Users/wenheqi/Documents/blog/themes/minos/layout/common/article.ejs:29:12)
    at article (/Users/wenheqi/Documents/blog/node_modules/ejs/lib/ejs.js:682:17)
    at _View._compiledSync (/Users/wenheqi/Documents/blog/node_modules/hexo/lib/theme/view.js:132:24)
    at _View.renderSync (/Users/wenheqi/Documents/blog/node_modules/hexo/lib/theme/view.js:59:25)
    at Object.partial (/Users/wenheqi/Documents/blog/node_modules/hexo/lib/plugins/helper/partial.js:34:15)
    at eval (/Users/wenheqi/Documents/blog/themes/minos/layout/post.ejs:12:17)
    at post (/Users/wenheqi/Documents/blog/node_modules/ejs/lib/ejs.js:682:17)
    at _View._compiled (/Users/wenheqi/Documents/blog/node_modules/hexo/lib/theme/view.js:136:50)
    at _View.render (/Users/wenheqi/Documents/blog/node_modules/hexo/lib/theme/view.js:39:17)
    at /Users/wenheqi/Documents/blog/node_modules/hexo/lib/hexo/index.js:64:21
    at tryCatcher (/Users/wenheqi/Documents/blog/node_modules/bluebird/js/release/util.js:16:23)
    at /Users/wenheqi/Documents/blog/node_modules/bluebird/js/release/method.js:15:34
    at RouteStream._read (/Users/wenheqi/Documents/blog/node_modules/hexo/lib/hexo/router.js:47:5)
    at RouteStream.Readable.read (internal/streams/readable.js:481:10)
    at resume_ (internal/streams/readable.js:968:12)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  path: '/Users/wenheqi/Documents/blog/themes/minos/layout/post.ejs'
}

How to Reproduce

1. create both _config.yml and _config.zh-cn.yml under themes/minos
2. modify the _config.yml accordingly under Hexo root folder
3. create a dummy post in English with command hexo new "Hello World" --lang en
4. create a dummy post in Simplified Chinese with command hexo new "Hello World" -- lang zh-cn
5. generate the static files hexo generate

Root Cause

As the error log indicates, yaml.safeLoad is remove in js-yaml 4.

This issue currently should only happen on Hexo 5.4.0 since it switched to js-yaml 4.0.0. Before that, js-yaml version in the dependency was 3.x.x.

How to Fix

As js-yaml suggests, yaml.load from 4.0.0 is safe by default. I'd suggest to switch to use yaml.load.

I tested on my local machine, after switch to yaml.load function, hexo generate can generate static files successfully with minos theme and no error occurred.

@ppoffice I'll create a PR shortly to integrate the fix as suggested by js-yaml. Would you please help to review and see if it works for you? Thanks.

[ppoffice]

Sounds good to me. Look forward to your PR.

[wenheqi]

124

[ppoffice]

by the way, does this change have any impact on hexo 5.3.x and before?

[wenheqi]

I just checked the homepage of js-yaml. Here is what I got:

js-yaml 3.x.x

Both safeLoad and load will parse string as single YAML document. Under the load function, the author of js-yaml says

Use with care with untrusted sources. The same as safeLoad() but uses DEFAULT_FULL_SCHEMA by default - adds some JavaScript-specific types: !!js/function, !!js/regexp and !!js/undefined. For untrusted sources, you must additionally validate object structure to avoid injections

js-yaml 4.x.x

safeLoad is removeda as load is safe by default.

Speaking of trusted sources, if my understanding is correct, minos uses yaml.safeLoad only to parse the _config.lang.yml under minos folder and those .yml files are supplied by the blog developer (minos provided an example _config.yml file to make it easier to start).

I can also help to test some basics like generating static files and serve the files on a server on Hexo 5.3.x and some early versions like 3.6.0 to see if it works with yaml.load and let you know the results on my side. Btw, do we currently have any automated test scripts available? I checked the package.json file in minos root folder but no luck.