Thanks, GitHub!
GitHub is full of wonders. I just started to play around with some Hexo themes and plugins for my new blog. Then, when I pushed some changes to the GitHub Pages repo, I received an ominous mail.
Usually, the mails that I receive on GitHub contain notifications about Pull Requests or Issues that I follow. But this time, things are different.
Well, as it turns out, Hexo depends on the no-longer-maintained swig template engine, which itself depends on an outdated and vulnerable version of uglifyjs.
Nice of GitHub to tell me. I would never have guessed that GitHub scans all source code in GitHub Pages repositories for possible vulnerabilities. I guess it’s more or less in their own interest as well as in mine.