Dockery/Trilium
1
0
Fork 0
mirror of https://github.com/zadam/trilium.git synced 2026-05-06 19:06:35 +02:00
Code Issues Packages Projects Releases Activity

feat(script): mark cheerio as deprecated and provide alternative

Browse Source
This commit is contained in:
Elian Doran
2026-04-10 10:22:15 +03:00
parent fe710823c1
commit d009582252
7 changed files with 84 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
apps/server/src/assets/doc_notes/en/User Guide/!!!meta.json generated vendored
View File

File diff suppressed because one or more lines are too long

5
apps/server/src/assets/doc_notes/en/User Guide/User Guide/Scripting/Breaking changes/v0.103.0 Removal of axios.html generated vendored
View File

@@ -1,5 +1,8 @@
<p>The <code spellcheck="false">api.axios</code> library has been removed from
the backend scripting API.</p>
<p>Scripts that attempt to use <code spellcheck="false">api.axios</code> will
now throw an error with migration instructions.</p>
<h2>Reasoning</h2>
<p>Axios was marked as deprecated at least since April 2024 in favor of the
native <code spellcheck="false">fetch()</code> API, which is available in
both browser and Node.js environments. After two years of deprecation,
@@ -7,8 +10,6 @@
where attackers published malicious versions that deployed a remote access
trojan. The Trilium's main developer almost got compromised, but <code spellcheck="false">pnpm</code> not
trusting unknown post-install scripts successfully avoided that.</p>
<p>Scripts that attempt to use <code spellcheck="false">api.axios</code> will
now throw an error with migration instructions.</p>
<h2>Migration</h2>
<p>Replace <code spellcheck="false">api.axios</code> calls with the native
<code

14
apps/server/src/assets/doc_notes/en/User Guide/User Guide/Scripting/Breaking changes/v0.103.0 `cheerio` is now depr.html generated vendored Normal file
View File

@@ -0,0 +1,14 @@
<p>The <code spellcheck="false">api.cheerio</code> library is deprecated and
will be removed in a future version.</p>
<h2>Reasoning</h2>
<p>Cheerio is only used for the scripting API while the server internally
uses <code spellcheck="false">node-html-parser</code> for HTML parsing. Removing
<code
spellcheck="false">cheerio</code>reduces bundle size and maintenance overhead.</p>
<h2>Migration</h2>
<p>Before (<code spellcheck="false">cheerio</code>):</p><pre><code class="language-application-javascript-env-backend">const $ = api.cheerio.load(html);
const title = $('h1').text();
const links = $('a').map((i, el) =&gt; $(el).attr('href')).get();</code></pre>
<p>After (<code spellcheck="false">htmlParser</code>):</p><pre><code class="language-application-javascript-env-backend">const root = api.htmlParser.parse(html);
const title = root.querySelector('h1')?.textContent;
const links = root.querySelectorAll('a').map(a =&gt; a.getAttribute('href'));</code></pre>

10
apps/server/src/services/backend_script_api.ts
View File

@@ -2,6 +2,7 @@ import type { AttributeRow } from "@triliumnext/commons";
import { dayjs } from "@triliumnext/commons";
import { formatLogMessage } from "@triliumnext/commons";
import * as cheerio from "cheerio";
import * as htmlParser from "node-html-parser";
import xml2js from "xml2js";
import becca from "../becca/becca.js";
@@ -98,10 +99,16 @@ export interface Api {
/**
* cheerio library for HTML parsing and manipulation. See {@link https://cheerio.js.org} for documentation
* @deprecated cheerio will be removed in a future version. Use api.htmlParser (node-html-parser) instead.
*/
cheerio: typeof cheerio;
/**
* node-html-parser library for HTML parsing. See {@link https://github.com/piotr-nicol/node-html-parser} for documentation.
* This is the recommended replacement for cheerio.
*/
htmlParser: typeof htmlParser;
/**
* Instance name identifies particular Trilium instance. It can be useful for scripts
* if some action needs to happen on only one specific instance.
@@ -451,6 +458,7 @@ function BackendScriptApi(this: Api, currentNote: BNote, apiParams: ApiParams) {
this.dayjs = dayjs;
this.xml2js = xml2js;
this.cheerio = cheerio;
this.htmlParser = htmlParser;
this.getInstanceName = () => (config.General ? config.General.instanceName : null);
this.getNote = (noteId) => becca.getNote(noteId);
this.getBranch = (branchId) => becca.getBranch(branchId);

30
docs/User Guide/!!!meta.json vendored
View File

@@ -17831,6 +17831,34 @@
"dataFileName": "v0.103.0 Removal of axios.md",
"attachments": []
},
{
"isClone": false,
"noteId": "pAJ0jWz16xFm",
"notePath": [
"pOsGYCXsbNQG",
"CdNpE2pqjmI6",
"cNpC0ITcfX0N",
"pAJ0jWz16xFm"
],
"title": "v0.103.0: `cheerio` is now deprecated",
"notePosition": 20,
"prefix": null,
"isExpanded": false,
"type": "text",
"mime": "text/html",
"attributes": [
{
"type": "label",
"name": "shareAlias",
"value": "cheerio-deprecated",
"isInheritable": false,
"position": 30
}
],
"format": "markdown",
"dataFileName": "v0.103.0 `cheerio` is now depr.md",
"attachments": []
},
{
"isClone": false,
"noteId": "72dxvnbnkDFY",
@@ -17841,7 +17869,7 @@
"72dxvnbnkDFY"
],
"title": "v0.102.0: Upgrade to jQuery 4.0.0",
"notePosition": 20,
"notePosition": 30,
"prefix": null,
"isExpanded": false,
"type": "text",

6
docs/User Guide/User Guide/Scripting/Breaking changes/v0.103.0 Removal of axios.md vendored
View File

@@ -1,10 +1,12 @@
# v0.103.0: Removal of axios
The `api.axios` library has been removed from the backend scripting API.
Axios was marked as deprecated at least since April 2024 in favor of the native `fetch()` API, which is available in both browser and Node.js environments. After two years of deprecation, the library was removed following the [March 2026 npm supply chain compromise](https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust), where attackers published malicious versions that deployed a remote access trojan. The Trilium's main developer almost got compromised, but `pnpm` not trusting unknown post-install scripts successfully avoided that.
Scripts that attempt to use `api.axios` will now throw an error with migration instructions.
## Reasoning
Axios was marked as deprecated at least since April 2024 in favor of the native `fetch()` API, which is available in both browser and Node.js environments. After two years of deprecation, the library was removed following the [March 2026 npm supply chain compromise](https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust), where attackers published malicious versions that deployed a remote access trojan. The Trilium's main developer almost got compromised, but `pnpm` not trusting unknown post-install scripts successfully avoided that.
## Migration
Replace `api.axios` calls with the native `fetch()` API.

24
docs/User Guide/User Guide/Scripting/Breaking changes/v0.103.0 `cheerio` is now depr.md vendored Normal file
View File

@@ -0,0 +1,24 @@
# v0.103.0: `cheerio` is now deprecated
The `api.cheerio` library is deprecated and will be removed in a future version.
## Reasoning
Cheerio is only used for the scripting API while the server internally uses `node-html-parser` for HTML parsing. Removing `cheerio` reduces bundle size and maintenance overhead.
## Migration
Before (`cheerio`):
```javascript
const $ = api.cheerio.load(html);
const title = $('h1').text();
const links = $('a').map((i, el) => $(el).attr('href')).get();
```
After (`htmlParser`):
```javascript
const root = api.htmlParser.parse(html);
const title = root.querySelector('h1')?.textContent;
const links = root.querySelectorAll('a').map(a => a.getAttribute('href'));
```