Dockery/Trilium
1
0
Fork 0
mirror of https://github.com/zadam/trilium.git synced 2026-04-11 22:47:46 +02:00
Code Issues Packages Projects Releases Activity

feat(script): mark cheerio as deprecated and provide alternative

Browse Source
This commit is contained in:
Elian Doran
2026-04-10 10:22:15 +03:00
parent fe710823c1
commit d009582252
7 changed files with 84 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/User Guide/User Guide/Scripting/Breaking changes/v0.103.0 Removal of axios.md vendored
View File

@@ -1,10 +1,12 @@
# v0.103.0: Removal of axios
The `api.axios` library has been removed from the backend scripting API.
Axios was marked as deprecated at least since April 2024 in favor of the native `fetch()` API, which is available in both browser and Node.js environments. After two years of deprecation, the library was removed following the [March 2026 npm supply chain compromise](https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust), where attackers published malicious versions that deployed a remote access trojan. The Trilium's main developer almost got compromised, but `pnpm` not trusting unknown post-install scripts successfully avoided that.
Scripts that attempt to use `api.axios` will now throw an error with migration instructions.
## Reasoning
Axios was marked as deprecated at least since April 2024 in favor of the native `fetch()` API, which is available in both browser and Node.js environments. After two years of deprecation, the library was removed following the [March 2026 npm supply chain compromise](https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust), where attackers published malicious versions that deployed a remote access trojan. The Trilium's main developer almost got compromised, but `pnpm` not trusting unknown post-install scripts successfully avoided that.
## Migration
Replace `api.axios` calls with the native `fetch()` API.

24
docs/User Guide/User Guide/Scripting/Breaking changes/v0.103.0 `cheerio` is now depr.md vendored Normal file
View File

@@ -0,0 +1,24 @@
# v0.103.0: `cheerio` is now deprecated
The `api.cheerio` library is deprecated and will be removed in a future version.
## Reasoning
Cheerio is only used for the scripting API while the server internally uses `node-html-parser` for HTML parsing. Removing `cheerio` reduces bundle size and maintenance overhead.
## Migration
Before (`cheerio`):
```javascript
const $ = api.cheerio.load(html);
const title = $('h1').text();
const links = $('a').map((i, el) => $(el).attr('href')).get();
```
After (`htmlParser`):
```javascript
const root = api.htmlParser.parse(html);
const title = root.querySelector('h1')?.textContent;
const links = root.querySelectorAll('a').map(a => a.getAttribute('href'));
```