Merge branch 'main' into main

Shopify · Dec 17, 2024 · 9f6dc21 · 9f6dc21
2 parents 6485b04 + 8f1443f
commit 9f6dc21
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,10 @@
 Unreleased
 ----------
 
+22.5.1 (December 11, 2024)
+----------
+- Fix Rails [CVE-2024-54133](https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a) [1929](https://github.com/Shopify/shopify_app/pull/1929)
+
 22.5.0 (November 28, 2024)
 ----------
 - Add support for filters in webhook registration [1923](https://github.com/Shopify/shopify_app/pull/1923)

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    shopify_app (22.5.0)
+    shopify_app (22.5.1)
       activeresource
       addressable (~> 2.7)
       jwt (>= 2.2.3)
@@ -107,7 +107,7 @@ GEM
     json (2.7.2)
     jwt (2.7.0)
     language_server-protocol (3.17.0.3)
-    loofah (2.22.0)
+    loofah (2.23.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     mail (2.8.1)
@@ -132,11 +132,11 @@ GEM
     net-smtp (0.5.0)
       net-protocol
     nio4r (2.5.9)
-    nokogiri (1.16.7-arm64-darwin)
+    nokogiri (1.17.1-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.16.7-x86_64-darwin)
+    nokogiri (1.17.1-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.16.7-x86_64-linux)
+    nokogiri (1.17.1-x86_64-linux)
       racc (~> 1.4)
     oj (3.14.3)
     openssl (3.1.0)
@@ -181,9 +181,9 @@ GEM
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.0)
+    rails-html-sanitizer (1.6.1)
       loofah (~> 2.21)
-      nokogiri (~> 1.14)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
     railties (6.1.7.9)
       actionpack (= 6.1.7.9)
       activesupport (= 6.1.7.9)

diff --git a/lib/shopify_app/controller_concerns/frame_ancestors.rb b/lib/shopify_app/controller_concerns/frame_ancestors.rb
@@ -8,7 +8,10 @@ module FrameAncestors
       content_security_policy do |policy|
         policy.frame_ancestors(-> do
           domain_host = current_shopify_domain || "*.#{::ShopifyApp.configuration.myshopify_domain}"
-          "#{ShopifyAPI::Context.host_scheme}://#{domain_host} https://admin.#{::ShopifyApp.configuration.unified_admin_domain}"
+          [
+            "#{ShopifyAPI::Context.host_scheme}://#{domain_host}",
+            "https://admin.#{::ShopifyApp.configuration.unified_admin_domain}",
+          ]
         end)
       end
     end

diff --git a/lib/shopify_app/version.rb b/lib/shopify_app/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ShopifyApp
-  VERSION = "22.5.0"
+  VERSION = "22.5.1"
 end