[Security] Bump swagger-ui from 3.17.6 to 3.23.11

[dependabot-preview]

Bumps swagger-ui from 3.17.6 to 3.23.11. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects swagger-ui
A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@​import within the JSON data was a functional attack method.

Affected versions: < 3.23.11

Release notes

Sourced from swagger-ui's releases.

Swagger UI 3.23.11 Released!

⚠️ This release contains a security fix that addresses a CSS-based input field value exfiltration vulnerability. If you use Swagger UI to display untrusted OpenAPI documents, you should upgrade to this version ASAP.

Changelog

• fix: mitigate "sequential @import chaining" vulnerability (via #5616)

Swagger UI 3.23.10 Released!

This release fixes two bugs: one visual issue within static documentation, and another within runtime validation for Array-typed parameters.

Changelog

• fix: <Select disabled> for type: string + enum schemas (#5601)
• fix: accept string-represented values in required array runtime validation (#5609)

Swagger UI 3.23.9 Released!

This release changes the default value for the validatorUrl configuration option from https://online.swagger.io/validator to https://validator.swagger.io/validator.

Swagger UI 3.23.8 Released!

This release fixes an issue with Swagger 2.0 required body parameter runtime validation (#5583) that was introduced in v3.23.7.

Swagger UI 3.23.7 Released!

This release includes new support for display and Try-It-Out functionality of OAS 3.0 Parameter.content values.

Changelog

• feature: support for Parameter.content (#5571)
• housekeeping(dev-deps): [email protected]
• 43db164a 2019-08-27 | docs: clarify that preauthorizeApiKey works for OAS3 Bearer auth too (#5566)

Swagger UI 3.23.6 Released!

This release fixes a React warning originating in Swagger UI and a CSS class name collision with Bootstrap 4.0.

It also includes several in-range updates to minimum dependency versions.

Changelog

• fix: React warning related to "true" used as boolean (via #5497)
• fix: remove .col class that causes collision with Bootstrap (via #5541)

Swagger UI 3.23.5 Released!

This release includes a fix to our Markdown parsing implementation that should resolve display issues with certain Markdown strings.

Changelog

• fix: remove problematic Markdown optimization (via #5520)

Swagger UI 3.23.4 Released!

Changelog

• housekeeping: @kyleshockey/js-yaml -> js-yaml (via #5511)

... (truncated)

Commits

• 77f4651 release: v3.23.11
• 5f6ec8c fix: mitigate "sequential @​import chaining" vulnerability (#5616)
• c8ad396 release: v3.23.10
• 00c8e96 fix: accept string-represented values in required array runtime validation (#...
• 85f2bf3 fix: <Select disabled> for type: string + enum schemas (#5601)
• f523ec4 housekeeping: reorganize and rewire Mocha tests (#5600)
• c3890c2 release: v3.23.9
• 94c86d3 improvement: online.swagger.io -> validator.swagger.io (#5599)
• 7cae0d2 release: v3.23.8
• 4ebbc04 fix: 2.0 object parameter validation (#5583)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[Br3nda]

Failed to connect to "sauce"
@maukoquiroga What does sauce do for us?
I don't have permission to restart the build on circle ci - it might just need to try again.

[bonjourmauko]

Hello @Br3nda, sauce is for e2e testing. It's been failing lately, i'll try to take a look. Weird you can't restart the build...

[bonjourmauko]

@Br3nda so now this one id broken for the good reasons! 😅

[bonjourmauko]

So this will require some work prior.