Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): bump angular-cookies from 1.7.9 to 1.8.0 #104

Merged

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Aug 7, 2020

⚠️ Dependabot is rebasing this PR ⚠️

If you make any changes to it yourself then they will take precedence over the rebase.


Bumps angular-cookies from 1.7.9 to 1.8.0.

Changelog

Sourced from angular-cookies's changelog.

1.8.0 nested-vaccination (2020-06-01)

This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz(@koto); and independently by Esben Sparre Andreasen (@esbena) while performing a Variant Analysis of CVE-2020-11022 which itself was found and reported by Masato Kinugawa (@masatokinugawa).

Bug Fixes

  • jqLite:
    • prevent possible XSS due to regex-based HTML replacement (2df43c)

Breaking Changes

jqLite due to:

  • 2df43c: prevent possible XSS due to regex-based HTML replacement

JqLite no longer turns XHTML-like strings like <div /><span /> to sibling elements <div></div><span></span> when not in XHTML mode. Instead it will leave them as-is. The browser, in non-XHTML mode, will convert these to: <div><span></span></div>.

This is a security fix to avoid an XSS vulnerability if a new jqLite element is created from a user-controlled HTML string. If you must have this functionality and understand the risk involved then it is posible to restore the original behavior by calling

angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement();

But you should adjust your code for this change and remove your use of this function as soon as possible.

Note that this only patches jqLite. If you use jQuery 3.5.0 or newer, please read the jQuery 3.5 upgrade guide for more details about the workarounds.

Commits
  • e55d352 docs(*): update changelog for 1.8.0
  • 78ab691 chore(*): prep for 1.8.0
  • 59b5651 docs(ngRepeat): missing closing backtick
  • c8b7c16 fix(jqLite): improve documentation
  • 05cf606 fix(jqLite): apply suggestions from code review
  • 2df43c0 fix(jqLite): prevent possible XSS due to regex-based HTML replacement
  • 295213d chore(*): clean up package.json and CircleCI config
  • a31c207 chore(docs-app): remove document.write() from docs index.html
  • 2518966 fix(grunt-utils): insert the core CSS styles without using innerHTML
  • 7de25c8 chore(ci): ensure that deployment files are ready for deployment
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Aug 7, 2020
@liangyuanruo
Copy link
Contributor

@karrui i forgot - we have to upgrade related peer dependencies of AngularJS as well. there's a bunch of them on v1.7.9 in package.json

@liangyuanruo liangyuanruo merged commit 3ed9dbb into develop Aug 7, 2020
@liangyuanruo liangyuanruo deleted the dependabot/npm_and_yarn/angular-cookies-1.8.0 branch August 7, 2020 08:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant