
Bump govuk_publishing_components from 23.10.1 to 23.12.1 #2379

Merged

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Jan 11, 2021

Bumps govuk_publishing_components from 23.10.1 to 23.12.1.

Changelog

Sourced from govuk_publishing_components's changelog.

23.12.1

23.12.0

23.11.1

23.11.0

  • Replace transition countdown component with sidebar partial (PR #1845)

23.10.2

Commits
  • 1f6eeb2 Merge pull request #1861 from alphagov/new-23.12.1
  • 66c0d94 Bump to 23.12.1
  • e17aec2 Merge pull request #1860 from alphagov/dependabot/bundler/govuk_app_config-2.8.2
  • 6608652 Merge pull request #1859 from alphagov/dependabot/bundler/rails-6.1.1
  • cd0ed9d Merge pull request #1857 from alphagov/dependabot/bundler/nokogiri-1.11.1
  • 4c77f65 Merge pull request #1856 from alphagov/dependabot/bundler/gds-api-adapters-68...
  • a944b65 Merge pull request #1858 from alphagov/escape-dangerous-html
  • 46263d7 Bump govuk_app_config from 2.8.1 to 2.8.2
  • e18c5af Bump rails from 6.0.3.4 to 6.1.1
  • f80ce6b Escape dangerous HTML in 'Machine readable metadata' component
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies ruby Pull requests that update Ruby code labels Jan 11, 2021
@bevanloon bevanloon temporarily deployed to govuk-static-dependabot-xck3lr January 11, 2021 06:12 Inactive
@ChrisBAshton ChrisBAshton merged commit a597747 into master Jan 11, 2021
@ChrisBAshton ChrisBAshton deleted the dependabot/bundler/govuk_publishing_components-23.12.1 branch January 11, 2021 09:40
ChrisBAshton added a commit that referenced this pull request Jan 12, 2021
We have to `require "active_support/time"` to define these helper
methods, which are used to set the Cache-Control header in the
[test][] and [development][] environments.

I don't know why bumping the govuk_publishing_components gem from
v23.10.1 to v23.12.1 has caused this issue in both [Static][]
and [Feedback][] (nor why the tests passed on the PR and only
subsequently failed after merge).

Looking at the Gemfile.lock changes in Static (in
7c79e8d), there's no obvious
culprit there. I tried reverting the versions of all dependencies
except govuk_publishing_components, but the issue remained.

Looking at the [diff between the gem versions][diff], there are
no code changes that could have caused this, but there are a
number of Gemfile.lock changes including a minor bump in
`activesupport`, from 6.0 to 6.1, but we've already
[upgraded activesupport via a rails bump][rails-bump], so I'm
not sure why that would be an issue.

It won't be a good use of time to investigate too much further,
so I'm happy that this is a harmless change which unblocks us
from deploying an important fix.

Trello: https://trello.com/c/YhIIykse/2291-3-fix-cross-site-scripting-vulnerabilities

[diff]: https://github.com/alphagov/govuk_publishing_components/compare/v23.10.1..v23.12.1
[development]: https://github.com/alphagov/static/blob/8d40903636dba086f855e3f18a99fa02af5055b8/config/environments/development.rb#L23
[test]: https://github.com/alphagov/static/blob/c2b5079b83094b540ad600663fe656a87bb50df9/config/environments/test.rb#L19
[Static]: #2379
[Feedback]: alphagov/feedback#1149
[rails-bump]: 962f64a
ChrisBAshton added a commit to alphagov/feedback that referenced this pull request Jan 12, 2021
We have to `require "active_support/time"` to define the helper methods
we use to set the Cache-Control header in the [test environment][usage].

I don't know why bumping the govuk_publishing_components gem from
v23.10.1 to v23.12.1 has caused this issue in both [Static][]
and [Feedback][] (nor why the tests passed on the PR and only
subsequently failed after merge).

I wrote up an investigation in alphagov/static#2384,
but have nothing conclusive. It won't be a good use of time to
investigate too much further, so I'm happy that this is a harmless
change which unblocks us from deploying an important fix.

Trello: https://trello.com/c/YhIIykse/2291-3-fix-cross-site-scripting-vulnerabilities

[Static]: alphagov/static#2379
[Feedback]: #1149
[usage]: https://github.com/alphagov/feedback/blob/1cfe51bc39ec48f2cba0c502b15720fdc4dbbcd2/config/environments/test.rb#L14