Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump dompurify from 2.2.9 to 2.5.6 in /airflow/www #42263

Merged
merged 1 commit into from
Sep 17, 2024
Merged

Bump dompurify from 2.2.9 to 2.5.6 in /airflow/www #42263

merged 1 commit into from
Sep 17, 2024

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 16, 2024

Bumps dompurify from 2.2.9 to 2.5.6.

Release notes

Sourced from dompurify's releases.

DOMPurify 2.5.6

  • Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @​kevin-mizu
  • Fixed a minor problem with the bower file pointing to the wrong dist path
  • Updated several development dependencies

DOMPurify 2.5.5

  • Fixed a minor issue with the dist paths in bower.js, thanks @​HakumenNC
  • Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @​kakao-bishop-cho

DOMPurify 2.5.4

  • Fixed a bug with latest isNaN checks affecting MSIE, thanks @​tulach
  • Fixed the tests for MSIE and fixed related test-runner

DOMPurify 2.5.3

  • Fixed several mXSS variations found by and thanks to @​kevin-mizu & @​Ry0taK
  • Added better configurability for comment scrubbing default behavior
  • Added better hardening against Prototype Pollution attacks, thanks @​kevin-mizu
  • Fixed some smaller issues in README and other documentation

DOMPurify 2.5.2

  • Addressed and fixed a mXSS variation found by @​kevin-mizu
  • Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
  • Updated tests for older Safari and Chrome versions

DOMPurify 2.5.1

  • Fixed an mXSS sanitizer bypass reported by @​icesfont
  • Added new code to track element nesting depth
  • Added new code to enforce a maximum nesting depth of 255
  • Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

DOMPurify 2.5.0

  • Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
  • Updated the LICENSE file to show the accurate year number
  • Updated several build and test dependencies

DOMPurify 2.4.9

  • Fixed another conditional bypass caused by Processing Instructions, thanks @​Ry0taK
  • Fixed the regex for HTML Custom Element detection, thanks @​AlekseySolovey3T

DOMPurify 2.4.8

  • Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @​Slonser

DOMPurify 2.4.7

DOMPurify 2.4.6

  • Fixed a bypass in jsdom 22 in case the noframes element is permitted, thanks @​leeN

... (truncated)

Commits
  • d78f241 chore: Preparing 2.5.6 release
  • 38e8410 fix: Added changes to 2.x regarding attribute value checks
  • 9a7cd98 See #961
  • de2545c chore: Preparing 2.5.5 release
  • f1e27e6 chore: Also removed depth counter logic from 2.x branch for now
  • 10c1261 docs: Updated README ever so slightly
  • 1c92880 test: Fixed two more tests for MSIE11 and Edge 18
  • 1401208 test: Fixed more tests for MSIE and Edge 18
  • 2c6410a test: Fixed several new tests for MSIE11 and Edge 18
  • 2c9bca9 test: Changed github config to include MSIE tests for 2.x
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump dompurify from 2.2.9 to 2.5.6 in /airflow/www
4ecf3a7 
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 2.2.9 to 2.5.6.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@2.2.9...2.5.6)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added area:dependencies Issues related to dependencies problems javascript Pull requests that update Javascript code labels Sep 16, 2024
@boring-cyborg boring-cyborg bot added area:UI Related to UI/UX. For Frontend Developers. area:webserver Webserver related Issues labels Sep 16, 2024
pierrejeambrun
pierrejeambrun approved these changes Sep 17, 2024
View reviewed changes
Copy link
Member

@pierrejeambrun pierrejeambrun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested locally in dev-mode and non dev-mode. Things are looking good.

@pierrejeambrun pierrejeambrun merged commit fc5f686 into main Sep 17, 2024
54 of 63 checks passed
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/airflow/www/dompurify-2.5.6 branch September 17, 2024 08:53
@pierrejeambrun pierrejeambrun added this to the Airflow 2.10.3 milestone Sep 17, 2024
pierrejeambrun pushed a commit to astronomer/airflow that referenced this pull request Sep 17, 2024
@dependabot @pierrejeambrun
Bump dompurify from 2.2.9 to 2.5.6 in /airflow/www (apache#42263)
c92d7aa 
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 2.2.9 to 2.5.6.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@2.2.9...2.5.6)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit fc5f686)
hussein-awala pushed a commit that referenced this pull request Sep 17, 2024
@pierrejeambrun @dependabot
Bump dompurify from 2.2.9 to 2.5.6 in /airflow/www (#42263) (#42270)
26140cf 
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 2.2.9 to 2.5.6.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@2.2.9...2.5.6)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit fc5f686)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
gopidesupavan pushed a commit to gopidesupavan/airflow that referenced this pull request Sep 17, 2024
@dependabot @gopidesupavan
Bump dompurify from 2.2.9 to 2.5.6 in /airflow/www (apache#42263)
c52a031 
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 2.2.9 to 2.5.6.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@2.2.9...2.5.6)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
joaopamaral pushed a commit to joaopamaral/airflow that referenced this pull request Oct 21, 2024
@dependabot @joaopamaral
Bump dompurify from 2.2.9 to 2.5.6 in /airflow/www (apache#42263)
d0905a2 
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 2.2.9 to 2.5.6.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@2.2.9...2.5.6)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@utkarsharma2 utkarsharma2 added the type:misc/internal Changelog: Misc changes that should appear in change log label Oct 23, 2024
utkarsharma2 pushed a commit that referenced this pull request Oct 23, 2024
@pierrejeambrun @dependabot @utkarsharma2
Bump dompurify from 2.2.9 to 2.5.6 in /airflow/www (#42263) (#42270)
b481dda 
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 2.2.9 to 2.5.6.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@2.2.9...2.5.6)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit fc5f686)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
utkarsharma2 pushed a commit that referenced this pull request Oct 24, 2024
@pierrejeambrun @dependabot @utkarsharma2
Bump dompurify from 2.2.9 to 2.5.6 in /airflow/www (#42263) (#42270)
3696fd0 
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 2.2.9 to 2.5.6.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@2.2.9...2.5.6)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit fc5f686)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pierrejeambrun pierrejeambrun pierrejeambrun approved these changes

@ryanahamilton ryanahamilton Awaiting requested review from ryanahamilton ryanahamilton is a code owner

@ashb ashb Awaiting requested review from ashb ashb is a code owner

@bbovenzi bbovenzi Awaiting requested review from bbovenzi bbovenzi is a code owner

@jscheffl jscheffl Awaiting requested review from jscheffl jscheffl is a code owner

Assignees
No one assigned
Labels
area:dependencies Issues related to dependencies problems area:UI Related to UI/UX. For Frontend Developers. area:webserver Webserver related Issues javascript Pull requests that update Javascript code type:misc/internal Changelog: Misc changes that should appear in change log
Projects
None yet
Milestone
Airflow 2.10.3
Development

Successfully merging this pull request may close these issues.
2 participants
@pierrejeambrun @utkarsharma2