Altinity / clickhouse-grafana

Altinity Grafana datasource plugin for ClickHouse®
MIT License

Bump @braintree/sanitize-url, @grafana/data and @grafana/toolkit #470

Closed dependabot[bot] closed 1 year ago

dependabot[bot] commented 1 year ago

Bumps @braintree/sanitize-url to 6.0.1 and updates ancestor dependencies @braintree/sanitize-url, @grafana/data and @grafana/toolkit. These dependencies need to be updated together.

Updates @braintree/sanitize-url from 4.0.0 to 6.0.1

Changelog

Sourced from @braintree/sanitize-url's changelog.

6.0.1

  • Fix issue where urls in the form javascript:alert('xss'); were not properly sanitized
  • Fix issue where urls in the form javasc\tript:alert('XSS'); were not properly sanitized

6.0.0

Breaking Changes

  • Decode HTML characters automatically that would result in an XSS vulnerability when rendering links via a server rendered HTML file
```js
// decodes to javascript:alert('XSS')
const vulnerableUrl =
  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041";

sanitizeUrl(vulnerableUrl); // 'about:blank'

const okUrl = "https://example.com/" + vulnerableUrl;

// since the javascript bit is in the path instead of the protocol
// this is successfully sanitized
sanitizeUrl(okUrl); // 'https://example.com/javascript:alert('XSS')'
```

5.0.2

  • Fix issue where certain invisible white space characters were not being sanitized (#35)

5.0.1

  • Fix issue where certain safe characters were being filtered out (#31 thanks @akirchmyer)

5.0.0

Breaking Changes

4.1.1

  • Fixup path to type declaration (closes #25)

4.1.0

  • Add typescript types

4.0.1

  • Fix issue where urls with accented characters were incorrectly sanitized
Commits
Maintainer changes

This version was pushed to npm by braintree, a new releaser for @braintree/sanitize-url since your current version.


Updates @grafana/data from 9.2.0 to 9.3.6

Release notes

Sourced from @grafana/data's releases.

9.3.6 (2023-01-26)

Download page What's new highlights

Bug fixes

  • QueryEditorRow: Fixes issue loading query editor when data source variable selected. #61927, @torkelo

9.3.4 (2023-01-25)

Download page What's new highlights

Features and enhancements

Bug fixes

9.3.2 (2022-12-16)

Download page What's new highlights

Features and enhancements

... (truncated)

Changelog

Sourced from @grafana/data's changelog.

9.3.6 (2023-01-26)

Bug fixes

  • QueryEditorRow: Fixes issue loading query editor when data source variable selected. #61927, @torkelo

9.3.4 (2023-01-25)

Features and enhancements

Bug fixes

9.3.2 (2023-12-13)

Features and enhancements

Bug fixes

... (truncated)

Commits
  • 978237e Release: Bump version to 9.3.6 (#743)
  • 77b7420 Release: Bump version to 9.3.5 (#729)
  • 24abde9 [v9.3.x] DataFrame: Add explicit histogram frame type (panel & transforms)
  • 62984d2 [v9.3.x] TimeSeries: Fix y-axis Yes/No and On/Off boolean units (#61208)
  • a4b7019 [v9.3.x] Plugins: add option to proxy ds connections through a secure socks p...
  • 55b87d5 Release: Bump version to 9.3.3 (#60429)
  • 8c9b6ef [v9.3.x] Transformations: Fix bug in convert fields boolean to number (#60355)
  • 4f68c4e [9.3.x] Backport Contexthandler: Add uname as response header #59930 (#59951)
  • 3adad3c Users: Use Remote Cache for storing signed in users [v9.3.x] (#59883) (#59934)
  • a32d25b Auth: Session cache [v9.3.x] (#59937)
  • Additional commits viewable in compare view


Updates @grafana/toolkit from 7.5.12 to 9.3.6

Release notes

Sourced from @grafana/toolkit's releases.

9.3.6 (2023-01-26)

Download page What's new highlights

Bug fixes

  • QueryEditorRow: Fixes issue loading query editor when data source variable selected. #61927, @torkelo

9.3.4 (2023-01-25)

Download page What's new highlights

Features and enhancements

Bug fixes

9.3.2 (2022-12-16)

Download page What's new highlights

Features and enhancements

... (truncated)

Changelog

Sourced from @grafana/toolkit's changelog.

9.3.6 (2023-01-26)

Bug fixes

  • QueryEditorRow: Fixes issue loading query editor when data source variable selected. #61927, @torkelo

9.3.4 (2023-01-25)

Features and enhancements

Bug fixes

9.3.2 (2023-12-13)

Features and enhancements

Bug fixes

... (truncated)

Commits


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Altinity/clickhouse-grafana/network/alerts).
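The sanitize-url changelog quoted in the PR above describes three ways a `javascript:` href slipped past earlier versions: the scheme spelled out as HTML character references that a server-rendered page decodes before the browser sees it (fixed in 6.0.0), a tab character inside the word `javascript` (6.0.1), and invisible whitespace (5.0.2). The following is an added worked example, written for this page and not code from @braintree/sanitize-url or from the Altinity plugin, showing a minimal sanitizer that closes all three in the order a browser would apply them. The names `decodeHtmlEntities`, `stripInvisible`, `sanitizeUrl`, `runCases`, the `NAMED_ENTITIES` subset and the exact set of zero-width characters stripped are this example's own assumptions; the changelog entries above do not say which characters the library covers.

```javascript
// Added example, not the @braintree/sanitize-url implementation: a minimal
// href sanitizer covering the three bypasses named in the changelog
// (entity-encoded scheme, tab inside "javascript", invisible whitespace).

// Subset of named character references a browser decodes inside an
// attribute (constructed for this example; the real table is far larger).
const NAMED_ENTITIES = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
  colon: ":", Tab: "\t", NewLine: "\n",
};

// Step 1: decode decimal, hex and named character references, with or
// without the trailing semicolon, as a browser does when the server emits
// the URL into an href without escaping it. Decoding happens once, which
// is what the browser does for an attribute value.
function decodeHtmlEntities(str) {
  return str.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z]+);?/g, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body)
      ? NAMED_ENTITIES[body]
      : match;
  });
}

// Step 2: remove characters that must not be allowed to split or prefix a
// scheme. The WHATWG URL parser drops tab, LF and CR anywhere in the input
// and strips leading C0 controls and spaces; the zero-width characters are
// removed defensively (assumed set), in the spirit of the 5.0.2 fix.
const INVISIBLE_RE = /[\u0000-\u001F\u007F\u200B-\u200D\u2060\uFEFF]/g;

function stripInvisible(str) {
  return str.replace(INVISIBLE_RE, "");
}

// Step 3: isolate the scheme and reject the ones that execute script or
// smuggle content. A block-list mirrors the behaviour the changelog
// documents (payload in the path is allowed); an allow-list of http, https
// and mailto is stricter if relative URLs are handled separately.
const BLOCKED_SCHEMES = new Set(["javascript", "data", "vbscript"]);
const SCHEME_RE = /^([A-Za-z][A-Za-z0-9+.-]*):/;

function sanitizeUrl(input) {
  if (typeof input !== "string") return "about:blank";
  const url = stripInvisible(decodeHtmlEntities(input)).trim();
  if (url === "") return "about:blank";
  const m = SCHEME_RE.exec(url);
  if (m && BLOCKED_SCHEMES.has(m[1].toLowerCase())) return "about:blank";
  return url;
}

// Constructed inputs: the changelog's entity-encoded payload (decodes to
// javascript:alert('XSS')), the same payload inside a path, the tab-split
// scheme from 6.0.1, a named-entity colon, and a zero-width-space prefix.
const ENTITY_ENCODED_JS =
  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105" +
  "&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116" +
  "&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041";

const CASES = [
  ["entity-encoded scheme", ENTITY_ENCODED_JS],
  ["payload in path", "https://example.com/" + ENTITY_ENCODED_JS],
  ["tab inside scheme", "javasc\tript:alert('XSS')"],
  ["named entity colon", "javascript&colon;alert('XSS')"],
  ["zero-width prefix", "\u200Bjavascript:alert('XSS')"],
  ["plain https", "https://example.com/?a=1&b=2"],
];

// Returns [name, input, output] per case so results can be inspected.
function runCases() {
  return CASES.map(([name, input]) => [name, input, sanitizeUrl(input)]);
}

for (const [name, , out] of runCases()) console.log(name.padEnd(22), "->", out);
```

Run it with `node` and the first five cases print `about:blank` or the decoded https URL, the last one is returned untouched because `&b` is not a known reference. The order of the three steps matters: checking the scheme before decoding entities is exactly the gap the 6.0.0 entry describes, and checking it before stripping the tab is the 6.0.1 gap.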
dependabot[bot] commented 1 year ago

Looks like these dependencies are up-to-date now, so this is no longer needed.