Do not parse sourcemaps in post-css. This fixes a vulnerability in which information about the existence or non-existence of files on a server could be disclosed via properly crafted HTML input when the style attribute is allowed by the configuration. Thanks to the Snyk Security team for the disclosure and to Dylan Armstrong for the fix.
2.12.0 (2024-02-21)
Introduced the allowedEmptyAttributes option, enabling explicit specification of empty string values for select attributes, with the default attribute set to alt. Thanks to Na for the contribution.
Clarified the use of SVGs with a new test and changes to documentation. Thanks to Gauav Kumar for the contribution.
Do not process source maps when processing style tags with PostCSS.
Commits
4a7d7dd Merge pull request #654 from apostrophecms/release-2.12.1
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/OriginProtocol/oeth.com/network/alerts).
dependabot[bot]
commented
2 weeks ago
Bumps the npm_and_yarn group with 6 updates in the / directory:
1.5.11.6.013.4.1914.2.32.11.02.12.17.22.117.24.51.78.41.91.81.15.31.15.6Updates
axiosfrom 1.5.1 to 1.6.0Release notes
Sourced from axios's releases.
Changelog
Sourced from axios's changelog.
Commits
f7adacdchore(release): v1.6.0 (#6031)9917e67chore(ci): fix release-it arg; (#6032)96ee232fix(CSRF): fixed CSRF vulnerability CVE-2023-45857 (#6028)7d45ab2chore(tests): fixed tests to pass in node v19 and v20 withkeep-aliveenabl...5aaff53fix(dns): fixed lookup function decorator to work properly in node v20; (#6011)a48a63achore(docs): added AxiosHeaders docs; (#5932)a1c8ad0fix(types): fix AxiosHeaders types; (#5931)2ac731dchore(docs): update readme.md (#5889)Updates
nextfrom 13.4.19 to 14.2.3Release notes
Sourced from next's releases.
... (truncated)
Commits
2e7a96av14.2.3a230be4Clean-up fetch metrics tracking (#64746)73c2d63fix: remove traceparent from cachekey should not remove traceparent from orig...dd44191fix root page revalidation when redirecting in a server action (#64730)8b4c234prevent erroneous route interception during lazy fetch (#64692)d6a7ca0fix(fetch-cache): fix additional typo, add type & data validation (#64799)4a6b511Fix next/image usage in mdx (#64875)04cc13cFix mixed exports in server component with barrel optimization (#64894)8d01d49fix: mixing namespace import and named import client components (#64809)de84e3aFix: resolve mixed re-exports module as cjs (#64681)Updates
sanitize-htmlfrom 2.11.0 to 2.12.1Changelog
Sourced from sanitize-html's changelog.
Commits
4a7d7ddMerge pull request #654 from apostrophecms/release-2.12.1f8e02berelease 2.12.1c5dbdf7Merge pull request #650 from dylanarmstrong/fix/ignore-source-maps5a5a74eMerge pull request #652 from apostrophecms/add-thanks-to-changelogee71ff0Add community contribution thanks youa226fe7Merge pull request #651 from apostrophecms/release-2.12.0ff18600release 2.12.01e2294ctest: added test for postcss mapc376501doc: update changelog075499dfix: ignore source maps when processing with postcssUpdates
postcssfrom 8.4.30 to 8.4.31Release notes
Sourced from postcss's releases.
Changelog
Sourced from postcss's changelog.
Commits
90208deRelease 8.4.31 version58cc860Fix carrier return parsing4fff8e4Improve pnpm test outputcd43ed1Update dependenciescaa916bUpdate dependencies8972f76Typo11a5286TypoUpdates
@babel/traversefrom 7.22.11 to 7.24.5Release notes
Sourced from
@babel/traverse's releases.... (truncated)
Changelog
Sourced from
@babel/traverse's changelog.... (truncated)
Commits
ddbea7dv7.24.5e779cadfix: TypeScript annotation affects output (#16377)ee48754Use multiple TypeScript projects (#16430)4d8b2d0MakeNodePath\<T | U>distributive (#16439)a84ec28Enableeqeqeqrule (#16404)822b025v7.24.1fc0d5adUpdate typescript and lint tools (#16351)69e7928Consider well-known and registered symbols as literals (#16342)40110e9Update source map deps (#16327)ce59160v7.24.0Updates
@solana/web3.jsfrom 1.78.4 to 1.91.8Release notes
Sourced from
@solana/web3.js's releases.... (truncated)
Commits
4ea9bc9fix:@solana/web3.jsshould now be compatible with Vercel Edge runtime7b4f787Updaterpc-websocketsto 7.11.0 (#2610)f23c878Apply default input dependencies to every Turbo step (#2609)37bb626chore: bump@typescript-eslint/parserfrom 6.8.0 to 6.21.0 (#2604)b179c89chore: bump turbo from 1.13.0 to 1.13.3 (#2603)3554a13refactor(experimental): graphql: token-2022 extensions: cpi guard7c9a91erefactor(experimental): graphql: token-2022 extensions: default account state8f5af23refactor(experimental): graphql: token-2022 extensions: transfer hook4d84c7brefactor(experimental): graphql: token-2022 extensions: group member pointer37b8e09refactor(experimental): graphql: token-2022 extensions: group pointerMaintainer changes
This version was pushed to npm by lorisleiva, a new releaser for
@solana/web3.js since your current version.Updates
follow-redirectsfrom 1.15.3 to 1.15.6Commits
35a517cRelease version 1.15.6 of the npm package.c4f847fDrop Proxy-Authorization across hosts.8526b4aUse GitHub for disclosure.b1677ceRelease version 1.15.5 of the npm package.d8914f7Preserve fragment in responseUrl.6585820Release version 1.15.4 of the npm package.7a6567eDisallow bracketed hostnames.05629afPrefer native URL instead of deprecated url.parse.1cba8e8Prefer native URL instead of legacy url.resolve.72bc2a4Simplify _processResponse error handling.Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show