SplashSync / Sylius-Bundle

Splash Bundle for Sylius E-Commerce Solution
MIT License

Bump sylius/sylius from 1.4.3 to 1.6.9 #6

Closed dependabot[bot] closed 3 years ago

dependabot[bot] commented 3 years ago

Bumps sylius/sylius from 1.4.3 to 1.6.9.

Release notes

Sourced from sylius/sylius's releases.

v1.6.9

v1.6.8

v1.6.5

CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments

Please refer to the original security advisory for the most updated information.

Impact:

This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.

However, if no sylius_channel.debug is set explicitly in the configuration, the default value, which is %kernel.debug%, will not be resolved and will be cast to boolean, enabling this debug feature even if that parameter is set to false.

Patches:

A patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.

Workarounds:

Unsupported versions could be patched by adding the following configuration to run in production:

sylius_channel:
    debug: false

Details

... (truncated)

Changelog

Sourced from sylius/sylius's changelog.

CHANGELOG FOR 1.4.X

v1.4.12 (2020-01-27)

CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments

Please refer to the original security advisory for the most updated information.

Impact:

This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.

However, if no sylius_channel.debug is set explicitly in the configuration, the default value, which is %kernel.debug%, will not be resolved and will be cast to boolean, enabling this debug feature even if that parameter is set to false.

Patches:

A patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.

Workarounds:

Unsupported versions could be patched by adding the following configuration to run in production:

sylius_channel:
    debug: false

v1.4.10, v1.4.11 (2019-12-03, 2019-12-05)

CVE-2019-16768: Internal exception message exposure in login action.

Details:

Exception messages from internal exceptions (like a database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to the UI. Therefore, some internal system information may leak and be visible to the customer.

A validation message with the exception details will be presented to the user when one tries to log into the shop.

Solution:

This release patches the reported vulnerability. The src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig file from Sylius should be overridden and {{ messages.error(last_error.message) }} changed to {{ messages.error(last_error.messageKey) }}.

v1.4.9 (2019-10-09)

The last bugfix release for v1.4.x.

Details

... (truncated)

Commits
  • 9ac0c41 Generate changelog for v1.6.9
  • 0e043be [Release] Change application version to v1.6.9
  • c429c1e bug #11944 [Shop] Disabling customer when email has been changed (lchrusciel)
  • 2b6d575 [Behat] Remove dead class
  • f9c02e7 [Maintenance] Adjusting symfony.lock to lowest supported PHP version
  • 8ce48a8 [Shop] Move email updater listener definition to proper folder
  • e5bb1bc [Core] Test tag resolver compiler pass
  • c8b0f40 [Core] Add tag resolver compiler pass
  • ca512d0 [Admin][Shop][AdminApi] Section resolvers implemented
  • 96e1e08 [Composer] Conflict Doctrine/Inflector
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/SplashSync/Sylius-Bundle/network/alerts).
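The CVE-2020-5218 entry quoted above says the unresolved `%kernel.debug%` default is cast to boolean. The PHP below is an added illustration of that mechanism and is not Sylius's or Symfony's code: `ParameterResolver`, `debugFlagVulnerable`, `debugFlagFixed` and `effectiveChannelCode` are stand-ins written for this example. It shows that `(bool) '%kernel.debug%'` is always true, that resolving the placeholder first gives the real `kernel.debug` value, and that the advisory's workaround (an explicit `debug: false`) bypasses the default entirely.

```php
<?php
// Added illustration of the CVE-2020-5218 mechanism. Not Sylius code:
// every class and function here is an assumption made for the example.
declare(strict_types=1);

/**
 * Minimal stand-in for a container parameter bag: resolves a "%name%"
 * placeholder against a parameter map. Assumption, not Symfony's class.
 */
final class ParameterResolver
{
    /** @param array<string, mixed> $parameters */
    public function __construct(private array $parameters) {}

    public function resolve(mixed $value): mixed
    {
        if (is_string($value) && preg_match('/^%([^%]+)%$/', $value, $m)) {
            if (!array_key_exists($m[1], $this->parameters)) {
                throw new RuntimeException(sprintf('Unknown parameter "%s"', $m[1]));
            }
            return $this->parameters[$m[1]];
        }
        return $value;
    }
}

/**
 * Vulnerable pattern: the bundle default is the raw placeholder string and
 * it is cast to bool without being resolved. A non-empty string other than
 * "0" is truthy in PHP, so the debug switch is on even in production.
 */
function debugFlagVulnerable(array $bundleConfig): bool
{
    $raw = $bundleConfig['debug'] ?? '%kernel.debug%';
    return (bool) $raw; // unresolved placeholder => true
}

/**
 * Corrected pattern: resolve the placeholder against the container
 * parameters before casting, so the default really follows kernel.debug.
 */
function debugFlagFixed(array $bundleConfig, ParameterResolver $resolver): bool
{
    $raw = $bundleConfig['debug'] ?? '%kernel.debug%';
    return (bool) $resolver->resolve($raw);
}

/**
 * Where the flag matters: the _channel_code query parameter is honoured
 * only when the debug flag is true. Returns the channel code served.
 */
function effectiveChannelCode(array $query, string $hostChannel, bool $debug): string
{
    if ($debug && isset($query['_channel_code']) && is_string($query['_channel_code'])) {
        return $query['_channel_code'];
    }
    return $hostChannel;
}

// --- Demonstration with constructed values ---------------------------------
$resolver = new ParameterResolver(['kernel.debug' => false]); // production container
$query    = ['_channel_code' => 'OTHER_CHANNEL'];            // constructed request

// 1. No explicit sylius_channel.debug in the bundle config (the default path).
$noExplicitConfig = [];
$vuln  = debugFlagVulnerable($noExplicitConfig);        // true  (bug)
$fixed = debugFlagFixed($noExplicitConfig, $resolver);  // false (correct)
printf("default, cast unresolved: debug=%s -> channel=%s\n",
    var_export($vuln, true), effectiveChannelCode($query, 'WEB_US', $vuln));
printf("default, resolved first:  debug=%s -> channel=%s\n",
    var_export($fixed, true), effectiveChannelCode($query, 'WEB_US', $fixed));

// 2. The advisory's workaround: set sylius_channel.debug: false explicitly.
$workaround = ['debug' => false];
$wv = debugFlagVulnerable($workaround);                 // false even on the buggy path
printf("explicit debug: false:    debug=%s -> channel=%s\n",
    var_export($wv, true), effectiveChannelCode($query, 'WEB_US', $wv));
```

Running this prints `OTHER_CHANNEL` for the first case only: the unresolved default lets the query parameter pick the channel, while both the resolved default and the explicit `debug: false` keep the host's channel. The practical check for an unsupported Sylius version is therefore to confirm that `sylius_channel.debug` is set explicitly in the production configuration, as the advisory's workaround describes.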
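The CVE-2019-16768 entry above explains that the login template rendered `last_error.message` instead of `last_error.messageKey`. The PHP below is an added example of why that matters and is not Sylius's or Symfony's code: `AuthenticationServiceExceptionStandIn` and `DatabaseExceptionStandIn` are stand-ins modelled on the shape of Symfony's exception classes (a `getMessage()` that carries the wrapped cause and a `getMessageKey()` that returns a fixed, translatable key), and the connection-string text is constructed.

```php
<?php
// Added illustration for CVE-2019-16768. Not Sylius or Symfony code: both
// exception classes are stand-ins, and all messages are constructed.
declare(strict_types=1);

/** Stand-in for a driver-level database exception (constructed). */
final class DatabaseExceptionStandIn extends RuntimeException {}

/**
 * Stand-in mirroring the shape of Symfony's AuthenticationServiceException:
 * getMessage() is whatever the wrapped exception said, getMessageKey() is a
 * fixed key that reveals nothing about the internal cause.
 */
final class AuthenticationServiceExceptionStandIn extends RuntimeException
{
    public function getMessageKey(): string
    {
        return 'Authentication request could not be processed due to a system problem.';
    }
}

/** Simulated user lookup whose database is unreachable. Constructed. */
function loadUserFromDatabase(string $username): void
{
    throw new DatabaseExceptionStandIn(
        'SQLSTATE[HY000] [2002] Connection refused (host=db-internal.example, user=shop_rw)'
    );
}

/** Mirrors the wrapping described in the advisory: internal message propagates. */
function authenticate(string $username): ?AuthenticationServiceExceptionStandIn
{
    try {
        loadUserFromDatabase($username);
    } catch (DatabaseExceptionStandIn $e) {
        return new AuthenticationServiceExceptionStandIn($e->getMessage(), 0, $e);
    }
    return null;
}

/** Vulnerable template behaviour: {{ messages.error(last_error.message) }} */
function renderLoginErrorVulnerable(AuthenticationServiceExceptionStandIn $lastError): string
{
    return $lastError->getMessage();
}

/** Fixed template behaviour: {{ messages.error(last_error.messageKey) }} */
function renderLoginErrorFixed(AuthenticationServiceExceptionStandIn $lastError): string
{
    return $lastError->getMessageKey();
}

// --- Demonstration -------------------------------------------------------
$lastError = authenticate('customer@example.com');
echo "vulnerable: ", renderLoginErrorVulnerable($lastError), "\n"; // leaks host/user
echo "fixed:      ", renderLoginErrorFixed($lastError), "\n";      // generic key only
```

The first line shows the internal host and database user reaching the customer-facing page; the second shows only the generic key, which is what the overridden `_login.html.twig` renders after the change the advisory describes.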
dependabot[bot] commented 3 years ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.