Closed dependabot[bot] closed 1 year ago
Bumps @braintree/sanitize-url to 6.0.1 and updates ancestor dependencies @braintree/sanitize-url, @grafana/data, @grafana/runtime and @grafana/ui. These dependencies need to be updated together.
Updates @braintree/sanitize-url from 4.0.0 to 6.0.1
Sourced from @braintree/sanitize-url's changelog.
6.0.1
- Fix issue where urls in the form `javascript:alert('xss');` were not properly sanitized
- Fix issue where urls in the form `javasc	ript:alert('XSS');` were not properly sanitized

6.0.0
Breaking Changes
- Decode HTML characters automatically that would result in an XSS vulnerability when rendering links via a server rendered HTML file

```js
// decodes to javascript:alert('XSS')
const vulnerableUrl =
  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041";

sanitizeUrl(vulnerableUrl); // 'about:blank'

const okUrl = "https://example.com/" + vulnerableUrl;

// since the javascript bit is in the path instead of the protocol
// this is successfully sanitized
sanitizeUrl(okUrl); // 'https://example.com/javascript:alert('XSS');
```

5.0.2
- Fix issue where certain invisible white space characters were not being sanitized (#35)

5.0.1
- Fix issue where certain safe characters were being filtered out (#31 thanks @akirchmyer)

5.0.0
Breaking Changes
- Sanitize vbscript urls (thanks @vicnicius)

4.1.1
- Fixup path to type declaration (closes #25)

4.1.0
- Add typescript types

4.0.1
- Fix issue where urls with accented characters were incorrectly sanitized
This version was pushed to npm by braintree, a new releaser for @braintree/sanitize-url since your current version.
Updates @grafana/data from 7.5.11 to 9.3.0-beta1
Sourced from @grafana/data's releases.
... (truncated)
Sourced from @grafana/data's changelog.
9.3.0-beta1 (2022-11-15)
Features and enhancements
- Alerting: Add Alertmanager choice warning. #55311, @konrad147
- Alerting: Add support for linking external images securely - Azure Blob (#1). #56598, @petr-stupka
- Alerting: Add threshold expression. #55102, @gillesdemey
- Alerting: Add traceability headers for alert queries. #57127, @alexweav
- Alerting: Allow none provenance alert rule creation from provisioning API. #58410, @alexmobo
- Alerting: Cache result of dashboard ID lookups. #56587, @alexweav
- Alerting: Expressions pipeline redesign. #54601, @gillesdemey
- Alerting: Fall back to "range" query type for unified alerting when "both" is specified. #57288, @gillesdemey
- Alerting: Implement the Webex notifier. #58480, @gotjosh
- Alerting: Improve group modal with validation on evaluation interval. #57830, @soniaAguilarPeiron
- Alerting: Persist annotations from multidimensional rules in batches. #56575, @alexweav
- Alerting: Query time logging. #57585, @konrad147
- Alerting: Remove the alert manager selection from the data source configuration. #57369, @VikaCep
- Alerting: Remove the alert manager selection from the data source configuration. #56460, @gitstart
- Alerting: Support values in notification templates. #56457, @grobinson-grafana
- Alerting: Templated URLs for webhook type contact points. #57296, @santihernandezc
- Annotations: Disable "Add annotation" button when annotations are disabled. #57481, @ryantxu
- Auth: Add validation and ingestion of conflict file. #53014, @eleijonmarck
- Auth: Make built-in login configurable. #46978, @TsotosA
- Auth: Refresh OAuth access_token automatically using the refresh_token. #56076, @mgyongyosi
- Auth: Validate Azure ID token version on login is not v1. #58088, @Jguer
- BackendSrv: Make it possible to pass `options` to `.get|post|patch...` methods. #51316, @leventebalogh
- Canvas: Add tabs to inline editor. #57778, @adela-almasan
- Canvas: Extend root context menu. #58097, @adela-almasan
- Chore: Switch Grafana to using faro libraries. #58186, @tolzhabayev
- Chore: Use strings.ReplaceAll and preallocate containers. #58483, @sashamelentyev
- CloudWatch: Cache resource request responses in the browser. #57082, @sunker
- Config: Change jwt config value to be "expect_claims". #58284, @conorevans
- Configuration: Update ssl_mode documentation in sample.ini to match default.ini. #55138, @alecxvs
- Correlations: Add query editor and target field to settings page. #55567, @Elfo404
- Dashboard: Record the number of cached queries for usage insights. #56050, @juanicabanas
- Dashboard: Record the number of cached queries for usage insights. (Enterprise)
- Datasources: Support mixed datasources in a single query. #56832, @mmandrus
- Docs: Add documentation for Custom Branding on Public Dashboards. #58090, @leandro-deveikis
- Docs: Add missing documentation for enterprise features. #56753, @mmandrus
- Docs: Clarify that audit logs are generated only for API requests. #57521, @spinillos
- Echo: Add config option to prevent duplicate page views for GA4. #57619, @tolzhabayev
- Elasticsearch: Add trace to logs functionality. #58063, @ivanahuckova
- Elasticsearch: Reuse http client in the backend. #55172, @gabor
- Explore: Add tracesToMetrics span time shift options (#54710). #55335, @hanjm
- Explore: Logs volume histogram: always start Y axis from zero. #56200, @gabor
- Explore: Remove explore2Dashboard feature toggle. #58329, @Elfo404
- Explore: Support fields interpolation in logs panel. #58426, @ifrost
- Frontend Routing: Always render standalone plugin pages using the `<AppRootPage>`. #57771, @leventebalogh
- GRPC Server: Add gRPC server service. #47849, @FZambia
- Geomap: Add photo layer. #57307, @drew08t
Updates @grafana/runtime from 7.5.11 to 9.3.0-beta1
Sourced from @grafana/runtime's releases.
Sourced from @grafana/runtime's changelog.
Updates @grafana/ui from 7.5.11 to 9.3.0-beta1
Sourced from @grafana/ui's releases.
... _Description has been truncated_
Commits in @braintree/sanitize-url (4.0.0 to 6.0.1):
- ab8d43d 6.0.1
- 768e954 chore: update version in changelog
- d4bdc89 Fix html entity tab (#45)
- b70161d chore: fix CHANGELOG formatting
- eb4a764 chore: update dev dependencies
- 071dbfb chore: update dependencies
- 34fc643 6.0.0
- 5c0b288 chore: update version in changelog
- 8f7371c feat: decode html entities before sanitizing (#40)
- abff5b1 chore: update dev dependencies

Commits in @grafana/data (7.5.11 to 9.3.0-beta1):
- 83bd572 Chore: Update version (#58750)
- 028751a Navigation: Add quick actions button (#58707)
- 4915d21 OAuth: Feature toggle for access token expiration check and docs (#58179)
- 1c50390 Prometheus: Make Prometheus streaming parser as default client (#58365)
- 261d620 Elasticsearch: Add feature toggle for backend migration (#58585)
- 159607f Navigation: Convert `PluginDetails` page to use new `Page` extensions (#58509)
- 008c554 Echo: Add config option to prevent duplicate page views for GA4 (#57619)
- 93c1fbb Remove data comparison tool and feature flag (#58196)
- 43436bd Explore: Remove explore2Dashboard feature toggle (#58329)
- eb3ee35 Frontend Routing: Always render standalone plugin pages using the `<AppRootPa...

Commits in @grafana/runtime (7.5.11 to 9.3.0-beta1):
- 83bd572 Chore: Update version (#58750)
- d33939d DataSourceWithBackend: Add plugin id to the request headers (#58082)
- 008c554 Echo: Add config option to prevent duplicate page views for GA4 (#57619)
- b3c761a Navigation: Expose new props to extend `Page`/`PluginPage` (#58465)
- 228ec4c Chore: Switch Grafana to using faro libraries (#58186)
- 5f5b352 Update dependency rollup-plugin-dts to v5 (#58258)
- 10ee9f1 Update dependency rollup-plugin-node-externals to v5 (#58259)
- 15b553c Update dependency @rollup/plugin-node-resolve to v15 (#58130)
- cf5f88c Update dependency @rollup/plugin-commonjs to v23 (#58075)
- 915ebcf Search: Refactor state and logic to be less fragmented and spread out (#57973)
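The @braintree/sanitize-url 6.0.0 and 6.0.1 changelog entries quoted in this PR describe decoding HTML entities before the scheme check. The following is an added example, not part of the PR or the library's source, showing why a check on the raw string misses an entity-encoded scheme and how decoding first closes that gap. All function names, the entity table and the sample inputs are constructed for illustration.

```javascript
// Added illustration; not the @braintree/sanitize-url source. All names are hypothetical.
const BLOCKED_SCHEMES = new Set(["javascript:", "data:", "vbscript:"]);
const NAMED = { colon: ":", tab: "\t", newline: "\n" }; // constructed subset of named entities
const SAFE_FALLBACK = "about:blank";

// Out-of-range numeric references become U+FFFD instead of throwing.
const fromCode = (n) => (n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : "\uFFFD");

// Resolve, in one pass, the character references an HTML parser would decode
// inside an attribute value. Numeric references may omit the trailing ';'.
function decodeEntities(s) {
  return s.replace(
    /&#x([0-9a-f]+);?|&#(\d+);?|&(colon|tab|newline);/gi,
    (_, hex, dec, name) =>
      hex !== undefined ? fromCode(parseInt(hex, 16))
      : dec !== undefined ? fromCode(parseInt(dec, 10))
      : NAMED[name.toLowerCase()]
  );
}

// Raw-string check: never sees a scheme that only exists after decoding.
function naiveSanitize(url) {
  return /^\s*(javascript|data|vbscript):/i.test(url) ? SAFE_FALLBACK : url;
}

// Decode first, then drop whitespace and control characters (a superset of
// what URL parsers ignore) before testing the scheme.
function decodeThenSanitize(url) {
  const decoded = decodeEntities(String(url));
  const compact = decoded.replace(/[\u0000-\u0020\u007F-\u009F\u200B-\u200D\uFEFF]/g, "");
  const scheme = compact.match(/^[a-z][a-z0-9+.-]*:/i);
  if (scheme && BLOCKED_SCHEMES.has(scheme[0].toLowerCase())) return SAFE_FALLBACK;
  return decoded.trim();
}

// Constructed inputs: the changelog's string rebuilt as zero-padded decimal
// references, a tab-in-scheme variant, and the same entities placed in a path.
const encode = (s) =>
  [...s].map((c) => "&#" + String(c.codePointAt(0)).padStart(7, "0")).join("");
const entityUrl = encode("javascript:alert('XSS')");
const tabUrl = "javasc&Tab;ript:alert('XSS');";
const pathUrl = "https://example.com/" + entityUrl;

function demo() {
  return {
    naiveEntity: naiveSanitize(entityUrl),      // returned unchanged
    fixedEntity: decodeThenSanitize(entityUrl), // replaced by the fallback
    fixedTab: decodeThenSanitize(tabUrl),       // replaced by the fallback
    fixedPath: decodeThenSanitize(pathUrl),     // scheme is https, so kept
  };
}
```

When reviewing a bump like this one, the same inputs make a quick regression check against the upgraded package's `sanitizeUrl`.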