alphagov / accessibility-personas

Experience the web as personas with access needs
https://alphagov.github.io/accessibility-personas/
MIT License
25 stars 6 forks source link

[Security] Bump rexml from 3.2.4 to 3.2.5 #61

Closed dependabot-preview[bot] closed 1 year ago

dependabot-preview[bot] commented 3 years ago

Bumps rexml from 3.2.4 to 3.2.5. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

XML round-trip vulnerability in REXML When parsing and serializing a crafted XML document, REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one.

Patched versions: >= 3.2.5 Unaffected versions: none

Changelog

Sourced from rexml's changelog.

3.2.5 - 2021-04-05 {#version-3-2-5}

Improvements

  • Add more validations to XPath parser.

  • require "rexml/docuemnt" by default. [GitHub#36][Patch by Koichi ITO]

  • Don't add #dcloe method to core classes globally. [GitHub#37][Patch by Akira Matsuda]

  • Add more documentations. [Patch by Burdette Lamar]

  • Added REXML::Elements#parent. [GitHub#52][Patch by Burdette Lamar]

Fixes

Thanks

  • Koichi ITO

  • Akira Matsuda

  • Burdette Lamar

  • Juho Nurminen

Commits
  • a622645 Add 3.2.5 entry
  • 3c137eb Fix a parser bug that some data may be ignored before DOCTYPE
  • 9b311e5 Fix a bug that invalid document declaration may be accepted
  • f9d88e4 Fix a bug that invalid document declaration may be generated
  • f7bab89 Fix a bug that invalid element end may be accepted
  • 6a250d2 Fix a bug that invalid element start may be accepted
  • 2fe62e2 Fix a bug that invalid notation declaration may be accepted
  • a659c63 Fix a bug that invalid notation declaration may be generated
  • 790dd11 Use ruby/setup-ruby (#66)
  • eda1b20 Clean up and enhance high-level RDoc (#65)
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)
selfthinker commented 1 year ago

I believe this was fixed by #90 and not closed by dependabot again afterwards because of its belated upgrade in #62.