canonical / certification.ubuntu.com


Update dependency bleach to v3.3.0 [SECURITY] #139

Status: Closed (renovate[bot] closed 3 years ago)

renovate[bot] commented 3 years ago

WhiteSource Renovate

This PR contains the following updates:

| Package | Change |
|---|---|
| bleach | `==3.2.1` -> `==3.3.0` |

GitHub Vulnerability Alerts

CVE-2021-23980

Impact

A mutation XSS affects users calling bleach.clean with all of:

Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.

Patches

Users are encouraged to upgrade to bleach v3.3.0 or greater.

Note: bleach v3.3.0 introduces a breaking change to escape HTML comments by default.

Workarounds

References

Credits

For more information

If you have any questions or comments about this advisory:


Release Notes

mozilla/bleach

### [`v3.3.0`](https://togithub.com/mozilla/bleach/blob/master/CHANGES#Version-330-February-1st-2021)

[Compare Source](https://togithub.com/mozilla/bleach/compare/v3.2.3...v3.3.0)

**Backwards incompatible changes**

- clean escapes HTML comments even when strip_comments=False

**Security fixes**

- Fix bug [`1621692`](https://togithub.com/mozilla/bleach/commit/1621692) / GHSA-m6xf-fq7q-8743. See the advisory for details.

**Features**

None

**Bug fixes**

None

### [`v3.2.3`](https://togithub.com/mozilla/bleach/blob/master/CHANGES#Version-323-January-26th-2021)

[Compare Source](https://togithub.com/mozilla/bleach/compare/v3.2.2...v3.2.3)

**Security fixes**

None

**Features**

None

**Bug fixes**

- fix clean and linkify raising ValueErrors for certain inputs. Thank you [@Google-Autofuzz](https://togithub.com/Google-Autofuzz).

### [`v3.2.2`](https://togithub.com/mozilla/bleach/blob/master/CHANGES#Version-322-January-20th-2021)

[Compare Source](https://togithub.com/mozilla/bleach/compare/v3.2.1...v3.2.2)

**Security fixes**

None

**Features**

- Migrate CI to Github Actions. Thank you [@hugovk](https://togithub.com/hugovk).

**Bug fixes**

- fix linkify raising an IndexError on certain inputs. Thank you [@Google-Autofuzz](https://togithub.com/Google-Autofuzz).

Renovate configuration

:date: Schedule: "" (UTC).

:vertical_traffic_light: Automerge: Disabled by config. Please merge this manually once you are satisfied.

:recycle: Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

:no_bell: Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by WhiteSource Renovate. View repository job log here.
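The advisory above ties the issue to `bleach.clean` being called with `strip_comments=False` on a release before v3.3.0, and notes that v3.3.0 escapes HTML comments by default. As an added example (not part of this PR, of Renovate, or of bleach), the following audit flags both conditions in a repository: a vulnerable `==` pin in a requirements file and `bleach.clean` calls that disable comment stripping. The requirements format, the `bleach.clean(...)` call shape, the helper names and the sample inputs are assumptions constructed for the example.

```python
import ast
import re

FIXED_VERSION = (3, 3, 0)  # first bleach release carrying the CVE-2021-23980 fix

def parse_version(spec):
    """Turn '3.2.1' into (3, 2, 1); non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", spec))

def pinned_bleach_version(requirements_text):
    """Return the '==' pinned bleach version from a requirements file, or None."""
    for line in requirements_text.splitlines():
        m = re.match(r"\s*bleach\s*==\s*([\w.]+)", line, re.IGNORECASE)
        if m:
            return parse_version(m.group(1))
    return None

def clean_calls_disabling_comment_stripping(source):
    """Line numbers of bleach.clean(...) calls that pass strip_comments=False."""
    # Only calls spelled `bleach.clean(...)` are matched; an aliased import
    # (`from bleach import clean`) would need extra handling.
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if not (isinstance(f, ast.Attribute) and f.attr == "clean"
                and isinstance(f.value, ast.Name) and f.value.id == "bleach"):
            continue
        for kw in node.keywords:
            if (kw.arg == "strip_comments" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                hits.append(node.lineno)
    return hits

def audit(requirements_text, source):
    """Findings a reviewer would want before merging or closing this kind of PR."""
    findings = []
    version = pinned_bleach_version(requirements_text)
    if version is not None and version < FIXED_VERSION:
        findings.append("bleach %s pinned; upgrade to >= 3.3.0 (CVE-2021-23980)"
                        % ".".join(map(str, version)))
    for lineno in clean_calls_disabling_comment_stripping(source):
        findings.append("line %d: bleach.clean(strip_comments=False); from 3.3.0 "
                        "comments are escaped rather than passed through" % lineno)
    return findings

# Constructed sample inputs mirroring this PR's ==3.2.1 pin.
REQUIREMENTS = "flask==1.1.2\nbleach==3.2.1\n"
SOURCE = "import bleach\nsafe = bleach.clean(user_html, strip_comments=False)\n"
```

Running `audit(REQUIREMENTS, SOURCE)` on the constructed inputs returns two findings: the outdated pin and the call that will change behaviour after the upgrade.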

webteam-app commented 3 years ago

renovate[bot] is not a collaborator of the repo

codecov[bot] commented 3 years ago

Codecov Report

Merging #139 (98d46d3) into master (cd449f6) will increase coverage by 3.45%. The diff coverage is n/a.

| Impacted Files | Coverage Δ |
|---|---|
| webapp/app.py | 15.73% <0.00%> (+4.66%) :arrow_up: |

renovate[bot] commented 3 years ago

Renovate Ignore Notification

As this PR has been closed unmerged, Renovate will now ignore this update (==3.3.0). You will still receive a PR once a newer version is released, so if you wish to permanently ignore this dependency, please add it to the ignoreDeps array of your renovate config.

If this PR was closed by mistake or you changed your mind, you can simply rename this PR and you will soon get a fresh replacement PR opened.