chaibio / chaipcr

The software behind Chai's open-source Real-Time PCR instrument
https://www.chaibio.com

Bump loofah from 2.1.1 to 2.3.0 in /web #23

Closed dependabot[bot] closed 5 years ago

dependabot[bot] commented 5 years ago

Bumps loofah from 2.1.1 to 2.3.0.

Release notes

*Sourced from [loofah's releases](https://github.com/flavorjones/loofah/releases).*

> ## 2.3.0 / 2019-09-28
>
> ### Features
>
> * Expand set of allowed protocols to include `tel:` and `line:`. [#104, [#147](https://github-redirect.dependabot.com/flavorjones/loofah/issues/147)]
> * Expand set of allowed CSS functions. [related to [#122](https://github-redirect.dependabot.com/flavorjones/loofah/issues/122)]
> * Allow greater precision in shorthand CSS values. [#149](https://github-redirect.dependabot.com/flavorjones/loofah/issues/149) (Thanks, [@danfstucky](https://github.com/danfstucky)!)
> * Allow CSS property `list-style` [#162](https://github-redirect.dependabot.com/flavorjones/loofah/issues/162) (Thanks, [@jaredbeck](https://github.com/jaredbeck)!)
> * Allow CSS keywords `thick` and `thin` [#168](https://github-redirect.dependabot.com/flavorjones/loofah/issues/168) (Thanks, [@georgeclaghorn](https://github.com/georgeclaghorn)!)
> * Allow HTML property `contenteditable` [#167](https://github-redirect.dependabot.com/flavorjones/loofah/issues/167) (Thanks, [@andreynering](https://github.com/andreynering)!)
>
> ### Bug fixes
>
> * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165](https://github-redirect.dependabot.com/flavorjones/loofah/issues/165) (Thanks, [@asok](https://github.com/asok)!)
>
> ### Deprecations / Name Changes
>
> The following method and constants are hereby deprecated, and will be completely removed in a future release:
>
> * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
> * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
> * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.
>
> Thanks to [@JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github-redirect.dependabot.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive.
>
> ## v2.2.3
>
> Notably, this release addresses [CVE-2018-16468](https://github-redirect.dependabot.com/flavorjones/loofah/issues/154).
>
> ## v2.2.2
>
> ## 2.2.2 / 2018-03-22
>
> Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`, which was previously a private method. This is so that downstream gems (like rails-html-sanitizer) can use this logic directly for their own attribute scrubbers should they need to address CVE-2018-8048.
>
> ## v2.2.1
>
> Notably, this release mitigates [CVE-2018-8048](https://github-redirect.dependabot.com/flavorjones/loofah/issues/144).
Changelog

*Sourced from [loofah's changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md).*

> ## 2.3.0 / 2019-09-28
>
> ### Features
>
> * Expand set of allowed protocols to include `tel:` and `line:`. [#104, [#147](https://github-redirect.dependabot.com/flavorjones/loofah/issues/147)]
> * Expand set of allowed CSS functions. [related to [#122](https://github-redirect.dependabot.com/flavorjones/loofah/issues/122)]
> * Allow greater precision in shorthand CSS values. [#149](https://github-redirect.dependabot.com/flavorjones/loofah/issues/149) (Thanks, [@danfstucky](https://github.com/danfstucky)!)
> * Allow CSS property `list-style` [#162](https://github-redirect.dependabot.com/flavorjones/loofah/issues/162) (Thanks, [@jaredbeck](https://github.com/jaredbeck)!)
> * Allow CSS keywords `thick` and `thin` [#168](https://github-redirect.dependabot.com/flavorjones/loofah/issues/168) (Thanks, [@georgeclaghorn](https://github.com/georgeclaghorn)!)
> * Allow HTML property `contenteditable` [#167](https://github-redirect.dependabot.com/flavorjones/loofah/issues/167) (Thanks, [@andreynering](https://github.com/andreynering)!)
>
> ### Bug fixes
>
> * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165](https://github-redirect.dependabot.com/flavorjones/loofah/issues/165) (Thanks, [@asok](https://github.com/asok)!)
>
> ### Deprecations / Name Changes
>
> The following method and constants are hereby deprecated, and will be completely removed in a future release:
>
> * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
> * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
> * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.
>
> Thanks to [@JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github-redirect.dependabot.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive.
>
> ## 2.2.3 / 2018-10-30
>
> ### Security
>
> Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
>
> This CVE's public notice is at [flavorjones/loofah#154](https://github-redirect.dependabot.com/flavorjones/loofah/issues/154)
>
> ## Meta / 2018-10-27
>
> The mailing list is now on Google Groups [#146](https://github-redirect.dependabot.com/flavorjones/loofah/issues/146):
>
> * Mail: loofah-talk@googlegroups.com
> * Archive: https://groups.google.com/forum/#!forum/loofah-talk
>
> This change was made because librelist no longer appears to be maintained.
>
> ## 2.2.2 / 2018-03-22
>
> Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`,
> ... (truncated)
Commits

- [`f6d4c2d`](https://github.com/flavorjones/loofah/commit/f6d4c2d1b094e33848ed454f4a69f3c12cd44084) version bump to v2.3.0
- [`08fee8c`](https://github.com/flavorjones/loofah/commit/08fee8c85fb9e1c5a910491c1f5a8f8926a0600d) update dev deps
- [`b68fc28`](https://github.com/flavorjones/loofah/commit/b68fc28c15e6919eafce1b92ef91af07a074e63c) update README to work with modern Hoe
- [`69f5920`](https://github.com/flavorjones/loofah/commit/69f59209c865ec4fe70e81ae0e060c824f65233f) update Manifest
- [`46daa07`](https://github.com/flavorjones/loofah/commit/46daa07c108f42906758efd88f9f0596e26efade) Merge branch 'jf.safelist'
- [`775ab31`](https://github.com/flavorjones/loofah/commit/775ab313bad253c27640a1be61853b6899c3cbb0) formatting CHANGELOG
- [`1372f43`](https://github.com/flavorjones/loofah/commit/1372f435ad9637b34be1cf26c513ef0685fdfb0e) Only call deprecate_constant if available
- [`b078a0a`](https://github.com/flavorjones/loofah/commit/b078a0a377b6aa75985ac8a820d9070eae02460a) Use safelist consistently
- [`7cda121`](https://github.com/flavorjones/loofah/commit/7cda1210a99721b4fa6fc0f659ac75f00bec6b11) Use safelist(s), allowlist(s) where applicable
- [`6c5ff2d`](https://github.com/flavorjones/loofah/commit/6c5ff2d23d98f0263903f55ea1d49efc87731b5f) update CHANGELOG
- Additional commits viewable in [compare view](https://github.com/flavorjones/loofah/compare/v2.1.1...v2.3.0)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/chaibio/chaipcr/network/alerts).
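A check a maintainer would want alongside a bump like this one: does the lockfile still pin a loofah version that predates the fixes named in the release notes above? The Ruby script below is an added example, not code from the chaipcr repository or from the loofah project. It parses the `specs:` blocks of a Gemfile.lock (a constructed excerpt is embedded; pass a real path as the first argument to audit your own) and reports which of the two advisories quoted above, CVE-2018-8048 (mitigated in 2.2.1) and CVE-2018-16468 (addressed in 2.2.3), still apply at the pinned version. The advisory table, the sample lockfile contents and the function names are the example's own assumptions; only the Ruby standard library is used.

```ruby
require "rubygems" # Gem::Version; already loaded by default in modern Ruby

# Constructed Gemfile.lock excerpt for demonstration only; it is not the
# chaipcr repository's real lockfile. loofah is pinned at 2.1.1, the version
# this PR bumps away from.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.1.1)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.10.4)
        mini_portile2 (~> 2.4.0)
      rails-html-sanitizer (1.0.4)
        loofah (~> 2.2, >= 2.2.2)

  PLATFORMS
    ruby
LOCK

# Advisories named in the loofah release notes quoted in this PR, with the
# first version in which each is fixed. Hand-maintained table for the example;
# a real audit would pull this from an advisory database.
LOOFAH_ADVISORIES = [
  { cve: "CVE-2018-8048",  fixed_in: "2.2.1" },
  { cve: "CVE-2018-16468", fixed_in: "2.2.3" },
].freeze

# Parse every "specs:" block of a Gemfile.lock into { gem name => Gem::Version }.
# Top-level specs are indented four spaces; deeper lines are dependency
# constraints and are ignored. A blank line or a new section header ends a block.
def parse_lock_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if in_specs && (line.strip.empty? || line =~ /\A\S/)
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      # Drop a platform suffix such as "-java" so Gem::Version can parse it.
      specs[m[1]] = Gem::Version.new(m[2].split("-", 2).first)
    end
  end
  specs
end

# Compare the pinned loofah version against the advisory table and return a
# hash describing what is still open at that version.
def audit_loofah(lock_text)
  version = parse_lock_specs(lock_text)["loofah"]
  return { present: false } if version.nil?

  open_cves = LOOFAH_ADVISORIES
    .select { |adv| version < Gem::Version.new(adv[:fixed_in]) }
    .map { |adv| adv[:cve] }
  minimum_safe = LOOFAH_ADVISORIES.map { |adv| Gem::Version.new(adv[:fixed_in]) }.max

  {
    present: true,
    version: version.to_s,
    open_cves: open_cves,
    minimum_safe: minimum_safe.to_s,
  }
end

if $PROGRAM_NAME == __FILE__
  # Audit a real lockfile when a path is given, otherwise the constructed sample.
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  result = audit_loofah(lock)
  if !result[:present]
    puts "loofah is not in this lockfile"
  elsif result[:open_cves].empty?
    puts "loofah #{result[:version]}: no open advisories from the table"
  else
    puts "loofah #{result[:version]}: open #{result[:open_cves].join(', ')}; " \
         "bump to >= #{result[:minimum_safe]}"
  end
end
```

Against the sample, the script reports both CVEs open at 2.1.1 and a required minimum of 2.2.3; substituting 2.3.0 (the version this PR moves to) clears the table. The indentation-based parser matters because a line such as `loofah (~> 2.2, >= 2.2.2)` under rails-html-sanitizer is a constraint, not the pinned version, and must not be mistaken for it.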
dependabot[bot] commented 5 years ago

Superseded by #37.