Changelog
*Sourced from [secure_headers's changelog](https://github.com/twitter/secure_headers/blob/master/CHANGELOG.md).*
> ## 6.3.0
>
> Fixes newline injection issue
>
> ## 6.2.0
>
> Fixes semicolon injection issue reported by [@mvgijssel](https://github.com/mvgijssel) see [twitter/secure_headers#418](https://github-redirect.dependabot.com/twitter/secure_headers/issues/418)
>
> ## 6.1.2
>
> Adds the ability to specify `SameSite=none` with the same configurability as `Strict`/`Lax` in order to disable Chrome's soon-to-be-lax-by-default state.
>
> ## 6.1.1
>
> Adds the ability to disable the automatically-appended `'unsafe-inline'` value when nonces are used [#404](https://github-redirect.dependabot.com/twitter/secureheaders/issues/404) ([@will](https://github.com/will))
>
> ## 6.1
>
> Adds support for navigate-to, prefetch-src, and require-sri-for [#395](https://github-redirect.dependabot.com/twitter/secureheaders/issues/395)
>
> NOTE: this version is a breaking change due to the removal of HPKP. Remove the HPKP config, the standard is dead. Apologies for not doing a proper deprecate/major rev cycle :pray:
>
> ## 6.0
>
> - See the [upgrading to 6.0](https://github.com/twitter/secure_headers/blob/master/docs/upgrading-to-6-0.md) guide for the breaking changes.
>
> ## 5.0.5
>
> - A release to deprecate `SecureHeaders::Configuration#get` in prep for 6.x
>
> ## 5.0.4
>
> - Adds support for `nonced_stylesheet_pack_tag` [#373](https://github-redirect.dependabot.com/twitter/secureheaders/issues/373) ([@paulfri](https://github.com/paulfri))
>
> ## 5.0.3
>
> - Add nonced versions of Rails link/include tags [#372](https://github-redirect.dependabot.com/twitter/secureheaders/issues/372) ([@steveh](https://github.com/steveh))
>
> ## 5.0.2
>
> - Updates `Referrer-Policy` header to support multiple policy values
>
> ## 5.0.1
>
> - Updates `Expect-CT` header to use a comma separator between directives, as specified in the most current spec.
>
> ## 5.0.0
>
> Well this is a little embarrassing. 4.0 was supposed to set the secure/httponly/samesite=lax attributes on cookies by default but it didn't. Now it does. - See the [upgrading to 5.0](https://github.com/twitter/secure_headers/blob/master/docs/upgrading-to-5-0.md) guide.
>
> ... (truncated)
Commits
- [`722a690`](https://github.com/twitter/secure_headers/commit/722a69051acce9d26ab0d0648fe10fd2ff77baa8) bump to 6.3
- [`3016957`](https://github.com/twitter/secure_headers/commit/301695706f6a70517c2a90c6ef9b32178440a2d0) Merge pull request from GHSA-w978-rmpf-qmwg
- [`3a2b548`](https://github.com/twitter/secure_headers/commit/3a2b548223de854ab9768ae07acedfcd2ac211e3) Filter and warn on newlines
- [`1298905`](https://github.com/twitter/secure_headers/commit/1298905068931621a2c1988b175a1da186bcd641) bump to 6.2
- [`6e38cb4`](https://github.com/twitter/secure_headers/commit/6e38cb41d2918d85e9a9e31a6489e99809c840ad) Merge pull request [#419](https://github-redirect.dependabot.com/twitter/secureheaders/issues/419) from twitter/escape-semi-colons
- [`eed6c16`](https://github.com/twitter/secure_headers/commit/eed6c1606feaa874ba53b2ba0e2405accd8d1105) lint
- [`3c4b86e`](https://github.com/twitter/secure_headers/commit/3c4b86edd6745275da22d92290872da202d73e64) escape semicolons by replacing them with spaces
- [`2068ba7`](https://github.com/twitter/secure_headers/commit/2068ba7bb63fb98786db828091cb52304bcae560) clean up some warnings
- [`86c762a`](https://github.com/twitter/secure_headers/commit/86c762aea480d0a776246652586f93e026f6799f) Remove outdated APL license blurb from readme, use only the LICENSE file
- [`902041b`](https://github.com/twitter/secure_headers/commit/902041bab6b3e7c29644f49d6dd0ef75b9c5bbb0) Do years even matter?
- Additional commits viewable in [compare view](https://github.com/twitter/secureheaders/compare/v3.6.5...v6.3.0)
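The two security fixes in this bump (6.2.0 "escape semicolons by replacing them with spaces", 6.3.0 "Filter and warn on newlines") both address the same defect class: a source value that reaches a Content-Security-Policy header from runtime input can contain the characters the header grammar treats as separators, so one value can add a directive (`;`) or terminate the header line (`\r`/`\n`). The Ruby below is an added example written for this page, not secure_headers' own implementation; the function names, the directive hash layout and the sample untrusted value are all constructed for illustration. It shows the mitigation the commits describe: neutralise the separator characters per source value, emit a warning when that happened, and check that the number of directives rendered equals the number configured.

```ruby
# Added example (not secure_headers' code): neutralise CSP separator
# characters in individual source values before they are joined into a
# Content-Security-Policy header, mirroring the 6.2.0 / 6.3.0 fixes.

# ';' separates directives inside the header value; "\r" and "\n" would
# terminate the header line. Neither may appear inside a single source value.
UNSAFE_CSP_CHARS = /[;\r\n]/.freeze

# Returns [sanitized_value, warnings]. Semicolons become spaces (as the
# 6.2.0 commit does); CR/LF are removed (the 6.3.0 "filter and warn" fix).
def sanitize_csp_value(value)
  return [value, []] unless value.match?(UNSAFE_CSP_CHARS)

  warnings = []
  sanitized = value.dup
  if sanitized.include?(";")
    warnings << "semicolon replaced with space in #{value.inspect}"
    sanitized = sanitized.tr(";", " ")
  end
  if sanitized.match?(/[\r\n]/)
    warnings << "newline removed from #{value.inspect}"
    sanitized = sanitized.delete("\r\n")
  end
  [sanitized, warnings]
end

# Builds the header from a { "directive-name" => [sources...] } hash.
# Every source is sanitized on its own, so no single untrusted source can
# smuggle in a further directive or a further header line.
def build_csp_header(directives)
  warnings = []
  rendered = directives.map do |name, sources|
    safe_sources = sources.map do |src|
      clean, w = sanitize_csp_value(src.to_s)
      warnings.concat(w)
      clean
    end
    "#{name} #{safe_sources.join(' ')}"
  end
  [rendered.join("; "), warnings]
end

# Reviewer-style sanity check: the directives that come out must equal the
# directives that went in. Any extra one means a separator got through.
def directive_count(header)
  header.split(";").map(&:strip).reject(&:empty?).size
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: one source value is pretended to come from runtime
  # input and carries both separator kinds.
  untrusted = "https://cdn.example.com;extra-directive\r\ninjected-line"
  config = { "default-src" => ["'self'"], "script-src" => ["'self'", untrusted] }
  header, warnings = build_csp_header(config)
  puts header
  warnings.each { |w| warn "WARNING: #{w}" }
  puts "directives configured: #{config.size}, rendered: #{directive_count(header)}"
end
```

Run it as a plain script to see the sanitized header and the two warnings; in an application the warning path is the detection signal worth wiring to logging, because a semicolon or newline in a CSP source value is never legitimate and indicates either a configuration mistake or untrusted data reaching the header builder.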
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/fyiorgnz/alaveteli/network/alerts).
Bumps secure_headers from 3.6.5 to 6.3.0.