Closed dependabot-preview[bot] closed 5 years ago
Deploy preview for mesg-marketplace ready!
Built with commit 2619ef6cf088c35674bac12dad60f850e02ab941
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version
or @dependabot ignore this minor version
.
If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps remarkable from 1.7.1 to 1.7.2. This update includes security fixes.
Vulnerabilities fixed
*Sourced from The GitHub Security Advisory Database.* > **High severity vulnerability that affects remarkable** > lib/common/html_re.js in remarkable 1.7.1 allows Regular Expression Denial of Service (ReDoS) via a CDATA section. > > Affected versions: <= 1.7.1 *Sourced from The GitHub Security Advisory Database.* > **Moderate severity vulnerability that affects remarkable** > In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters, as demonstrated by a \x0ejavascript: URL. > > Affected versions: <= 1.7.1Commits
- [`aaa807a`](https://github.com/jonschlinkert/remarkable/commit/aaa807a67a866ff06aa853c28d97e4b7b601ece1) v1.7.2 - [`287dfbf`](https://github.com/jonschlinkert/remarkable/commit/287dfbf22e70790c8b709ae37a5be0523597673c) Prevent a ReDoS vulnerability ([#335](https://github-redirect.dependabot.com/jonschlinkert/remarkable/issues/335)) - [`49e87b7`](https://github.com/jonschlinkert/remarkable/commit/49e87b7ae2dc323d83606792a749fb207595249e) fix: disallow ascii control characters in URLs ([#334](https://github-redirect.dependabot.com/jonschlinkert/remarkable/issues/334)) - [`232a554`](https://github.com/jonschlinkert/remarkable/commit/232a5547a843487529ef9f5b665aa6e238b8e75a) Merge pull request [#345](https://github-redirect.dependabot.com/jonschlinkert/remarkable/issues/345) from TrySound/coverage - [`fb7bc09`](https://github.com/jonschlinkert/remarkable/commit/fb7bc09d3df921cbec4cf65b8afcaaa0172187df) Enable coverage via nyc - [`dfb3c4b`](https://github.com/jonschlinkert/remarkable/commit/dfb3c4b1ef37eec4a988f3f16b152fbdf776a26c) Delete FUNDING.yml - [`4c93bde`](https://github.com/jonschlinkert/remarkable/commit/4c93bde557dc223d2b90f5f37782ed1603d38969) Create FUNDING.yml - [`1c5b5b7`](https://github.com/jonschlinkert/remarkable/commit/1c5b5b76bc7ca0e8ce7046e6ea627617b5293cc6) Merge pull request [#290](https://github-redirect.dependabot.com/jonschlinkert/remarkable/issues/290) from curtisgibby/patch-1 - [`acf893f`](https://github.com/jonschlinkert/remarkable/commit/acf893ff1b6fab699b09a0c1b9ec44bad54a1c1e) Merge pull request [#288](https://github-redirect.dependabot.com/jonschlinkert/remarkable/issues/288) from andrewbranch/patch-1 - [`55e2917`](https://github.com/jonschlinkert/remarkable/commit/55e29172d45323fe325b1e016de5b4b31f179199) Merge pull request [#280](https://github-redirect.dependabot.com/jonschlinkert/remarkable/issues/280) from LukasDrgon/patch-1 - Additional commits viewable in [compare view](https://github.com/jonschlinkert/remarkable/compare/1.7.1...v1.7.2)Maintainer changes
This version was pushed to npm by [trysound](https://www.npmjs.com/~trysound), a new releaser for remarkable since your current version.Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it). To ignore the version in this PR you can just close it - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.