networknt / microservices-framework-benchmark

Raw benchmarks on throughput, latency and transfer of Hello World on popular microservices frameworks
MIT License

Bump ratpack-core from 1.4.4 to 1.7.6 in /ratpack #59

Closed dependabot[bot] closed 4 years ago

dependabot[bot] commented 4 years ago

Bumps ratpack-core from 1.4.4 to 1.7.6.

Release notes

*Sourced from [ratpack-core's releases](https://github.com/ratpack/ratpack/releases).*

> ## v1.7.6
> This release includes a fix for a security vulnerability. This upgrade is recommended for all Ratpack users.
>
> Versions of Ratpack 0.9.10 through and including 1.7.5 are vulnerable to [CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html) (aka. XSS),
> in the development error handler. An attacker can utilize this to perform XSS when an exception message contains untrusted data.
>
> This vulnerability only exists in the handler that renders an internal server error as a readable HTML page, which is activated when Ratpack is running in _development_ mode. This mode is only activated by user request (i.e. setting `development(true)` in the `ServerConfig`, setting `RATPACK_DEVELOPMENT=true` in the environment), or when Ratpack detects it is running in an IDE (i.e. IntelliJ), being run by the Groovy shell, or attached to a debugger. By default, Ratpack sets `development(false)` when packaged as a Jar.
>
> Users should verify that they are not running Ratpack with development mode activated in production environments.
>
> We would like to thank [Jonathan Leitschuh](https://github.com/JLLeitschuh) for reporting this vulnerability.
>
> Please see the [security advisory for this issue](https://github.com/ratpack/ratpack/security/advisories/GHSA-r2wf-q3x4-hrv9) for more information.
>
> ## v1.7.5
> This release includes several minor bug fixes, and a fix for a security vulnerability. This upgrade is recommended for everyone using 1.7.x.
>
> Versions of Ratpack 0.9.1 through and including 1.7.4 are vulnerable to [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting),
> if untrusted and unsanitized data is used to populate the headers of an HTTP response.
> An attacker can utilize this vulnerability to have the server issue any HTTP response they specify.
>
> If your application uses arbitrary user input as the value of a response header, it is vulnerable.
> If your application does not use arbitrary values as response header values, it is not vulnerable.
>
> Previously, Ratpack did not validate response header values.
> Now, adding a header value that contains the header value termination characters produces a runtime exception.
> As there is no mechanism for escaping or encoding the termination characters in a value, a runtime exception is necessary.
>
> As potentially dangerous values now cause runtime exceptions,
> it is a good idea to continue to validate and sanitize any user supplied values being used as response headers.
>
> We would like to thank [Jonathan Leitschuh](https://github.com/JLLeitschuh) for reporting this vulnerability.
>
> Please see the [security advisory for this issue](https://github.com/ratpack/ratpack/security/advisories/GHSA-mvqp-q37c-wf9j) for more information.
>
> ## v1.7.4
> This release includes a fix for using Gradle's continuous build functionality when running on Java 9 or later. This upgrade is recommended for everyone using 1.7.x.
>
> ## v1.7.3
> This release includes a fix for `HttpClient` idle timeout that was introduced in Ratpack 1.7.0. Specifically, this timeout was incorrectly applying to in-use HTTP connections from the pool that were idle waiting for a server response. This fixes this behavior and clarifies that `idleTimeout` applies only to connections that are not currently acquired from the pool. This upgrade is recommended for everyone using 1.7.x.
>
> ## v1.7.2
> This release includes a fix for a regression introduced in 1.7.0 that resulted in double URL encoded query parameters in redirect responses. Please see the issue list below for details. This upgrade is recommended for everyone using 1.7.x.
>
> ## v1.7.1
> Ratpack 1.7.1 is now available!
> This patch release fixes a bug with idle connection timeouts for Ratpack's `HttpClient` (introduced in `1.7.0`) which prevented timeouts larger than 1 second from being specified.
> No other changes were introduced.
>
> --
> ... (truncated)
Commits

- [`ab1e96d`](https://github.com/ratpack/ratpack/commit/ab1e96d83c9c24c4358f4442f34ed5a83a167ea2) Version 1.7.6
- [`3cd6c38`](https://github.com/ratpack/ratpack/commit/3cd6c388d6da2dade8b85d1c463a4de51046b4b1) Fix the jruby/compass issues with the shutdown of torquebox.
- [`00ca7f2`](https://github.com/ratpack/ratpack/commit/00ca7f275bb0f73ac88a1029d81b7a770069f4cf) chore: fix formatting in spec
- [`c1d4357`](https://github.com/ratpack/ratpack/commit/c1d4357bbc4bceb24abb156fbb471257a0177eb6) Escape user input rendered to the response in the development error handler.
- [`32617ce`](https://github.com/ratpack/ratpack/commit/32617ce7fce68a0f8571eae6820351233292102f) Use zip64 for the site JAR
- [`06be2e8`](https://github.com/ratpack/ratpack/commit/06be2e8fc8bce8c2751527ddd6023afb0362bfd4) Use zip64 for the site JAR
- [`000b33c`](https://github.com/ratpack/ratpack/commit/000b33c559ecfb4b9c2517093b7455787c043098) Use zip64 for the site JAR
- [`04800b2`](https://github.com/ratpack/ratpack/commit/04800b2900b8bb6e1a37ebcfa66ee3f40e888ada) Begin version 1.7.6
- [`02f8e6b`](https://github.com/ratpack/ratpack/commit/02f8e6b9076eab03e9227b3ccbbdee952355f7b9) Version 1.7.5
- [`2a41e57`](https://github.com/ratpack/ratpack/commit/2a41e57af534e574f95464130076415700527b56) Fix race conditions in CachingUpstream
- Additional commits viewable in [compare view](https://github.com/ratpack/ratpack/compare/v1.4.4...v1.7.6)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/networknt/microservices-framework-benchmark/network/alerts).
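The 1.7.5 release notes quoted above describe two layers of defence against response splitting: the framework now raises on a header value containing the line-termination characters, and applications are still asked to validate untrusted values before using them as headers. The following is an added illustration of both layers in plain Python (it is not Ratpack's code and uses no Ratpack API); the function names and the sample redirect target are constructed for the example.

```python
import re

# CR and LF terminate a header line (an empty line ends the header block),
# so a value containing either can inject headers or a whole second response.
_HEADER_TERMINATORS = ("\r", "\n")

# Allow-list for application-side checks: tab, space and visible ASCII,
# i.e. the characters HTTP/1.1 permits in a field value.
_SAFE_VALUE = re.compile(r"[\t\x20-\x7e]*")


class HeaderValueError(ValueError):
    """Raised when a header value could split the response."""


def validate_header_value(value: str) -> str:
    """Framework-side rule: there is no escaping for CR/LF inside a header
    value, so the only safe behaviour is to fail loudly."""
    if any(ch in value for ch in _HEADER_TERMINATORS):
        raise HeaderValueError("header value contains CR/LF: %r" % value)
    return value


def is_safe_header_value(value: str) -> bool:
    """Application-side check to run on untrusted input before it reaches
    the framework, so the runtime exception is a backstop, not the plan.
    fullmatch is deliberate: match() with a '$' anchor would still accept
    a value ending in a single trailing newline."""
    return _SAFE_VALUE.fullmatch(value) is not None


def serialize_response(status: str, headers: dict, body: str = "") -> str:
    """Build an HTTP/1.1 response, validating every header value."""
    lines = ["HTTP/1.1 " + status]
    for name, value in headers.items():
        lines.append("%s: %s" % (name, validate_header_value(value)))
    return "\r\n".join(lines) + "\r\n\r\n" + body


if __name__ == "__main__":
    # Constructed untrusted redirect target carrying a CRLF sequence.
    untrusted = "/home\r\nX-Injected: 1"
    print("passes allow-list?", is_safe_header_value(untrusted))  # False
    try:
        serialize_response("302 Found", {"Location": untrusted})
    except HeaderValueError as exc:
        print("rejected:", exc)
    print(serialize_response("302 Found", {"Location": "/home"}))
```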