pymedusa / Medusa

Automatic Video Library Manager for TV Shows. It watches for new episodes of your favorite shows, and when they are posted it does its magic.
https://pymedusa.com
GNU General Public License v3.0
1.81k stars 276 forks

Update JS dependency vue to v3 [SECURITY] #11865

Open renovate[bot] opened 4 weeks ago

renovate[bot] commented 4 weeks ago

This PR contains the following updates:

Package        Change
vue (source)   2.7.16 -> 3.0.0

GitHub Vulnerability Alerts

CVE-2024-9506

The ReDoS can be exploited through the parseHTML function in the html-parser.ts file. This flaw allows attackers to slow down the application by providing specially crafted input that causes inefficient processing of regular expressions, leading to excessive resource consumption.

To demonstrate this vulnerability, here's an example. In a Vue client-side application, create a new Vue instance with a template string that includes a <script> tag but closes it incorrectly with something like </textarea>.

new Vue({
  el: '#app',
  // Template literal so the ${...} interpolation below actually expands.
  // The <script> element is never closed: the parser keeps looking for
  // </script> and only ever meets </textarea>.
  template: `
    <div>
      Hello, world!
      <script>${'<'.repeat(1000000)}</textarea>
    </div>`
});

Next, set up a basic HTML page (e.g., index.html) to load this JavaScript and mount the Vue instance:

<!DOCTYPE html>
<html>
<head>
  <title>My first Vue app</title>
  <!-- Assumed file names: a Vue 2.7 full build (runtime + compiler, needed for the
       template option), then the snippet above saved as app.js -->
  <script src="vue.js"></script>
</head>
<body>
  <div id="app">Loading...</div>
  <script src="app.js"></script>
</body>
</html>

When you visit the app in your browser at http://localhost:3000, you'll notice that the time taken to parse and mount the Vue application increases significantly due to the ReDoS vulnerability, demonstrating how the flaw can affect performance.


Release Notes

vuejs/core (vue)

### [`v3.0.0`](https://redirect.github.com/vuejs/core/releases/tag/v3.0.0): One Piece

Today we are proud to announce the official release of Vue.js 3.0 "One Piece". This new major version of the framework provides improved performance, smaller bundle sizes, better TypeScript integration, new APIs for tackling large scale use cases, and a solid foundation for long-term future iterations of the framework. The 3.0 release represents over 2 years of development efforts, featuring [30+ RFCs](https://redirect.github.com/vuejs/rfcs/tree/master/active-rfcs), 2,600+ commits, [628 pull requests](https://redirect.github.com/vuejs/vue-next/pulls?q=is%3Apr+is%3Amerged+-author%3Aapp%2Fdependabot-preview+) from [99 contributors](https://redirect.github.com/vuejs/vue-next/graphs/contributors), plus a tremendous amount of development and documentation work outside of the core repo. We would like to express our deepest gratitude towards our team members for taking on this challenge, our contributors for the pull requests, our [sponsors and backers](https://redirect.github.com/vuejs/vue/blob/dev/BACKERS.md) for the financial support, and the wider community for participating in our design discussions and providing feedback for the pre-release versions. Vue is an independent project created for the community and sustained by the community, and Vue 3.0 wouldn't have been possible without your consistent support.

#### Taking the "Progressive Framework" Concept Further

Vue had a simple mission from its humble beginning: to be an approachable framework that anyone can quickly learn. As our user base grew, the framework also grew in scope to adapt to the increasing demands. Over time, it evolved into what we call a "Progressive Framework": a framework that can be learned and adopted incrementally, while providing continued support as the user tackles more and more demanding scenarios.

Today, with over 1.3 million users worldwide*, we are seeing Vue being used in a wildly diverse range of scenarios, from sprinkling interactivity on traditional server-rendered pages, to full-blown single page applications with hundreds of components. Vue 3 takes this flexibility even further.

##### Layered internal modules

Vue 3.0 core can still be used via a simple
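An added illustration of the failure class the advisory above describes, written for this page and not taken from Vue's html-parser.ts or from the Medusa project: two scanners that look for the end of a raw-text element such as `<script>` inside a template string. Both return the same answer on every input, but the first re-runs an unanchored end-tag regex over the remaining input at every `<` it meets, so an unclosed `<script>` followed by many `<` characters (the advisory's PoC shape) costs work proportional to the square of the input, while the second makes one case-insensitive `indexOf` pass per candidate and stays linear. The function names, the regex, the counters and the constructed inputs are this example's own; Vue's real parser is more involved, and this is a model of the mechanism, not its code.

```javascript
// Added example (not Vue's code): model of the quadratic raw-text scan behind an
// unclosed <script> element, in plain Node.js with no dependencies.

// Unanchored on purpose: exec() searches the whole remainder for any end tag.
const END_TAG_RE = /<\/([a-zA-Z][^\s\/>]*)[^>]*>/;

// Quadratic model. Returns the raw text, the offset just past the end tag
// (-1 if the element is never closed) and how many regex runs it took, so the
// amount of work can be checked rather than just timed.
function scanRawTextNaive(html, tagName) {
  const name = tagName.toLowerCase();
  let pos = 0;
  let regexRuns = 0;
  for (;;) {
    const lt = html.indexOf('<', pos);
    if (lt < 0) break;
    regexRuns += 1;
    const m = END_TAG_RE.exec(html.slice(lt)); // cost grows with html.length - lt
    if (m && m.index === 0 && m[1].toLowerCase() === name) {
      return { text: html.slice(0, lt), endAt: lt + m[0].length, regexRuns };
    }
    pos = lt + 1; // not our end tag: treat this '<' as text and move on
  }
  return { text: html, endAt: -1, regexRuns };
}

// Linear replacement: look for the literal "</tagname" and accept it only when
// the name is followed by whitespace, '/' or '>' (the HTML end-tag rule).
function scanRawTextLinear(html, tagName) {
  const lower = html.toLowerCase();
  const needle = '</' + tagName.toLowerCase();
  let pos = 0;
  for (;;) {
    const idx = lower.indexOf(needle, pos);
    if (idx < 0) return { text: html, endAt: -1 };
    const after = idx + needle.length;
    const next = lower[after];
    if (next === '>' || next === '/' || /\s/.test(next || '')) {
      const gt = html.indexOf('>', after);
      if (gt < 0) return { text: html, endAt: -1 }; // "</script" with no '>' never closes
      return { text: html.slice(0, idx), endAt: gt + 1 };
    }
    pos = after; // e.g. "</scripts>" is not the end tag we want
  }
}

// Constructed input with the advisory's PoC shape: the body of a <script> that is
// "closed" by </textarea>, with `count` '<' characters in front of it.
function craftedScriptBody(count) {
  return '<'.repeat(count) + '</textarea>\n    </div>';
}

// Runs both scanners on the crafted body and reports work and wall-clock time.
function compareWork(count) {
  const body = craftedScriptBody(count);
  let t = process.hrtime.bigint();
  const naive = scanRawTextNaive(body, 'script');
  const naiveMs = Number(process.hrtime.bigint() - t) / 1e6;
  t = process.hrtime.bigint();
  const linear = scanRawTextLinear(body, 'script');
  const linearMs = Number(process.hrtime.bigint() - t) / 1e6;
  return {
    naiveRegexRuns: naive.regexRuns,
    naiveEndAt: naive.endAt,
    linearEndAt: linear.endAt,
    naiveMs,
    linearMs,
  };
}

for (const count of [2000, 4000, 8000]) {
  const r = compareWork(count);
  console.log(
    `count=${count} regexRuns=${r.naiveRegexRuns} ` +
    `naive=${r.naiveMs.toFixed(1)}ms linear=${r.linearMs.toFixed(2)}ms`
  );
}
```

Run it with `node`; doubling `count` roughly quadruples the naive scanner's time while the linear one stays flat, which is the behaviour a reviewer should look for before accepting an HTML or template parser that handles raw-text elements. Whether this bump is urgent for a given application depends on whether it compiles strings as templates at run time (the Vue 2 full build with the `template` option, as in the advisory's PoC); a build that ships precompiled render functions never calls the template parser in the browser, and this page does not say which build Medusa's frontend uses.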