🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Using carefully crafted input, an attacker may be able to sneak
arbitrary HTML and CSS through Sanitize >= 3.0.0, < 6.0.2 when
Sanitize is configured to use the built-in "relaxed" config or
when using a custom config that allows style elements and one
or more CSS at-rules. This could result in XSS (cross-site scripting)
or other undesired behavior when the malicious HTML and CSS are
rendered in a browser.
Patches
Sanitize >= 6.0.2 performs additional escaping of CSS in style
element content, which fixes this issue.
Workarounds
Users who are unable to upgrade can prevent this issue by using a
Sanitize config that doesn't allow style elements, using a Sanitize
config that doesn't allow CSS at-rules, or by manually escaping the
character sequence </ as <\/ in style element content.
Credit
This issue was found by @cure53 during an audit of a project that
uses Sanitize and was reported by one of that project's maintainers.
Thank you!
CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS (cross-site scripting). This issue affects Sanitize versions 3.0.0 through 6.0.1.
When using Sanitize's relaxed config or a custom config that allows <style> elements and one or more CSS at-rules, carefully crafted input could be used to sneak arbitrary HTML through Sanitize.
See the following security advisory for additional details: GHSA-f5ww-cq3m-q3g7
New methods #lib_path and #include_path which point at the installed directories under ports. (by @flavorjones)
Add config param for CMAKE_BUILD_TYPE, which now defaults to Release. (#136 by @Watson1978)
Experimental
Introduce experimental support for MiniPortile#mkmf_config which sets up MakeMakefile variables to properly link against the recipe. This should make it easier for C extensions to package third-party libraries. (by @flavorjones)
With no arguments, will set up just $INCFLAGS, $libs, and $LIBPATH.
Optionally, if provided a pkg-config file, will use that config to more precisely set $INCFLAGS, $libs, $LIBPATH, and $CFLAGS/$CXXFLAGS.
Optionally, if provided the name of a static archive, will rewrite linker flags to ensure correct linkage.
Note that the behavior may change slightly before official support is announced. Please comment on #118 if you have feedback.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
yoldas
commented
11 months ago
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ sanitize (indirect, 6.0.1 → 6.0.2) · Repo · Changelog
Security Advisories 🚨
🚨 Sanitize vulnerable to Cross-site Scripting via insufficient neutralization of `style` element content
Release Notes
6.0.2
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 4 commits:
Merge pull request from GHSA-f5ww-cq3m-q3g7Release 6.0.2Update historyEscape `</` to prevent a style element from being closed prematurely↗️ mini_portile2 (indirect, 2.8.4 → 2.8.5) · Repo · Changelog
Release Notes
2.8.5
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 24 commits:
version bump to 2.8.5doc: update README with cmake_build_type documentationMerge pull request #137 from flavorjones/flavorjones-update-gemspecdev: gemspec has better desc and uses require_relativeMerge pull request #136 from Watson1978/release-buildAdd config param for CMAKE_BUILD_TYPECreate release binary with cmake explicitlyMerge pull request #135 from amatsuda/warningwarning: method redefined; discarding old source_directory=version bump to v2.8.5.rc2Merge pull request #134 from flavorjones/flavorjones-improve-mkmf-config-20230917introduce the "static" parameter to mkmf_configextract `lib_path` and `include_path` methodsversion bump to v2.8.5.rc1Merge pull request #133 from flavorjones/flavorjones-more-precise-pkg-configfeat: more precise implementation of mkmf_config for pkg-configversion bump to v2.9.0.rc1Merge pull request #131 from flavorjones/118-fedora-pkgconffeat: introduce MiniPortile.mkmf_configtest: add an example that uses MakeMakefile.pkg_configci: add a fedora job to the test suitetest: backfill coverage for MiniPortile#activateMerge pull request #132 from flavorjones/flavorjones-uninitialized-ivar-warningsfix: avoid uninitialized ivar warnings↗️ nokogiri (indirect, 1.15.4 → 1.15.5) · Repo · Changelog
Release Notes
1.15.5
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 7 commits:
version bump to v1.15.5ci: add ruby version to vendored libs cache key (backport) (#3029)ci: add ruby version to vendored libs cache key (#3028)dep: update libxml to 2.11.5 and libxslt to 1.1.39 (v1.15.x) (#3025)ci: skip the BSD builds for nowdep: update libxml to 2.11.5 and libxslt to 1.1.39doc(fix): correct :nodoc:↗️ racc (indirect, 1.7.1 → 1.7.3) · Repo · Changelog
Release Notes
1.7.3
1.7.2
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 67 commits:
Merge pull request #254 from yui-knk/v1.7.3Bump up v1.7.3Merge pull request #253 from yui-knk/add_dependency'lib/racc/parser-text.rb' depends on 'lib/racc/info.rb'Merge pull request #252 from yui-knk/fix_doc_expect_paramFix locations of `expect` param in docsMerge pull request #251 from yui-knk/v1.7.3.pre.1Bump up v1.7.3.pre.1Merge pull request #250 from yui-knk/test_rake_compile_buildCheck `rake build` on CIMerge pull request #249 from yui-knk/always_run_ciMerge pull request #248 from nobu/srcsMake CI runnable for any pushAdd `srcs` target to prepare to buildMake reproducibleMerge pull request #247 from nobu/bumpUpdate test-unit-ruby-core for ruby 2.5Prepare 1.7.3Add recipe to update RACC_VERSION in Cparse.javaMerge pull request #246 from nobu/jruby-extdirFix jar file pathMerge pull request #245 from nobu/ruby-testFix for dummy rake/extensiontask.rb at ruby test-bundled-gemsMerge pull request #244 from nobu/cruby-extExclude CRuby extension from JRuby gemMerge pull request #239 from yui-knk/v1.7.2Merge pull request #243 from nobu/protoizeUse prototype declarationsBump up v1.7.2Merge pull request #241 from nobu/info_versionMerge pull request #242 from nobu/manifest[DOC] Update release flowRemove MANIFEST which was used by ancient extmk.rbExtract Racc::VERSION from racc/info.rb at extconf.rbMerge pull request #240 from nobu/old-checksRemove fallback codeRemove old checksRename CI file since it is not only Ubuntu now [ci skip]Merge pull request #238 from makenowjust/typosFix tiny typosMerge pull request #237 from yui-knk/remove_install_guide_via_setup_rbRemove install guide by setup.rbMerge pull request #236 from nobu/bump-upStart 1.7.2Update `Gem::Specification#files`Merge pull request #235 from yui-knk/readme_release-flowAdd "Release flow" to README.rdocMerge pull request #234 from yui-knk/fix_typoFix a typoMerge pull request #232 from ruby/dependabot/github_actions/actions/checkout-4Bump actions/checkout from 3 to 4Merge pull request #231 from yui-knk/embed_grammar_file_name_into_generated_fileEmbed grammar file name into generated fileMerge pull request #230 from nobu/embedded-pragmasRemove frozen_string_literal pragmas from embedded runtime filesStop littering platform-independent directory with platform-dependent bianriesMerge pull request #229 from ruby/flavorjones-pin-dev-dependenciesdep: pin development dependencies, and enable dependabot for gemsMerge pull request #228 from ruby/flavorjones-work-around-rake-compiler-ruby-2.5Update development dependency to avoid ruby 2.5 failuresMerge pull request #225 from zenspider/zenspider/frozen_string_literalsMerge pull request #226 from zenspider/zenspider/newlineRemove NEWS files since they've not been updated in quite some timeAdd --frozen to add frozen_string_literals to top of generated files.Remove leading newline from on_error exception messages.Merge pull request #224 from jwillemsen/patch-4Update parser.rb, fixed typoDepfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands