segiddins
commented
5 years ago @dependabot-bot merge
Closed dependabot-preview[bot] closed 5 years ago
segiddins
commented
5 years ago @dependabot-bot merge
dependabot-preview[bot]
commented
5 years ago Superseded by #20.
Bumps yard from 0.8.6.2 to 0.9.18. This update includes security fixes.
Vulnerabilities fixed
*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2017-17042.yml).* > **Potential arbitrary file read vulnerability in yard server** > lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block > relative paths with an initial ../ sequence, which allows attackers to conduct > directory traversal attacks and read arbitrary files. > > Patched versions: >= 0.9.11 > Unaffected versions: noneRelease notes
*Sourced from [yard's releases](https://github.com/lsegal/yard/releases).* > ## v0.9.18 > No release notes provided. > > ## Release v0.9.17 > No release notes provided. > > ## Release v0.9.16 > No release notes provided. > > ## Release v0.9.15 > # [0.9.15] - July 17th, 2018 > > [0.9.15]: https://github.com/lsegal/yard/compare/v0.9.14...v0.9.15 > > - Fixed security issue in parsing of Ruby code that could allow for arbitrary > execution. Credit to Nelson ElhageChangelog
*Sourced from [yard's changelog](https://github.com/lsegal/yard/blob/master/CHANGELOG.md).* > # master > > # [0.9.16] - August 11th, 2018 > > [0.9.16]: https://github.com/lsegal/yard/compare/v0.9.15...v0.9.16 > > - Documentation fixes ([#1175](https://github-redirect.dependabot.com/lsegal/yard/issues/1175), [#1178](https://github-redirect.dependabot.com/lsegal/yard/issues/1178)). > - Fixed stack overflow issue when parsing extremely large lists ([#1176](https://github-redirect.dependabot.com/lsegal/yard/issues/1176)). > > # [0.9.15] - July 17th, 2018 > > [0.9.15]: https://github.com/lsegal/yard/compare/v0.9.14...v0.9.15 > > - Fixed security issue in parsing of Ruby code that could allow for arbitrary > execution. Credit to Nelson ElhageCommits
- [`589f525`](https://github.com/lsegal/yard/commit/589f5254f9d9768922ae8bb9be798c6df3bbec8d) Bump version to 0.9.18 - [`61d0ac2`](https://github.com/lsegal/yard/commit/61d0ac2985e399302ece0ef604f45e46ff671c0c) Make test_doc Windows friendly - [`5a41289`](https://github.com/lsegal/yard/commit/5a41289c509b5f42d1703fbd6699136785a5001c) Disable gems on Windows (fixes bundling for 64bit machines) - [`97e1346`](https://github.com/lsegal/yard/commit/97e1346689b52b18c511b63bb4c3db9d23832471) Merge pull request [#1210](https://github-redirect.dependabot.com/lsegal/yard/issues/1210) from larskanis/add-svg-to-image-filenames - [`47b7e82`](https://github.com/lsegal/yard/commit/47b7e820d41f0cce40dc0334fb739bf32431e1ed) Merge pull request [#1211](https://github-redirect.dependabot.com/lsegal/yard/issues/1211) from dduugg/fix-pcm-warn - [`ce80848`](https://github.com/lsegal/yard/commit/ce80848bc4ba42739936788641acbf553d1fd041) Merge pull request [#1212](https://github-redirect.dependabot.com/lsegal/yard/issues/1212) from castwide/file_singleton_methods - [`5699818`](https://github.com/lsegal/yard/commit/56998180b379c0161db180f943ae8101912cad7e) Fix frozen string modification in onefile template - [`6252ced`](https://github.com/lsegal/yard/commit/6252ced8b556ed6860e8839c8218eb4a04d8acb3) Include .rb files as part of default ext/ glob - [`7e9aa9d`](https://github.com/lsegal/yard/commit/7e9aa9db934e8b10b277df85900f0f84279157e0) Temporarily disable CI for Ruby 2.0/2.1 (Travis issues) - [`e2a520b`](https://github.com/lsegal/yard/commit/e2a520ba895baa60136ae3b8531499e7b718aad3) Fix rubocop formatting issues - Additional commits viewable in [compare view](https://github.com/lsegal/yard/compare/v0.8.6.2...v0.9.18)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot will merge this PR once CI passes on it, as requested by @segiddins.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.