segiddins / segiddins.me

http://segiddins.me/

[Security] Bump yard from 0.8.6.2 to 0.9.11 #25

Closed dependabot-preview[bot] closed 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps yard from 0.8.6.2 to 0.9.11. This update includes security fixes.

Vulnerabilities fixed

*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2017-17042.yml).*

> **Potential arbitrary file read vulnerability in yard server**
> lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block
> relative paths with an initial ../ sequence, which allows attackers to conduct
> directory traversal attacks and read arbitrary files.
>
> Patched versions: >= 0.9.11
> Unaffected versions: none
Release notes

*Sourced from [yard's releases](https://github.com/lsegal/yard/releases).*

> ## Release v0.9.11
> [0.8.7.4]: https://github.com/lsegal/yard/compare/v0.8.7.3...v0.8.7.4
>
> - Mark C methods as explicit but also remove explicit check in stats. ([#727](https://github-redirect.dependabot.com/lsegal/yard/issues/727))
> - Report unresolved parent namespaces as undocumentable errors instead. ([#753](https://github-redirect.dependabot.com/lsegal/yard/issues/753))
> - No longer ignore overridden methods from documentation check in stats ([#719](https://github-redirect.dependabot.com/lsegal/yard/issues/719))
> - Fix JRuby throwing exception when remove_method called on non-existent method. ([#732](https://github-redirect.dependabot.com/lsegal/yard/issues/732))
> - Add basic support for `private_class_method` ([#747](https://github-redirect.dependabot.com/lsegal/yard/issues/747))
> - Ensure namespace is always set when parent module is not found. ([#753](https://github-redirect.dependabot.com/lsegal/yard/issues/753))
> - Set overflow as auto on table of contents.
> - Report 100% documented if nothing is undocumented. ([#754](https://github-redirect.dependabot.com/lsegal/yard/issues/754))
> - Added support for RubyGems 2.0.0+. ([#742](https://github-redirect.dependabot.com/lsegal/yard/issues/742))
> - Allow users to enter their own YARD RakeTask name. ([#705](https://github-redirect.dependabot.com/lsegal/yard/issues/705))
> - Fixed a typo that was causing Windows detection to always fail. ([#715](https://github-redirect.dependabot.com/lsegal/yard/issues/715))
> - Add debug information when loading a plugin fails. ([#711](https://github-redirect.dependabot.com/lsegal/yard/issues/711))
>
> # [0.8.7.3] - November 1, 2013
>
> [0.8.7.3]: https://github.com/lsegal/yard/compare/v0.8.7.2...v0.8.7.3
>
> - Handle Unicode method/class/file names in server URL encoding (lsegal/rubydoc.info#69).
> - Style keyword style hashes with same symbol color in code highlighting ([#707](https://github-redirect.dependabot.com/lsegal/yard/issues/707)).
> - Fix broken JS when visiting docs in file:// scheme ([#706](https://github-redirect.dependabot.com/lsegal/yard/issues/706)).
> - Add support for new AsciiDoc file extensions ([#704](https://github-redirect.dependabot.com/lsegal/yard/issues/704)).
> - Fix issues where non-Ruby code blocks would not display in Ruby 2 ([#702](https://github-redirect.dependabot.com/lsegal/yard/issues/702)).
> - Add support for extra Ruby 2 symbol types in Ripper ([#701](https://github-redirect.dependabot.com/lsegal/yard/issues/701)).
> - Ensure config directory exists before saving config file ([#700](https://github-redirect.dependabot.com/lsegal/yard/issues/700)).
>
> # [0.8.7.2] - September 18, 2013
>
> [0.8.7.2]: https://github.com/lsegal/yard/compare/v0.8.7.1...v0.8.7.2
>
> - Disallow absolute URLs when using frame anchor support.
> - Support casted functions in CRuby method declarations ([#697](https://github-redirect.dependabot.com/lsegal/yard/issues/697))
>
> # [0.8.7.1] - September 11, 2013
>
> [0.8.7.1]: https://github.com/lsegal/yard/compare/v0.8.7...v0.8.7.1
>
> - Fix potential XSS issue with frame anchor support.
> - Add support for gettext 3.x gem.
>
> # [0.8.7] - July 26, 2013
>
> [0.8.7]: https://github.com/lsegal/yard/compare/v0.8.6.2...v0.8.7
>
> - Added `--hide-api API` option to hide objects with a given `@api` tag ([#685](https://github-redirect.dependabot.com/lsegal/yard/issues/685)).
> - Added "Returns ...." prefix to summary when a lone `@return` tag is used.
> - Fixed issue that caused ref tags to be added to a docstring twice ([#678](https://github-redirect.dependabot.com/lsegal/yard/issues/678)).
> - Fixed formatting issue in docstring summaries ([#686](https://github-redirect.dependabot.com/lsegal/yard/issues/686))
> ... (truncated)
Changelog

*Sourced from [yard's changelog](https://github.com/lsegal/yard/blob/master/CHANGELOG.md).*

> # [0.9.11] - November 23rd, 2017
>
> [0.9.11]: https://github.com/lsegal/yard/compare/v0.9.10...v0.9.11
>
> - Fixed security issue in `--readme` that allowed for arbitrary file reads on
>   disk. Credit to ztz for discovering this issue.
> - Improved styling for inline code blocks ([#1142](https://github-redirect.dependabot.com/lsegal/yard/issues/1142)).
>
> # [0.9.10] - November 18th, 2017
>
> [0.9.10]: https://github.com/lsegal/yard/compare/v0.9.9...v0.9.10
>
> - Added `--fail-on-warning` option for `yard doc` which exits with a non-zero
>   code if there are any warnings ([#1093](https://github-redirect.dependabot.com/lsegal/yard/issues/1093)).
> - Added support for parsing inside `Struct.new` blocks ([#1099](https://github-redirect.dependabot.com/lsegal/yard/issues/1099)).
> - Added support new ripper AST tokens ([#1104](https://github-redirect.dependabot.com/lsegal/yard/issues/1104), [#1124](https://github-redirect.dependabot.com/lsegal/yard/issues/1124)).
> - Fixed an issue where `@see (obj)` reference tags would fail ([#1111](https://github-redirect.dependabot.com/lsegal/yard/issues/1111))
> - Fix sorting in `yard stats` ([#1123](https://github-redirect.dependabot.com/lsegal/yard/issues/1123)).
>
> # [0.9.9] - April 23rd, 2017
>
> [0.9.9]: https://github.com/lsegal/yard/compare/v0.9.8...v0.9.9
>
> - Added `gem uninstall` hooks to remove YARD documentation files. ([#1083](https://github-redirect.dependabot.com/lsegal/yard/issues/1083))
> - Added support for C++ namespaces. ([#809](https://github-redirect.dependabot.com/lsegal/yard/issues/809))
> - Fixed issue where loading a .html page via an anchor would not scroll to
>   the anchor section. ([#1082](https://github-redirect.dependabot.com/lsegal/yard/issues/1082))
> - Hide some Ruby warnings.
> - Improve progress indicator icons in terminal.
>
> # [0.9.8] - January 13th, 2017
>
> [0.9.8]: https://github.com/lsegal/yard/compare/v0.9.7...v0.9.8
>
> - Fixed installed gems not being correctly found in `yard server` and by plugins.
> - Fixed tokenization of `%w(...)` array syntax.
>
> # [0.9.7] - January 9th, 2017
>
> [0.9.7]: https://github.com/lsegal/yard/compare/v0.9.6...v0.9.7
>
> - Fixed resolution of absolute object paths with ambiguous names. ([#1029](https://github-redirect.dependabot.com/lsegal/yard/issues/1029))
>
> # [0.9.6] - January 7th, 2017
>
> [0.9.6]: https://github.com/lsegal/yard/compare/v0.9.5...v0.9.6
>
> - Removed official support for Ruby 1.x (1.8/1.9). YARD can still be installed
>   in these versions, but support is not guaranteed. Simple bug fixes may still
>   be considered via pull request only. Issues without code will be automatically
> ... (truncated)
Commits

- [`7748eda`](https://github.com/lsegal/yard/commit/7748eda4b96817b0b9ebd7efffbd32d510829393) Tag release v0.9.11
- [`3bcccf6`](https://github.com/lsegal/yard/commit/3bcccf678040e827f706b8305456424aa83f6471) Fix broken tests
- [`10e84bd`](https://github.com/lsegal/yard/commit/10e84bdd075e097c98d743047adf913d9d7480e8) Update changelog
- [`b0217b3`](https://github.com/lsegal/yard/commit/b0217b3e30dc53d057b1682506333335975e62b4) Disallow relative paths that start with ../
- [`bd56c5d`](https://github.com/lsegal/yard/commit/bd56c5d1dc6f8e332ecfe6cd90dbf2e3f0be89f2) Merge pull request [#1142](https://github-redirect.dependabot.com/lsegal/yard/issues/1142) from noraj1337/patch-1
- [`cb1ddd7`](https://github.com/lsegal/yard/commit/cb1ddd79cdc1e61fa55d49555d1516bbbc7a4e3c) Merge pull request [#1143](https://github-redirect.dependabot.com/lsegal/yard/issues/1143) from noraj1337/patch-2
- [`6aecb55`](https://github.com/lsegal/yard/commit/6aecb5551b7444c9df00c0eb9860f9a34bdeea24) fix typo
- [`fd3dff0`](https://github.com/lsegal/yard/commit/fd3dff03615ddf8e4dda321f62d90153c168de9b) fix typo and 80 char line
- [`bac35d8`](https://github.com/lsegal/yard/commit/bac35d8c2883925e11108e92e3054edd41b9eba2) add an easy way to find yard plugins
- [`cedc0a5`](https://github.com/lsegal/yard/commit/cedc0a5a80403ed4f7462cbf81fec72bbae55fe3) css fix for inline code
- Additional commits viewable in [compare view](https://github.com/lsegal/yard/compare/v0.8.6.2...v0.9.11)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
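The advisory above describes a server that did not reject relative paths beginning with `../`, and the fixing commit is titled "Disallow relative paths that start with ../". The following is an added example, not yard's own code, showing that narrow check beside a general containment check that resolves the requested path against the document root before comparing; the function names and the root directory `/srv/docs` are constructed for illustration.

```ruby
# Added example (not from yard): path checks of the kind the 0.9.11 fix
# describes. Function names and the root path below are constructed.
require 'pathname'

# Narrow check: reject a relative path whose first segment is "..".
# This mirrors the fix's description but, on its own, would not catch a
# traversal that begins deeper in the path, such as "lib/../../secret".
def starts_with_parent_ref?(path)
  path == '..' || path.start_with?('../')
end

# General check: resolve the request against the root and verify the result
# is still the root or a descendant of it. The trailing separator matters;
# without it "/srv/docs-other" would pass a prefix test against "/srv/docs".
def within_root?(root, requested)
  root_abs = File.expand_path(root)
  target = File.expand_path(requested, root_abs)
  target == root_abs || target.start_with?(root_abs + File::SEPARATOR)
end

# Serve a path only if it is non-empty, relative, not a "~user" form
# (File.expand_path would expand it and may raise for unknown users),
# not an initial "../", and resolves inside the root.
def safe_relative_path?(root, requested)
  return false if requested.nil? || requested.empty?
  return false if requested.start_with?('~')
  return false if Pathname.new(requested).absolute?
  return false if starts_with_parent_ref?(requested)
  within_root?(root, requested)
end

if __FILE__ == $PROGRAM_NAME
  root = '/srv/docs' # constructed root for illustration
  %w[index.html lib/yard.html ../etc/passwd lib/../../secret /etc/passwd].each do |p|
    puts format('%-20s %s', p, safe_relative_path?(root, p) ? 'allow' : 'deny')
  end
end
```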
dependabot-preview[bot] commented 5 years ago

Superseded by #26.