Bumps jquery-rails from 3.1.2 to 3.1.5. This update includes security fixes.
Vulnerabilities fixed
*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2015-1840.yml).*
> **CSRF Vulnerability in jquery-rails**
> In the scenario where an attacker might be able to control the href attribute
> of an anchor tag or the action attribute of a form tag that will trigger a
> POST action, the attacker can set the href or action to
> " https://attacker.com" (note the leading space) that will be passed to
> jQuery, which will see this as a same origin request, and send the user's CSRF
> token to the attacker domain.
>
> To work around this problem, change code that allows users to control the
> href attribute of an anchor tag or the action attribute of a form tag to
> filter the user parameters.
> ... (truncated)
>
> Patched versions: [">= 4.0.4", "~> 3.1.3"]
> Unaffected versions: []
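The advisory turns on how the client decides whether a request is cross-domain before attaching the `X-CSRF-Token` header. The following is an added example, not code from jquery-rails or jquery-ujs: a naive "scheme://host" regex check in the spirit of the weak approach (not the library's actual implementation) beside a hardened check that resolves the URL with the WHATWG `URL` parser, compares origins, and fails closed when the URL cannot be parsed. The page origin and the sample target URLs are constructed; the leading-space case is the one from the advisory. It runs under Node.js.

```javascript
// Added example (not jquery-rails/jquery-ujs code): why a leading space defeats a
// regex-style same-origin check, and how an origin comparison built on a real URL
// parser closes the gap. Runs under Node.js (uses the global WHATWG URL class).

// The page origin, as a constructed sample value.
const PAGE_ORIGIN = "https://app.example.test";

// Naive check in the spirit of a "does the URL start with scheme://host" regex
// (illustrative; not the library's code). It treats anything it cannot match as a
// relative, same-origin URL, which is the wrong default: " https://attacker.example"
// (leading space) and "//attacker.example" (scheme-relative) both fail to match.
const SCHEME_HOST_RE = /^([\w.+-]+:)\/\/([^\/?#]*)/;

function naiveIsCrossDomain(url, pageOrigin = PAGE_ORIGIN) {
  const m = SCHEME_HOST_RE.exec(url);
  if (!m) return false;                 // no scheme://host found -> assumed relative
  return `${m[1]}//${m[2]}` !== pageOrigin;
}

// Hardened check: resolve the candidate against the page origin with a real URL
// parser (which trims leading/trailing whitespace the way browsers do), then
// compare the resulting origin. Anything unparseable fails closed as cross-domain,
// and opaque origins ("null", e.g. data: URLs) never count as same-origin.
function isCrossDomain(url, pageOrigin = PAGE_ORIGIN) {
  let target;
  try {
    target = new URL(url, pageOrigin);
  } catch (e) {
    return true;                        // fail closed
  }
  return target.origin === "null" || target.origin !== new URL(pageOrigin).origin;
}

// Decide whether the CSRF token header may be attached to a request for `url`.
function shouldSendCsrfToken(url, checker = isCrossDomain) {
  return !checker(url);
}

// Constructed sample targets; the leading-space case is the advisory's scenario.
const SAMPLES = [
  "/posts/1",
  "https://app.example.test/posts/1",
  "https://attacker.example/collect",
  " https://attacker.example/collect",  // leading space
  "//attacker.example/collect",          // scheme-relative
];

// Compare both checks over the samples: where naiveSendsToken is true and
// hardenedSendsToken is false, the naive check would have leaked the token.
function compare(samples = SAMPLES) {
  return samples.map((u) => ({
    url: u,
    naiveSendsToken: shouldSendCsrfToken(u, naiveIsCrossDomain),
    hardenedSendsToken: shouldSendCsrfToken(u, isCrossDomain),
  }));
}

console.table(compare());
```

The important design choice is the default: the hardened check only returns "same-origin" after a successful parse and an exact origin match, so malformed or unusual input withholds the token rather than sending it.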
Changelog
*Sourced from jquery-rails's [changelog](https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md).*
> ## 4.3.3
>
> - update jquery to 3.3.1
>
> ## 4.3.2
>
> - update jquery to 3.3.0
> - Add possibility to test HTML: all, attribute prefix, attribute contains,
> attribute ends with, child, and class selectors
> - Fix matching multiple calls for the same selector/function exception
>
> ## 4.3.1
>
> - update jquery to 3.2.1
>
> ## 4.3.0
>
> - update jquery to 3.2.0
> - Add possibility to test HTML attribute selectors
>
> ## 4.2.2
>
> - update jquery to 3.1.1
>
> ## 4.2.1
>
> - update jquery to 3.1.0
>
> ## 4.2.0
>
> - Support jQuery 3.x
> - Update jquery-ujs to 1.2.2
> - Update jQuery to 1.12.4 and 2.2.4
>
> ## 4.1.1
>
> - Update jQuery to 1.12.1 and 2.2.1
> - Update jquery-ujs to 1.2.1
>
> ## 4.1.0
>
> - Update jQuery to 1.12.0 and 2.2.0
> - Update jquery-ujs to 1.2.0
>
> ## 4.0.5
>
> - Specify that Ruby version 1.9.3+ is required
> - Test on Ruby 2.2
> - Update jquery-ujs from 1.0.4 to 1.1.0
>
> ... (truncated)
Commits
- [`fa176d4`](https://github.com/rails/jquery-rails/commit/fa176d4d2b0bb730d9f7816591715f03d7fc4af9) Upgrade jQuery to 1.12.4
- [`c211b82`](https://github.com/rails/jquery-rails/commit/c211b829d08bc7f79394bb9f29d4f3305d2bb6cc) Fix jQuery version download task
- [`d42f68d`](https://github.com/rails/jquery-rails/commit/d42f68d0205f96221168f3cc28ba31ab47822c30) Release 3.1.4
- [`ecf65f0`](https://github.com/rails/jquery-rails/commit/ecf65f0954888ca60ad66ed06252cb0ffbf612bd) Fix IE7 bug on isCrossDomain check
- [`d0be832`](https://github.com/rails/jquery-rails/commit/d0be832723c3cdf9d39b9c006d3644b4d13926bb) Merge branch '3-1-2-sec' into 3-1-stable
- [`ee1ed3c`](https://github.com/rails/jquery-rails/commit/ee1ed3c8050a9723f62a618df5862ff3b85cc723) Release 3.1.3
- [`92f2a9d`](https://github.com/rails/jquery-rails/commit/92f2a9d28542aad7faf770adae99f608c5b1e2c9) Upgrade jquery-ujs to do proper checks for cross domain requests
- See full diff in [compare view](https://github.com/rails/jquery-rails/compare/v3.1.2...v3.1.5)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot ignore this [minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use [this|these] label[s]` will set the current labels as the default for future PRs for this repo and language
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)
Finally, you can contact us by mentioning @dependabot.