[Security] Bump laravel/framework from 8.36.1 to 8.44.0

[dependabot-preview[bot]]

Bumps laravel/framework from 8.36.1 to 8.44.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The PHP Security Advisories Database.

SQL Server LIMIT / OFFSET SQL Injection

Affected versions: >=6.0.0, =8.0.0, <8.40.0

Sourced from The GitHub Security Advisory Database.

SQL Server LIMIT / OFFSET SQL Injection in laravel/framework and illuminate/database

Impact

Those using SQL Server with Laravel and allowing user input to be passed directly to the limit and offset functions are vulnerable to SQL injection. Other database drivers such as MySQL and Postgres are not affected by this vulnerability.

Patches

This problem has been patched on Laravel versions 6.20.26 and 8.40.0.

Workarounds

You may workaround this vulnerability by ensuring that only integers are passed to the limit and offset functions, as well as the skip and take functions.

Affected versions: >= 8.0.0, < 8.40.0

Release notes

Sourced from laravel/framework's releases.

v8.44.0

Added

• Delegate lazy loading violation to method (#37480)
• Added force option to Illuminate/Foundation/Console/StorageLinkCommand (#37501, 3e547d2)

Fixed

• Fixed aggregates with having (#37487, c986e12)
• Bugfix passing errorlevel when command is run in background (#37479)

Changed

• Init the traits when the model is being unserialized (#37492)
• Relax the lazy loading restrictions (#37503)

v8.43.0

Added

• Added Illuminate\Auth\Authenticatable::getAuthIdentifierForBroadcasting() (#37408)
• Added eloquent strict loading mode (#37363)
• Added default timeout to NotPwnedVerifier validator (#37440, 45567e0)
• Added beforeQuery to base query builder (#37431)
• Added Illuminate\Queue\Jobs\Job::shouldFailOnTimeout() (#37450)
• Added ValidatorAwareRule interface (#37442)
• Added model support for database assertions (#37459)

Fixed

• Fixed eager loading one-of-many relationships with multiple aggregates (#37436)

Changed

• Improve signed url signature verification (#37432)
• Improve one-of-many performance (#37451)
• Update Illuminate/Pagination/Cursor::parameter() (#37458)
• Reconnect the correct connection when using ::read or ::write (#37471, d1a32f9)

v8.42.1

Added

• Add default "_of_many" to join alias when relation name is table name (#37411)

Changed

• Allow dababase password to be null in MySqlSchemaState (#37418)
• Accept any instance of Rule and not just Password in password rule (#37407)

Fixed

• Fixed aggregates (e.g.: withExists) for one of many relationships (#37413, 498e1a0)

v8.42.0

Added

• Support views in SQLServerGrammar (#37348)
• Added new assertDispatchedSync methods to BusFake (#37350, 414f382)
• Added withExists method to QueriesRelationships (#37302)

... (truncated)

Changelog

Sourced from laravel/framework's changelog.

v8.44.0 (2021-05-27)

Added

• Delegate lazy loading violation to method (#37480)
• Added force option to Illuminate/Foundation/Console/StorageLinkCommand (#37501, 3e547d2)

Fixed

• Fixed aggregates with having (#37487, c986e12)
• Bugfix passing errorlevel when command is run in background (#37479)

Changed

• Init the traits when the model is being unserialized (#37492)
• Relax the lazy loading restrictions (#37503)

v8.43.0 (2021-05-25)

Added

• Added Illuminate\Auth\Authenticatable::getAuthIdentifierForBroadcasting() (#37408)
• Added eloquent strict loading mode (#37363)
• Added default timeout to NotPwnedVerifier validator (#37440, 45567e0)
• Added beforeQuery to base query builder (#37431)
• Added Illuminate\Queue\Jobs\Job::shouldFailOnTimeout() (#37450)
• Added ValidatorAwareRule interface (#37442)
• Added model support for database assertions (#37459)

Fixed

• Fixed eager loading one-of-many relationships with multiple aggregates (#37436)

Changed

• Improve signed url signature verification (#37432)
• Improve one-of-many performance (#37451)
• Update Illuminate/Pagination/Cursor::parameter() (#37458)
• Reconnect the correct connection when using ::read or ::write (#37471, d1a32f9)

v8.42.1 (2021-05-19)

Added

• Add default "_of_many" to join alias when relation name is table name (#37411)

Changed

• Allow dababase password to be null in MySqlSchemaState (#37418)
• Accept any instance of Rule and not just Password in password rule (#37407)

Fixed

• Fixed aggregates (e.g.: withExists) for one of many relationships (#37413, 498e1a0)

v8.42.0 (2021-05-18)

... (truncated)

Commits

• 7b3b27d version
• f26816d relax the lazy loading restrictions (#37503)
• e0402fc Merge branch 'force-storage-link' into 8.x
• 3e547d2 formatting
• 41c47ef [8.x] Init the traits when the model is being unserialized (#37492)
• e4b509e Extract removable symlink check to method
• f3493fc Mark MaintenanceModeException as deprecated (#37497)
• 968a364 Update signature formatting
• 795710d Force symlink recreation
• 3062083 Fix types of Console\Command properties (#37495)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will not automatically merge this PR because it includes a minor update to a production dependency.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)