Skip to content

[Security] Bump swagger-ui from 3.23.5 to 3.24.0#144

Merged
eFrane merged 1 commit into
masterfrom
dependabot/npm_and_yarn/swagger-ui-3.24.0
Jan 8, 2020
Merged

[Security] Bump swagger-ui from 3.23.5 to 3.24.0#144
eFrane merged 1 commit into
masterfrom
dependabot/npm_and_yarn/swagger-ui-3.24.0

Conversation

@dependabot-preview

@dependabot-preview dependabot-preview Bot commented Oct 14, 2019

Copy link
Copy Markdown
Contributor

Bumps swagger-ui from 3.23.5 to 3.24.0.

Release notes

Sourced from swagger-ui's releases.

Swagger UI 3.24.0 Released!

Changelog
  • feature: add PKCE support for OAuth2 Authorization Code flows (#5361)
  • fix: parameterMacro functionality for OAS3 (#5617)
  • fix(validateParam): validate JSON values + support Parameter.content (#5657)
  • fix: overweight dependencies in PKCE implementation (#5658)

Swagger UI 3.23.11 Released!

⚠️ This release contains a security fix that addresses a CSS-based input field value exfiltration vulnerability. If you use Swagger UI to display untrusted OpenAPI documents, you should upgrade to this version ASAP.

Changelog

  • fix: mitigate "sequential @import chaining" vulnerability (via #5616)

Swagger UI 3.23.10 Released!

This release fixes two bugs: one visual issue within static documentation, and another within runtime validation for Array-typed parameters.

Changelog

  • fix: <Select disabled> for type: string + enum schemas (#5601)
  • fix: accept string-represented values in required array runtime validation (#5609)

Swagger UI 3.23.9 Released!

This release changes the default value for the validatorUrl configuration option from https://online.swagger.io/validator to https://validator.swagger.io/validator.

Swagger UI 3.23.8 Released!

This release fixes an issue with Swagger 2.0 required body parameter runtime validation (#5583) that was introduced in v3.23.7.

Swagger UI 3.23.7 Released!

This release includes new support for display and Try-It-Out functionality of OAS 3.0 Parameter.content values.

Changelog

  • feature: support for Parameter.content (#5571)
  • housekeeping(dev-deps): babel-plugin-transform-react-remove-prop-types@0.4.24
  • 43db164a 2019-08-27 | docs: clarify that preauthorizeApiKey works for OAS3 Bearer auth too (#5566)

Swagger UI 3.23.6 Released!

This release fixes a React warning originating in Swagger UI and a CSS class name collision with Bootstrap 4.0.

It also includes several in-range updates to minimum dependency versions.

Changelog

  • fix: React warning related to "true" used as boolean (via #5497)
  • fix: remove .col class that causes collision with Bootstrap (via #5541)
Commits
  • 7e5974c release: v3.24.0
  • 25025cb fix: overweight dependencies in PKCE implementation (#5658)
  • 75a0e5d fix(validateParam): validate JSON parameter values + support `Parameter.conte...
  • 71a17f8 housekeeping: use HTTPS links in README.md (#5651)
  • 7317fff housekeeping: add homepage URL to package.json (#5652)
  • 9253c0b improvement: add \<title> tag to oauth2-redirect.html (#5644)
  • 139592e feat: add PKCE support for OAuth2 Authorization Code flows (#5361)
  • 8cabcff housekeeping: document Docker OAUTH2_REDIRECT_URL option (#5641)
  • fa351aa housekeeping: npm audit concerns (#5640)
  • 93f7a82 housekeeping(deps): dompurify v2 (#5634)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview dependabot-preview Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Oct 14, 2019
@dependabot-preview

Copy link
Copy Markdown
Contributor Author

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects swagger-ui
A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

Affected versions: ["< 3.23.11"]

@dependabot-preview dependabot-preview Bot changed the title Bump swagger-ui from 3.23.5 to 3.24.0 [Security] Bump swagger-ui from 3.23.5 to 3.24.0 Oct 15, 2019
@dependabot-preview dependabot-preview Bot added the security Pull requests that address a security vulnerability label Oct 15, 2019
@dependabot-preview dependabot-preview Bot force-pushed the dependabot/npm_and_yarn/swagger-ui-3.24.0 branch from 9e3f7ab to e083c4d Compare November 22, 2019 13:13
Bumps [swagger-ui](https://github.com/swagger-api/swagger-ui) from 3.23.5 to 3.24.0.
- [Release notes](https://github.com/swagger-api/swagger-ui/releases)
- [Commits](swagger-api/swagger-ui@v3.23.5...v3.24.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview Bot force-pushed the dependabot/npm_and_yarn/swagger-ui-3.24.0 branch from e083c4d to b4da632 Compare December 2, 2019 19:26
@eFrane eFrane merged commit b4da632 into master Jan 8, 2020
@dependabot-preview dependabot-preview Bot deleted the dependabot/npm_and_yarn/swagger-ui-3.24.0 branch January 8, 2020 10:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code security Pull requests that address a security vulnerability

Development

Successfully merging this pull request may close these issues.

1 participant