-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update dependency jquery-ui-rails to v7 [SECURITY] #2655
Open
renovate
wants to merge
1
commit into
master
Choose a base branch
from
renovate/rubygems-jquery-ui-rails-vulnerability
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
from
April 12, 2024 16:45
698ebb8
to
15faf5c
Compare
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
3 times, most recently
from
May 17, 2024 01:47
1b19803
to
083c8a3
Compare
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
from
June 12, 2024 04:47
083c8a3
to
2bb963c
Compare
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
from
June 22, 2024 03:49
2bb963c
to
1eb58d0
Compare
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
3 times, most recently
from
July 22, 2024 04:29
0e50234
to
2c852d9
Compare
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
3 times, most recently
from
August 2, 2024 09:18
80eebd9
to
438a0ba
Compare
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
from
August 11, 2024 04:14
438a0ba
to
7340604
Compare
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
from
August 22, 2024 08:25
7340604
to
e2e3da3
Compare
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
7 times, most recently
from
September 4, 2024 17:11
38e6a01
to
fc8cfaf
Compare
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
2 times, most recently
from
September 7, 2024 06:55
fd24f99
to
b49b9a0
Compare
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
from
September 30, 2024 12:29
b49b9a0
to
c1a8488
Compare
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
4 times, most recently
from
October 21, 2024 13:29
afc66fa
to
c72d955
Compare
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
from
October 25, 2024 04:28
c72d955
to
1d64ec2
Compare
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
2 times, most recently
from
November 2, 2024 04:34
6d2fde5
to
bff27d6
Compare
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
2 times, most recently
from
November 8, 2024 10:55
d1fe0f5
to
340bfb6
Compare
renovate
bot
changed the title
Update dependency jquery-ui-rails to v7 [SECURITY]
chore(deps): update dependency jquery-ui-rails to v7 [security]
Nov 8, 2024
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
5 times, most recently
from
November 14, 2024 08:27
4d25d65
to
fa79102
Compare
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
from
November 19, 2024 08:35
fa79102
to
8c2fd99
Compare
|
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
from
November 19, 2024 08:51
8c2fd99
to
5ffdc54
Compare
renovate
bot
force-pushed
the
renovate/rubygems-jquery-ui-rails-vulnerability
branch
from
November 26, 2024 11:32
5ffdc54
to
b629724
Compare
renovate
bot
changed the title
chore(deps): update dependency jquery-ui-rails to v7 [security]
Update dependency jquery-ui-rails to v7 [SECURITY]
Nov 26, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
'6.0.1'
->'7.0.0'
GitHub Vulnerability Alerts
CVE-2021-41182
Impact
Accepting the value of the
altField
option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:will call the
doEvilThing
function.Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the
altField
option is now treated as a CSS selector.Workarounds
A workaround is to not accept the value of the
altField
option from untrusted sources.For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
CVE-2021-41183
Impact
Accepting the value of various
*Text
options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:will call
doEvilThing
with 6 different parameters coming from all*Text
options.Patches
The issue is fixed in jQuery UI 1.13.0. The values passed to various
*Text
options are now always treated as pure text, not HTML.Workarounds
A workaround is to not accept the value of the
*Text
options from untrusted sources.For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
CVE-2021-41184
Impact
Accepting the value of the
of
option of the.position()
util from untrusted sources may execute untrusted code. For example, invoking the following code:will call the
doEvilThing()
function.Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the
of
option is now treated as a CSS selector.Workarounds
A workaround is to not accept the value of the
of
option from untrusted sources.For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
Release Notes
joliss/jquery-ui-rails (jquery-ui-rails)
v7.0.0
Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.