
v7.21

@cpl-automation cpl-automation released this 02 Mar 16:31
· 403 commits to main since this release
50cbc39

Release Notes

This update provides important bug fixes and improvements.

Canvas Connect

New Features

  • New host validation workflow: platform-provided endpoints are now checked against an allowlist before they are saved or redirected to. Allowed hosts are configured at the config.toml level. Use pingpong lti suggest-config-from-db to get configuration suggestions based on the existing LTI Registration entries.

Updates & Improvements

  • The LTI platform configuration suggestions produced by pingpong lti suggest-config-from-db now incorporate class membership data as an additional source for building URL allowlists.
  • Use --suppress-registration-prints with pingpong lti suggest-config-from-db to hide the per-registration source lines at the end of text output. The default --show-registration-prints maintains current behavior.

UI

Updates & Improvements

  • Better handling of polling for a thread to complete streaming in another window.

Internal

Updates & Improvements

  • Dependency updates.
  • Update the minimatch dependency to >=10.2.3 to resolve two ReDoS advisories: "matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments" and "nested *() extglobs generate catastrophically backtracking regular expressions".
  • Remove unnecessary pnpm dependency version overrides.
  • Remove create release and release-v2 workflows that are no longer used.
  • Update deprecated version getsentry/action-release action identifier to release.
  • [Code Quality] Lock pnpm/action-setup version in workflows.
  • [Code Quality] Lock anthropics/claude-code-action version in workflows.
  • [Code Quality] Lock getsentry/action-release version in workflows.
  • [Code Quality] Remove a console error logging call that triggers a false positive CodeQL "Clear-text logging of sensitive information" check.
  • [Code Quality] Update logging in the LTI key store to resolve a "Clear-text logging of sensitive information" CodeQL false positive.
  • [Code Quality] Update URL validation functions in LTI module to resolve CodeQL "URL redirection from remote source" false positive.
  • [Code Quality] Update the alembic script and existing migration files to resolve CodeQL's py/unused-global-variable alerts.
  • [Code Quality] Update Python code to resolve CodeQL's py/empty-except.
  • [Code Quality] Update Python code to resolve CodeQL's py/ineffectual-statement.
  • [Code Quality] Update Python code to resolve CodeQL's py/unnecessary-pass.
  • [Code Quality] Update Python code to resolve CodeQL's py/multiple-definition.
  • [Code Quality] Update Python code to resolve CodeQL's py/mixed-returns.
  • [Code Quality] Update Python code to resolve CodeQL's py/catch-base-exception.
  • [Code Quality] Update Python code to resolve CodeQL's py/unreachable-statement.
  • [Code Quality] Update Python code to resolve CodeQL's py/not-named-cls.
  • [Code Quality] Update Python code to resolve CodeQL's py/unused-local-variable.
  • [Code Quality] Update TypeScript code to resolve CodeQL's js/superfluous-trailing-arguments.
  • [Code Quality] Update TypeScript code to resolve CodeQL's js/useless-assignment-to-local.
  • [Code Quality] Update TypeScript code to resolve CodeQL's js/unreachable-statement.
  • [Code Quality] Update TypeScript code to resolve CodeQL's js/trivial-conditional.
  • [Code Quality] Update TypeScript code to resolve CodeQL's js/call-to-non-callable.
  • Bump MIT license year.

Resolved Issues

  • [Code Quality] Fixed log injection issues by sanitizing log entries that depend on a user-provided value.
  • [Code Quality] Fixed a "checkout of untrusted code in a trusted context" finding in the GitHub workflows. Workflows can be triggered by repository events such as incoming pull requests or comments on issues and PRs; using a privileged trigger such as pull_request_target or issue_comment and then explicitly checking out untrusted code (the pull request HEAD) can lead to repository compromise if that code (for example a modified build script) is executed in the privileged job.
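The log injection fix above sanitizes log entries that depend on a user-provided value. As an added example, not the project's code, the block below shows one such sanitizer and why it is needed: a value containing a newline, logged unchanged, yields a second, forged log line, while the sanitized value stays on one line. The logger names, message format and the FORGED_CLIENT_ID input are constructed for the demonstration; passing the value as a %s argument to the logger does not by itself prevent the injection, only the sanitizer does.

```python
"""Log-injection sanitizer with a before/after demonstration (added example)."""
from __future__ import annotations

import io
import logging
import re

# Characters that can start a new line or otherwise reshape log output:
# C0 controls, DEL, C1 controls and the Unicode line/paragraph separators
# (str.splitlines, and many log viewers, break on all of these).
_LOG_UNSAFE = re.compile(r"[\x00-\x1f\x7f-\x9f\u2028\u2029]")


def _escape(match: re.Match[str]) -> str:
    code = ord(match.group())
    return f"\\x{code:02x}" if code < 0x100 else f"\\u{code:04x}"


def sanitize_for_log(value: object, max_len: int = 200) -> str:
    """Render a user-controlled value so it cannot forge or split log lines.

    Control characters are replaced with visible escapes rather than dropped,
    so the attempt itself remains visible to whoever reads the log.
    """
    text = _LOG_UNSAFE.sub(_escape, str(value))
    if len(text) > max_len:  # bound the size so a value cannot flood the log
        text = text[:max_len] + "...[truncated]"
    return text


# Constructed attacker-controlled value: a client_id that embeds a newline
# followed by text shaped like a legitimate log record.
FORGED_CLIENT_ID = "abc\nINFO registration lookup client_id=trusted-platform"


def emit(value: object, sanitize: bool) -> list[str]:
    """Log one record about `value` and return the resulting log lines."""
    stream = io.StringIO()
    logger = logging.getLogger(f"lti.demo.{'sanitized' if sanitize else 'raw'}")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.handlers = [handler]
    shown = sanitize_for_log(value) if sanitize else value
    logger.info("registration lookup client_id=%s", shown)
    handler.flush()
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    for line in emit(FORGED_CLIENT_ID, sanitize=False):
        print("raw      |", line)
    for line in emit(FORGED_CLIENT_ID, sanitize=True):
        print("sanitized|", line)
```

Running the block prints two "raw" lines, the second of which looks like a genuine record about a different client, and one "sanitized" line in which the newline appears as \x0a.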

Deployment Information

Schema Upgrade: No
Migration Script: No
Permissions Update: No
Task Definition Update: No
Configuration Update: YES

Deployment Details

  • Configuration Update: Set lti.platform_url_allowlist and lti.openid_configuration_paths.

Related PRs

  • deps(web-dev): bump rollup from 4.58.0 to 4.59.0 in /web/pingpong by @dependabot[bot] in #1453
  • deps(web-dev): bump svelte from 5.53.2 to 5.53.5 in /web/pingpong by @dependabot[bot] in #1452
  • chore: bump minimatch to >=10.2.3 by @ekassos in #1454
  • fix(security): Log Injection by @ekassos in #1455
  • security: Checkout of untrusted code in trusted context by @ekassos in #1456
  • chore: remove unused workflows by @ekassos in #1457
  • security: lock pnpm/action-setup version by @ekassos in #1458
  • security: lock anthropics/claude-code-action version by @ekassos in #1459
  • security: lock getsentry/action-release version by @ekassos in #1460
  • chore: update deprecated 'version' sentry action identifier to 'release' by @ekassos in #1461
  • feat: validate allowed canvas connect hosts by @ekassos in #1462
  • chore: clean up error logging that triggers CodeQL false positive by @ekassos in #1463
  • chore: update key store logging to resolve CodeQL false positive by @ekassos in #1465
  • feat(lti): update url validation that triggers CodeQL false positive by @ekassos in #1464
  • feat(lti): update url validation that triggers CodeQL false positive by @ekassos in #1466
  • chore/ resolve CodeQL's py/unused-global-variable in alembic files by @ekassos in #1467
  • chore/ resolve CodeQL's py/empty-except by @ekassos in #1468
  • chore/ resolve CodeQL's py/ineffectual-statement by @ekassos in #1469
  • chore/ resolve CodeQL's py/unnecessary-pass by @ekassos in #1470
  • chore/ resolve CodeQL's py/multiple-definition by @ekassos in #1471
  • chore/ resolve CodeQL's py/mixed-returns by @ekassos in #1472
  • chore/ resolve CodeQL's py/catch-base-exception by @ekassos in #1473
  • chore/ resolve CodeQL's py/unreachable-statement by @ekassos in #1474
  • chore/ resolve CodeQL's py/not-named-cls by @ekassos in #1475
  • chore/ resolve CodeQL's py/unused-local-variable by @ekassos in #1476
  • chore/ resolve CodeQL's js/superfluous-trailing-arguments by @ekassos in #1477
  • chore/ resolve CodeQL's js/useless-assignment-to-local by @ekassos in #1478
  • chore/ resolve CodeQL's js/unreachable-statement by @ekassos in #1479
  • chore/ resolve CodeQL's js/trivial-conditional by @ekassos in #1480
  • chore/ resolve CodeQL's js/call-to-non-callable by @ekassos in #1481
  • deps(web): bump the production-dependencies group in /web/pingpong with 3 updates by @dependabot[bot] in #1482
  • deps(gha): bump the github-actions group with 4 updates by @dependabot[bot] in #1483
  • deps(web-dev): bump the development-dependencies group in /web/pingpong with 11 updates by @dependabot[bot] in #1484
  • chore: bump MIT license year by @ekassos in #1485
  • feat(lti): add LTIClass membership URL to suggest configuration by @ekassos in #1486

Full Changelog: v1085+srv551.web379...v1112+srv567.web389