chore(deps): update dependency view_component to v2.83.0 [security] #23
Open: renovate wants to merge 1 commit into main from renovate/rubygems-view_component-vulnerability
Conversation
⚠ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below:
File name: Gemfile.lock
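Because Renovate could not rewrite Gemfile.lock, the lockfile in this branch still pins whatever version was there before, so a reviewer has to check it by hand. The following is an added example, not Renovate's or the view_component project's code: a small Ruby script that parses a Gemfile.lock (the fragment is constructed for this example) and decides whether the locked view_component is in a release line fixed for CVE-2024-21636. The fixed versions come from this page: 2.83.0 (this PR, "Ensure HTML output safety") and 3.9.0 (the advisory). Function names and the sample lock content are assumptions.

```ruby
require "rubygems" # Gem::Version; loaded by default, stated explicitly

# First fixed release per major line, as given on this page. A flat
# ">= 2.83.0" test would wrongly pass 3.0.0 through 3.8.x, so key by major.
FIXED_BY_LINE = {
  2 => Gem::Version.new("2.83.0"),
  3 => Gem::Version.new("3.9.0")
}.freeze

# Constructed Gemfile.lock fragment (not the PR's real lockfile). Spec entries
# sit exactly 6 spaces deep; their dependency constraints are 8 deep.
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    actionview (7.0.8)
    view_component (2.53.0)
      activesupport (>= 5.2.0, < 8.0)
      concurrent-ruby (~> 1.0)
      method_source (~> 1.0)

PLATFORMS
  ruby

DEPENDENCIES
  view_component

BUNDLED WITH
   2.4.22
LOCK

# Returns { "gem_name" => Gem::Version } for every direct spec entry in the
# specs: block. Platform-suffixed versions such as "1.15.4-x86_64-linux" are
# accepted by Gem::Version and are kept as-is.
def locked_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if line.strip.empty? || line =~ /\A[A-Z]/ # new section
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# :fixed / :vulnerable for 2.x and 3.x; :unknown_line for majors this page
# says nothing about (do not assume they are safe).
def status_for_version(version_string)
  version = Gem::Version.new(version_string)
  fixed = FIXED_BY_LINE[version.segments.first]
  return :unknown_line if fixed.nil?
  version >= fixed ? :fixed : :vulnerable
end

def view_component_status(lock_text)
  version = locked_versions(lock_text)["view_component"]
  return :not_locked if version.nil?
  status_for_version(version.to_s)
end

if $PROGRAM_NAME == __FILE__
  puts "view_component in sample lock: #{view_component_status(SAMPLE_LOCK)}"
end
```

Point the script at the real Gemfile.lock (`File.read`) instead of SAMPLE_LOCK; note that in the squiggly heredoc above the least indented line is flush-left, so the spec entries end up 4 spaces deep, which is why the regex matches 4 spaces rather than the 6 of an on-disk lockfile. Adjust the count when reading a real file.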
renovate bot changed the title from "chore(deps): update dependency view_component to v3 [security]" to "chore(deps): update dependency view_component to v2.83.0 [security]" on Jan 9, 2024
renovate bot changed the title from "chore(deps): update dependency view_component to v2.83.0 [security]" to "chore(deps): update dependency view_component to v2.83.0 [security] - autoclosed" on Jul 8, 2024
renovate bot changed the title from "chore(deps): update dependency view_component to v2.83.0 [security] - autoclosed" to "chore(deps): update dependency view_component to v2.83.0 [security]" on Jul 14, 2024
renovate bot force-pushed the renovate/rubygems-view_component-vulnerability branch from ebb4df8 to bcbd005 on July 14, 2024 09:50
renovate bot changed the title from "chore(deps): update dependency view_component to v2.83.0 [security]" to "chore(deps): update dependency view_component to v2.83.0 [security] - autoclosed" on Jul 27, 2024
renovate bot changed the title from "chore(deps): update dependency view_component to v2.83.0 [security] - autoclosed" to "chore(deps): update dependency view_component to v2.83.0 [security]" on Jul 28, 2024
renovate bot force-pushed the renovate/rubygems-view_component-vulnerability branch from bcbd005 to 71dbf8c on July 28, 2024 14:41
renovate bot changed the title from "chore(deps): update dependency view_component to v2.83.0 [security]" to "chore(deps): update dependency view_component to v2.83.0 [security] - autoclosed" on Aug 25, 2024
renovate bot deleted the renovate/rubygems-view_component-vulnerability branch on August 25, 2024 02:29
renovate bot restored the renovate/rubygems-view_component-vulnerability branch on August 28, 2024 09:48
renovate bot changed the title from "chore(deps): update dependency view_component to v2.83.0 [security] - autoclosed" to "chore(deps): update dependency view_component to v2.83.0 [security]" on Aug 28, 2024
renovate bot force-pushed the renovate/rubygems-view_component-vulnerability branch from 71dbf8c to 4ee6cec on August 28, 2024 09:49
Labels: None yet. 0 participants.
This PR contains the following updates: view_component 2.53.0 -> 2.83.0
GitHub Vulnerability Alerts
CVE-2024-21636
Impact
What kind of vulnerability is it? Who is impacted?
This is an XSS vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content.
In addition, the return value of the `#output_postamble` method is not sanitized, which can also lead to XSS issues.
Patches
Has the problem been patched? What versions should users upgrade to?
Version 3.9.0 has been released and fully mitigates both the `#call` and the `#output_postamble` vulnerabilities.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Sanitize the return value of `#call`, eg:
References
Are there any links users can visit to find out more?
https://github.com/ViewComponent/view_component/pull/1950
For more information
If you have any questions or comments about this advisory:
Open an issue in the github/view_component project.
Release Notes
viewcomponent/view_component (view_component)
v2.83.0
- Ensure HTML output safety. (Cameron Dutro)

v2.82.0
- Revert "Avoid loading ActionView::Base during initialization (#1528)". (Jon Rohan)
- Fix tests using `with_rendered_component_path` with custom layouts. (Ian Hollander)

v2.81.0
- Adjust the way response objects are set on the preview controller to work around a recent change in Rails main. (Cameron Dutro)
- Fix typo in "Generate a Stimulus controller" documentation. (Ben Trewern)
- Modify the `render_in_view_context` test helper to forward its args to the block. (Cameron Dutro)

v2.80.0
- Move system test endpoint out of the unrelated previews controller. (Edwin Mak)
- Display Ruby 2.7 deprecation notice only once, when starting the application. (Henrik Hauge Bjørnskov)
- Require Rails 5.2+ in gemspec and update documentation. (Drew Bragg)
- Add documentation for using `with_rendered_component_path` with RSpec. (Edwin Mak)

v2.79.0
- Add ability to pass explicit `preview_path` to preview generator. (Erinna Chen)
- Add `with_rendered_component_path` helper for writing component system tests. (Edwin Mak)
- Include gem name and deprecation horizon in every deprecation message. (Jan Klimo)

v2.78.0
- Support variants with dots in their names. (Javi Martín)

v2.77.0
- Support variants with dashes in their names. (Javi Martín)

v2.76.0
- `Component.with_collection` supports components that accept splatted keyword arguments. (Zee Spencer)
- Remove `config.view_component.use_consistent_rendering_lifecycle` since it is no longer planned for 3.0. (Blake Williams)
- Prevent polymorphic slots from calculating `content` when setting a slot. (Blake Williams)
- Add ability to pass in the preview class to `render_preview`. (Jon Rohan)
- Fix issue causing PVC tests to fail in CI. (Cameron Dutro)
- Fix YARD docs build task. (Hans Lemuet)
- Add Startup Jobs to list of companies using ViewComponent. (Marc Köhlbrugge)
- Run PVC's accessibility tests in a single process to avoid resource contention in CI. (Cameron Dutro)

v2.75.0
- Avoid loading ActionView::Base during Rails initialization. (Jonathan del Strother)
- Mention lambda slots rendering returned values lazily in the guide. (Graham Rogers)
- Add "ViewComponent In The Wild" articles to resources. (Alexander Baygeldin)

v2.74.1
- Add more users of ViewComponent to docs. (Joel Hawksley)
- Add a known issue for usage with `turbo_frame_tag` to the documentation. (Vlad Radulescu)
- Add note about system testing components with previews. (Joel Hawksley)
- Remove locking mechanisms from the compiler. (Cameron Dutro)

v2.74.0
- Add Avo to list of companies using ViewComponent. (Adrian Marin)
- Promote experimental `_output_postamble` method to public API as `output_postamble`. (Joel Hawksley)
- Promote experimental `_sidecar_files` method to public API as `sidecar_files`. (Joel Hawksley)
- Fix `show_previews` regression introduced in 2.73.0. (Andy Baranov)
- `with_request_url` test helper supports router constraints (such as Devise). (Aotokitsuruya)

v2.73.0
- Remove experimental `_after_compile` lifecycle method. (Joel Hawksley)
- Fix capitalization of JavaScript in docs. (Erinna Chen)
- Add PrintReleaf to list of companies using ViewComponent. (Ry Kulp)
- Simplify CI configuration to a single build per Ruby/Rails version. (Joel Hawksley)
- Correctly document `generate.sidecar` config option. (Ruben Smit)
- Add Yobbers to list of companies using ViewComponent. (Anton Prins)

v2.72.0
- Deprecate support for Ruby < 2.7 for removal in v3.0.0. (Joel Hawksley)
- Add `changelog_uri` to gemspec. (Joel Hawksley)
- Link to `CHANGELOG.md` instead of symlink. (Joel Hawksley)
- Add Aluuno to list of companies using ViewComponent. (Daniel Naves de Carvalho)
- Add `source_code_uri` to gemspec. (Yoshiyuki Hirano)
- Update link to benchmark script in docs. (Daniel Diekmeier)
- Add special exception message for `renders_one :content` explaining that content passed as a block will be assigned to the `content` accessor without having to create an explicit slot. (Daniel Diekmeier)

v2.71.0
- ViewComponent has moved to a new organization: https://github.com/viewcomponent/view_component. See #1424 for more details.

v2.70.0
- `render_preview` can pass parameters to preview. (Joel Hawksley)
- Fix docs typos. (Joel Hawksley)
- Add architectural decisions to documentation and rename sidebar sections. (Joel Hawksley)
- Clarify documentation on testability of Rails views. (Joel Hawksley)
- Add Arrows to list of companies using ViewComponent. (Matt Swanson)
- Add WIP to list of companies using ViewComponent. (Marc Köhlbrugge)
- Update slots documentation to include how to reference slots. (Brittany Ellich)
- Add Clio to list of companies using ViewComponent. (Mike Buckley)

v2.69.0
- Add missing `require` to fix `pvc` build. (Joel Hawksley)
- Add `config.view_component.use_consistent_rendering_lifecycle` to ensure side-effects in `content` are consistently evaluated before components are rendered. This change effectively means that `content` is evaluated for every component render where `render?` returns true. As a result, code that's passed to a component via a block/content will now always be evaluated, before `#call`, which can reveal bugs in existing components. This configuration option defaults to `false` but will be enabled in 3.0 and the old behavior will be removed. (Blake Williams)
- Update Prism to version 1.28.0. (Thomas Hutterer)
- Corrects the deprecation warning for named slots to show the file and line where the slot is called. (River Bailey)

v2.68.0
- Update `gemspec` author to be ViewComponent team. (Joel Hawksley)
- Fix bug where `ViewComponent::Compiler` wasn't required. (Joel Hawksley)

v2.67.0
- Use ViewComponent::Base.config as the internal endpoint for config. (Simon Fish)
- Fix bug where `#with_request_url`, when used with query string, set the incorrect `request.path` and `request.fullpath`. (Franz Liedke)
- Add link to ViewComponentAttributes in Resources section of docs. (Romaric Pascal)
- `render_preview` test helper is available by default. It is no longer necessary to include `ViewComponent::RenderPreviewHelper`. (Joel Hawksley)

v2.66.0
- Add missing `generate.sidecar`, `generate.stimulus_controller`, `generate.locale`, `generate.distinct_locale_files`, `generate.preview` config options to `config.view_component`. (Simon Fish)

v2.65.0
- Raise `ArgumentError` when conflicting Slots are defined. Before this change it was possible to define Slots with conflicting names, for example:
  (Joel Hawksley)

v2.64.0
- Add `warn_on_deprecated_slot_setter` flag to opt-in to deprecation warning. In v2.54.0, the Slots API was updated to require the `with_*` prefix for setting Slots. The non-`with_*` setters will be deprecated in a coming version and removed in `v3.0`. To enable the coming deprecation warning, add `warn_on_deprecated_slot_setter`:
  (Joel Hawksley)
- Add `m` to development environment. (Joel Hawksley)
- Fix potential deadlock scenario in the compiler's development mode. (Blake Williams)

v2.63.0
- Fixed typo in `renders_many` documentation. (Graham Rogers)
- Add documentation about working with `turbo-rails`. (Matheus Poli Camilo)
- Fix issue causing helper methods to not be available in nested components when the render monkey patch is disabled and `render_component` is used. (Daniel Scheffknecht)

v2.62.0
- Remove the experimental global output buffer feature. Restore functionality that used to attempt to compile templates on each call to `#render_in`. Un-pin `rails` `main` dependency. (Cameron Dutro)
- Add blank space between "in" and "ViewComponent" in a deprecation warning. (Vikram Dighe)
- Add HappyCo to list of companies using ViewComponent. (Josh Clayton)

v2.61.1
- Revert "Expose Capybara DSL methods directly inside tests." This change unintentionally broke other Capybara methods and thus introduced a regression. We aren't confident that we can fail forward so we have decided to revert this change. (Joel Hawksley, Blake Williams)
- Revert change making content evaluation consistent. (Blake Williams)
- Pin `rails` `main` dependency due to incompatibility with Global Output Buffer. (Joel Hawksley)

v2.61.0
- Ensure side-effects in `content` are consistently evaluated before components are rendered. This change effectively means that `content` is evaluated for every component render where `render?` returns true. As a result, code that is passed to a component via a block/content will now always be evaluated, before `#call`, which can reveal bugs in existing components. (Blake Williams)

v2.60.0
- Add support for `render_preview` in RSpec tests. (Thomas Hutterer)

v2.59.0
- Expose Capybara DSL methods directly inside tests. The following Capybara methods are now available directly without having to use the `page` method: `all`, `first`, `text`, `find`, `find_all`, `find_button`, `find_by_id`, `find_field`, `find_link`, `has_content?`, `has_text?`, `has_css?`, `has_no_content?`, `has_no_text?`, `has_no_css?`, `has_no_xpath?`, `has_xpath?`, `has_link?`, `has_no_link?`, `has_button?`, `has_no_button?`, `has_field?`, `has_no_field?`, `has_checked_field?`, `has_unchecked_field?`, `has_no_table?`, `has_table?`, `has_select?`, `has_no_select?`, `has_selector?`, `has_no_selector?`, `has_no_checked_field?`, `has_no_unchecked_field?`.
  Add support for `within*` Capybara DSL methods: `within`, `within_element`, `within_fieldset`, `within_table`. (Jacob Carlborg)

v2.58.0
- Welcome to the team, Hans and Simon! ❤️ Add @boardfish and @spone as maintainers. (Joel Hawksley, Cameron Dutro, Blake Williams)
- Switch to `standardrb`. (Joel Hawksley)
- Add BootrAils article to resources. (Joel Hawksley)
- Re-compile updated, inherited templates when class caching is disabled. (Patrick Arnett)
- Add the latest version to the docs index. Improve the docs: add the versions various features were introduced in. (Hans Lemuet)
- Update docs to reflect lack of block content support in controllers. (Joel Hawksley)
- Prevent adding duplicates to `autoload_paths`. (Thomas Hutterer)
- Add FreeAgent to list of companies using ViewComponent. (Simon Fish)
- Include polymorphic slots in `ViewComponent::Base` by default. (Cameron Dutro)
- Add per-component config option for stripping newlines from templates before compilation. (Cameron Dutro)
- Add link to article by Matouš Borák. (Joel Hawksley)

v2.57.1
- Fix issue causing `NoMethodError`s when calling helper methods from components rendered as part of a collection. Fix syntax error in the ERB example in the polymorphic slots docs. (Cameron Dutro)

v2.57.0
- Add missing `require` for `Translatable` module in `Base`. (Hans Lemuet)
- Allow anything that responds to `#render_in` to be rendered in the parent component's view context. (Cameron Dutro)
- Fix script/release so it honors semver. (Cameron Dutro)

v2.56.2
- Restore removed `rendered_component`, marking it for deprecation in v3.0.0. (Tyson Gach, Richard Macklin, Joel Hawksley)

v2.56.1
- Rename private accessor `rendered_component` to `rendered_content`. (Yoshiyuki Hirano, Simon Dawson)

v2.56.0
- Introduce experimental `render_preview` test helper. Note: `@rendered_component` in `TestHelpers` has been renamed to `@rendered_content`. (Joel Hawksley)
- Move framework tests into sandbox application. (Joel Hawksley)
- Add G2 to list of companies that use ViewComponent. (Jack Shuff)
- Add Within3 to list of companies that use ViewComponent. (Drew Bragg)
- Add Mission Met to list of companies that use ViewComponent. (Nick Smith)
- Fix `#with_request_url` test helper not parsing nested query parameters into nested hashes. (Richard Marbach)

v2.55.0
- Add `render_parent` convenience method to avoid confusion between `<%= super %>` and `<% super %>` in template code. (Cameron Dutro)
- Add note about discouraging inheritance. (Joel Hawksley)
- Clean up grammar in documentation. (Joel Hawksley)
- The ViewComponent team at GitHub is hiring! We're looking for a Rails engineer with accessibility experience: https://boards.greenhouse.io/github/jobs/4020166. Reach out to joelhawksley@github.com with any questions!
- The ViewComponent team is hosting a happy hour at RailsConf. Join us for snacks, drinks, and stickers: https://www.eventbrite.com/e/viewcomponent-happy-hour-tickets-304168585427

v2.54.1
- Update docs dependencies. (Joel Hawksley)
- Resolve warning in slots API. Raise in the test environment when ViewComponent code emits a warning. (Blake Williams)

v2.54.0
- Add `with_*` slot API for defining slots. Note: we plan to deprecate the non-`with_*` API for slots in an upcoming release. (Blake Williams)
- Add QuickNode to list of companies that heavily rely on ViewComponent. (Luc Castera)
- Include the `Translatable` module by default. (Elia Schito)
- Update docs dependencies. (Joel Hawksley)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
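The advisory quoted in this PR says a component that implements `#call` (rather than a sidecar template) has its return value, and that of `#output_postamble`, inserted without sanitization; the v2.83.0 entry "Ensure HTML output safety" is the fix in this release line. The following is an added example, not code from the view_component project, from Renovate, or from this PR. It models the two rendering paths in plain Ruby so the behaviour can be run without Rails: `SafeString` stands in for ActiveSupport::SafeBuffer, the `VulnerableBase`/`PatchedBase` classes and the `UnsafeGreeting` component with its `@name` input are hypothetical, and the escaping rule in `PatchedBase` is my reading of the fix, not the gem's code. Only `call`, `output_postamble`, `render_in` and `html_safe?` are names the page or Rails actually use.

```ruby
require "erb"

# Stand-in for ActiveSupport::SafeBuffer (assumed model, not the Rails class):
# a SafeString claims it is already escaped HTML; any other String does not.
class String
  def html_safe?
    false
  end
end

class SafeString < String
  def html_safe?
    true
  end
end

# Pre-fix rendering path (modelled on view_component < 2.83.0 / < 3.9.0):
# whatever #call and #output_postamble return is appended verbatim.
class VulnerableBase
  def output_postamble
    ""
  end

  def render_in
    "#{call}#{output_postamble}"
  end
end

# Post-fix rendering path (modelled on "Ensure HTML output safety"): a return
# value that is not marked html_safe? is HTML-escaped before it is emitted.
class PatchedBase
  def output_postamble
    ""
  end

  def render_in
    maybe_escape(call) + maybe_escape(output_postamble)
  end

  private

  def maybe_escape(text)
    return "" if text.nil? || text.empty?
    return text if text.html_safe?
    # This branch escapes the component's own markup too; the gem's fix takes
    # the same approach and warns, because the real fix belongs in #call.
    ERB::Util.html_escape(text)
  end
end

# Hypothetical component that defines #call instead of a sidecar template and
# interpolates a user-controlled value (@name) into its markup.
module UnsafeGreeting
  def initialize(name)
    @name = name
  end

  def call
    "<h1>Hello, #{@name}</h1>"           # plain String: nothing escapes @name
  end

  def output_postamble
    "<!-- rendered for #{@name} -->"     # second sink named in the advisory
  end
end

class VulnerableGreeting < VulnerableBase; include UnsafeGreeting; end
class PatchedGreeting < PatchedBase; include UnsafeGreeting; end

# The advisory's workaround, applied inside the component: escape the
# untrusted value and mark the assembled markup safe. Correct on any version.
class HardenedGreeting < PatchedBase
  include UnsafeGreeting

  def call
    SafeString.new("<h1>Hello, #{ERB::Util.html_escape(@name)}</h1>")
  end

  def output_postamble
    SafeString.new("<!-- rendered for #{ERB::Util.html_escape(@name)} -->")
  end
end

PAYLOAD = "<script>alert(1)</script>".freeze # constructed attacker-controlled input

def render(component_class)
  component_class.new(PAYLOAD).render_in
end

if $PROGRAM_NAME == __FILE__
  puts render(VulnerableGreeting) # script tag reaches the page
  puts render(PatchedGreeting)    # escaped, but so is the <h1>
  puts render(HardenedGreeting)   # markup intact, payload inert
end
```

The middle output is the caveat for this upgrade: bumping the gem stops the injection, but a component that was relying on the old behaviour now renders its own tags as text, so components that build markup in `#call` still need the workaround applied to them even after merging.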