material icon indicating copy to clipboard operation
material copied to clipboard

Published 20 hours ago verified publisher icon appreciated

[Security] Bump vaadin.version from 8.7.0 to 8.13.2

Open dependabot-preview[bot] opened this issue 3 years ago • 0 comments

Bumps vaadin.version from 8.7.0 to 8.13.2. Updates vaadin-server from 8.7.0 to 8.13.2 This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8 Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack

Affected versions: >= 8.0.0, < 8.12.3

Sourced from The GitHub Security Advisory Database.

Stored cross-site scripting in Grid component in Vaadin 7 and 8 Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector.

Affected versions: >= 8.0.0, < 8.8.5

Release notes

Sourced from vaadin-server's releases.

Vaadin Framework 8.13.2 is a maintenance release with the following fixes :

  • fix: don't serve directories as static files (backport flow fixes vaadin/flow#11047)
  • fix: add JavaDoc warning to avoid using ResponseWriter for directories
  • Ensure removing a row does not cause exceptions in detail row handling (Fixes: #12328)
  • Trigger repositioning after full refresh of current details (Fixes: #12310 )

See 8.13.2 milestone for all changes

Vaadin Framework 8.13.1 is a maintenance release with the following fixes :

  • Update Atmosphere
  • include @​font-face definition in mixin so $v-icons variable has effect (Thanks @​qwasli for the contribution)
  • Update Liferay kernel dependency range to [7.0.0,12.0.0)
  • Ensure large tooltips can be closed on touch devices.
  • Add browser specific handling in setRows

See 8.13.1 milestone for all changes

Vaadin Framework 8.13.0 is a feature release contains a number of new features and bug fixes.

Enhancements in 8.13:

  • #12168 Add API to prevent invalid input when integrated range validator is used in DateField
  • #12060 Add getter for presentationProvider in Grid.Column
  • #12183 DateField value now actively adjusts to the set resolution.
  • #12246 Add API to control whether Binder converts back to presentation

Bug fixes in 8.13:

  • #12186 Optimize Grid performance, by re-using ComputedStyles in Escalator when possible.
  • #12260 Fix Window dragging on touch screen.
  • #12231 Fix: Updating Grid's item set when details rows are open.
  • #12138 Fixed LayoutManager size calculations during transform.

Vaadin Framework 8.13.0.beta1 is a pre-release for evaluating a number of new features and bug fixes. The API in this beta version is not considered final and may change based on user feedback.

Enhancements in 8.13:

  • #12186 Optimize Grid performance, by re-using ComputedStyles in Escalator when possible.
  • #12168 Add API to prevent invalid input when integrated range validator is used in DateField
  • #12060 Add getter for presentationProvider in Grid.Column
  • #12138 Fixed LayoutManager size calculations during transform.
  • #12231 Fix: Updating Grid's item set when details rows are open.
  • #12183 DateField value now actively adjusts to the set resolution.

Vaadin Framework 8.13.0.alpha1 is a pre-release for evaluating a number of new features and bug fixes. The API in this beta version is not considered final and may change based on user feedback.

#Enhancements

  • #12186 Optimize Grid performance, by re-using ComputedStyles in Escalator when possible.
  • #12168 Add API to prevent invalid input when integrated range validator is used in DateField
  • #12060 Add getter for presentationProvider in Grid.Column

... (truncated)

Commits

Updates vaadin-client from 8.7.0 to 8.13.2

Release notes

Sourced from vaadin-client's releases.

Vaadin Framework 8.13.2 is a maintenance release with the following fixes :

  • fix: don't serve directories as static files (backport flow fixes vaadin/flow#11047)
  • fix: add JavaDoc warning to avoid using ResponseWriter for directories
  • Ensure removing a row does not cause exceptions in detail row handling (Fixes: #12328)
  • Trigger repositioning after full refresh of current details (Fixes: #12310 )

See 8.13.2 milestone for all changes

Vaadin Framework 8.13.1 is a maintenance release with the following fixes :

  • Update Atmosphere
  • include @​font-face definition in mixin so $v-icons variable has effect (Thanks @​qwasli for the contribution)
  • Update Liferay kernel dependency range to [7.0.0,12.0.0)
  • Ensure large tooltips can be closed on touch devices.
  • Add browser specific handling in setRows

See 8.13.1 milestone for all changes

Vaadin Framework 8.13.0 is a feature release contains a number of new features and bug fixes.

Enhancements in 8.13:

  • #12168 Add API to prevent invalid input when integrated range validator is used in DateField
  • #12060 Add getter for presentationProvider in Grid.Column
  • #12183 DateField value now actively adjusts to the set resolution.
  • #12246 Add API to control whether Binder converts back to presentation

Bug fixes in 8.13:

  • #12186 Optimize Grid performance, by re-using ComputedStyles in Escalator when possible.
  • #12260 Fix Window dragging on touch screen.
  • #12231 Fix: Updating Grid's item set when details rows are open.
  • #12138 Fixed LayoutManager size calculations during transform.

Vaadin Framework 8.13.0.beta1 is a pre-release for evaluating a number of new features and bug fixes. The API in this beta version is not considered final and may change based on user feedback.

Enhancements in 8.13:

  • #12186 Optimize Grid performance, by re-using ComputedStyles in Escalator when possible.
  • #12168 Add API to prevent invalid input when integrated range validator is used in DateField
  • #12060 Add getter for presentationProvider in Grid.Column
  • #12138 Fixed LayoutManager size calculations during transform.
  • #12231 Fix: Updating Grid's item set when details rows are open.
  • #12183 DateField value now actively adjusts to the set resolution.

Vaadin Framework 8.13.0.alpha1 is a pre-release for evaluating a number of new features and bug fixes. The API in this beta version is not considered final and may change based on user feedback.

#Enhancements

  • #12186 Optimize Grid performance, by re-using ComputedStyles in Escalator when possible.
  • #12168 Add API to prevent invalid input when integrated range validator is used in DateField
  • #12060 Add getter for presentationProvider in Grid.Column

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

dependabot-preview[bot] avatar Jul 08 '21 04:07 dependabot-preview[bot]