opendata icon indicating copy to clipboard operation
opendata copied to clipboard
verified publisher icon vrk-kpa

Bump league/commonmark from 2.6.2 to 2.7.0 in /drupal

Open dependabot[bot] opened this issue 11 months ago • 2 comments

Bumps league/commonmark from 2.6.2 to 2.7.0.

Release notes

Sourced from league/commonmark's releases.

2.7.0

This is a security release to address a potential cross-site scripting (XSS) vulnerability when using the AttributesExtension with untrusted user input.

Added

  • Added attributes/allow config option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)

Changed

  • The AttributesExtension blocks all attributes starting with on unless explicitly allowed via the attributes/allow config option
  • The allow_unsafe_links option is now respected by the AttributesExtension when users specify href and src attributes
Changelog

Sourced from league/commonmark's changelog.

[2.7.0]

This is a security release to address a potential cross-site scripting (XSS) vulnerability when using the AttributesExtension with untrusted user input.

Added

  • Added attributes/allow config option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)

Changed

  • The AttributesExtension blocks all attributes starting with on unless explicitly allowed via the attributes/allow config option
  • The allow_unsafe_links option is now respected by the AttributesExtension when users specify href and src attributes
Commits

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page.

Note Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

dependabot[bot] avatar May 06 '25 02:05 dependabot[bot]

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 26.69%. Comparing base (84041d7) to head (b0a2bd6). Report is 18 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #2677   +/-   ##
=======================================
  Coverage   26.69%   26.69%           
=======================================
  Files          42       42           
  Lines        5901     5901           
  Branches       37       37           
=======================================
  Hits         1575     1575           
  Misses       4326     4326
Flag Coverage Δ
cdk 96.59% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

:rocket: New features to boost your workflow:
  • :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • :package: JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

codecov[bot] avatar May 06 '25 02:05 codecov[bot]

opendata    Run #5489

Run Properties:  status check passed Passed #5489  •  git commit c55b0515ac ℹ️: Merge b0a2bd6af6e3ab07e699599c744e6702b9c170fa into 5bdf8f78c15699f29fa3ae876289...
Project opendata
Branch Review dependabot/composer/drupal/league/commonmark-2.7.0
Run status status check passed Passed #5489
Run duration 03m 55s
Commit git commit c55b0515ac ℹ️: Merge b0a2bd6af6e3ab07e699599c744e6702b9c170fa into 5bdf8f78c15699f29fa3ae876289...
Committer dependabot[bot]
View all properties for this run ↗︎
Test results
Tests that failed  Failures 0
Tests that were flaky  Flaky 0
Tests that did not run due to a developer annotating a test with .skip  Pending 2
Tests that did not run due to a failure in a mocha hook  Skipped 0
Tests that passed  Passing 83
View all changes introduced in this branch ↗︎

cypress[bot] avatar May 06 '25 02:05 cypress[bot]