Bump activesupport from 7.0.4 to 7.0.4.3
Closed
Number: #978
Type: Pull Request
State: Closed
Type: Pull Request
State: Closed
Author:
dependabot[bot]
Association: Contributor
Comments: 1
Association: Contributor
Comments: 1
Created:
March 15, 2023 at 11:59 PM UTC
(over 3 years ago)
(over 3 years ago)
Updated:
May 21, 2025 at 03:19 PM UTC
(about 1 year ago)
(about 1 year ago)
Closed:
May 21, 2025 at 03:19 PM UTC
(about 1 year ago)
(about 1 year ago)
Time to Close:
about 2 years
Labels:
dependencies ruby
dependencies ruby
Description:
Bumps activesupport from 7.0.4 to 7.0.4.3.
Release notes
Sourced from activesupport's releases.
v7.0.4.3
Active Support
Implement SafeBuffer#bytesplice
[CVE-2023-28120]
Active Model
- No changes.
Active Record
- No changes.
Action View
Ignore certain data-* attributes in rails-ujs when element is contenteditable
[CVE-2023-23913]
Action Pack
- No changes.
Active Job
- No changes.
Action Mailer
- No changes.
Action Cable
... (truncated)
Changelog
Sourced from activesupport's changelog.
Rails 7.0.4.3 (March 13, 2023)
Implement SafeBuffer#bytesplice
[CVE-2023-28120]
Rails 7.0.4.2 (January 24, 2023)
- No changes.
Rails 7.0.4.1 (January 17, 2023)
Avoid regex backtracking in Inflector.underscore
[CVE-2023-22796]
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
Pull Request Statistics
Commits:
0
0
Files Changed:
0
0
Additions:
+0
+0
Deletions:
-0
-0
Package Dependencies
Security Advisories
ReDoS based DoS vulnerability in Active Support's underscore
GHSA-j6gc-792m-qgm2
CVE-2023-22796
LOW
There is a possible regular expression based DoS vulnerability in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-22796.
Versions Affected: All Not affected: None ...
rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements
GHSA-xp5h-f8jf-rc8q
CVE-2023-23913
MODERATE
NOTE: rails-ujs is part of Rails/actionview since 5.1.0.
There is a potential DOM based cross-site scripting issue in rails-ujs
which leverages the Clipboard API to target HTML elements that are
a...
Possible XSS Security Vulnerability in SafeBuffer#bytesplice
GHSA-pj73-v5mw-pm9j
CVE-2023-28120
MODERATE
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.
...
Technical Details
| ID: | 561759 |
| UUID: | 1626447468 |
| Node ID: | PR_kwDOAOoZ-c5MJ8Vm |
| Host: | GitHub |
| Repository: | github/training-kit |