🚨 [security] [ruby] Update action_text-trix 2.1.15 → 2.1.16 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ action_text-trix (indirect, 2.1.15 → 2.1.16) · Repo · Changelog

Security Advisories 🚨

🚨 Trix has a stored XSS vulnerability through its attachment attribute

Impact

The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads.

An attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.16 or later.

Resources

The XSS vulnerability was reported by HackerOne researcher michaelcheers.

Release Notes

2.1.16

Security

• Attachment href attributes are now validated using DOMPurify.isValidAttribute() before rendering as anchor tags. @flavorjones

Added

• New .editorElements and .editorElement properties have been added to <trix-toolbar> elements for accessing associated <trix-editor> elements. @seanpdoyle #1127
• <trix-editor> elements can now function without an associated <input type="hidden"> element when using ElementInternals. This is configured by setting willCreateInput = false in the before-trix-initialize event and using the [name] attribute for form submissions. @seanpdoyle #1128
• Alt text can now be set on attachment preview images via attachment.setAttributes({ alt: "..." }) in trix-attachment-add event handlers. @seanpdoyle #1198
• Attachment preview URLs can be customized using the new setPreviewURL() and getPreviewURL() methods on ManagedAttachment, accessible from event handlers. @seanpdoyle #1210
• A new trix-before-render event is dispatched before rendering, with a customizable render property for advanced use cases like morph-style rendering integration. @seanpdoyle #1252
• When no associated <input> element is present, HTML content within <trix-editor> tags is now safely sanitized and loaded as the initial editor value. @seanpdoyle #1253

New Contributors

• @flavorjones made their first contribution in #1234
• @MatheusRich made their first contribution in #1162

Full Changelog: v2.1.15...v2.1.16

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 51 commits:

• v2.1.16
• Fix XSS vulnerability in attachment href rendering
• Make "yarn version" commit changes to the ruby gem, too
• Merge pull request #1271 from basecamp/flavorjones/ci-sauce-labs
• ci: stabilize Sauce Labs with SC5 tunnel
• Merge pull request #1270 from basecamp/flavorjones/fix-minitest-errors
• action_text-trix: pin minitest to < 6
• yarn build
• Merge pull request #1269 from basecamp/flavorjones/revert-mousedown-click-change
• Revert "Toolbar Button: Handle `click` instead of `mousedown`"
• Merge pull request #1265 from basecamp/rails-8-1-ci-matrix
• Add `8-1-stable` branch to CI matrix
• Merge pull request #1263 from seanpdoyle/fix-action_text-trix-assets
• Fix stale `app/assets/javascripts/trix.js` file
• Merge pull request #1262 from basecamp/flavorjones/fix-ci
• ci: Make sure continue-on-error is always valid
• ci: Try to fix the apt-install errors
• Merge pull request #1258 from seanpdoyle/rails-engine-test-coverage
• `action_text-trix`: Add test coverage for Engine
• Merge pull request #1210 from seanpdoyle/issue-1154
• Merge pull request #1198 from seanpdoyle/attachment-preview-alt
• Merge pull request #1127 from seanpdoyle/trix-toolbar-editorElement-property
• Merge pull request #1201 from seanpdoyle/toolbar-button-click
• Merge pull request #1260 from basecamp/document-trix-attachment-edit
• Document `trix-attachment-edit` in `README.md`
• Merge pull request #1162 from MatheusRich/patch-1
• Merge branch 'main' into patch-1
• Support setting `img[alt]` on `ManagedAttachment`
• Toolbar Button: Handle `click` instead of `mousedown`
• Customize Attachment Preview URL
• Define `TrixToolbarElement.editorElements` property
• Merge pull request #1253 from basecamp/editor-preload-content
• Merge pull request #1256 from basecamp/action_text-trix
• Build `action_text-trix` assets with existing tools
• Read initial editor value from HTML content
• Merge pull request #1257 from seanpdoyle/package-json-node-version
• Merge pull request #1255 from seanpdoyle/fix-ci
• Update `.node-version` and `engine` property in `package.json`
• Pass CI
• Merge pull request #1128 from seanpdoyle/element-internals
• Merge pull request #1252 from seanpdoyle/editor-render
• Dispatch `trix-before-render` event
• `ElementInternals`: Support without `<input>` element
• Merge pull request #1235 from basecamp/flavorjones/rails-integration-tests
• ci: integration test with Action Text
• ci: improve the pipeline
• Enable "mfa required" for the ruby gem
• Fix the name of the rake task used to release ruby.
• Merge pull request #1234 from basecamp/flavorjones/package-in-ruby-gem
• Update build and release tasks to include the Ruby gem
• Create a ruby gem package

↗️ i18n (indirect, 1.14.7 → 1.14.8) · Repo · Changelog

Release Notes

1.14.8

Full Changelog: v1.14.7...v1.14.8

What's Changed

• Remove unused cgi require for Ruby 3.5 compatibility by @Earlopain in #713
• Explicitly require pathname by @voxik in #708
• CI: Add Ruby 3.4 to CI Matrix by @taketo1113 in #722
• Fix: I18n.locale reset in Fiber context by using Thread#thread_variable by @lee266 in #724
• CI: Use actions/checkout@v5 by @olleolleolle in #721
• Fix compatibility with --enable-frozen-string-literal by @byroot in #726

New Contributors

• @Earlopain made their first contribution in #713
• @taketo1113 made their first contribution in #722
• @lee266 made their first contribution in #724
• @byroot made their first contribution in #726

Full Changelog: v1.14.7...v1.14.8

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

• Bump to 1.14.9
• Merge pull request #726 from byroot/fstr-compat
• Merge branch 'master' into fstr-compat
• Remove testing for EOL Rubies 3.1 + 3.0
• Merge remote-tracking branch 'olleolleolle/patch-1'
• Merge pull request #724 from lee266/fix/i18n-locale-thread-variable
• Fix compatibility with `--enable-frozen-string-literal`
• Merge pull request #722 from taketo1113/ci-ruby-3.4
• CI: Fix rails version specification in gemfiles to run with the specified minor version
• CI: Add ruby 3.4 to CI Matrix
• fix: I18n.locale reset in Fiber context by using Thread#thread_variable_{get,set}
• Delete gemfiles/Gemfile.rails-6.1.x
• Delete gemfiles/Gemfile.rails-6.0.x
• CI: Omit the 6.x versions of Rails
• CI: Use actions/checkout@v5
• Merge pull request #708 from voxik/add-require-pathname
• Merge pull request #713 from Earlopain/cgi-ruby-3.5
• Remove unused `cgi` require

↗️ minitest (indirect, 6.0.0 → 6.0.1) · Repo · Changelog

Release Notes

6.0.1 (from changelog)

• 1 minor enhancement:

  • Added new rake task ‘test:fu` to Minitest::TestTask, to only run tests with FU (focused units?) in their name. This should mostly obviate the need for the minitest-focus plugin.

• 5 bug fixes:

  • Fixed –help and –version exiting 1. (grosser)

  • Fixed method signature of Minitest::Benchmark.run. (flavorjones)

  • Flush stdout/stderr before exit./bin/minitest -Ilib ./bug1046.rb:1 < /dev/null (grosser)

  • Improved usage banner output by reordering and reformatting.

  • Normalize paths while processing file.rb:line args.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

• prepped for release
• - Fixed method signature of Minitest::Benchmark.run. (flavorjones)
• - Flush stdout/stderr before exit./bin/minitest -Ilib ./bug1046.rb:1 < /dev/null (grosser)
• - Normalize paths while processing file.rb:line args.
• - Fixed --help and --version exiting 1. (grosser)
• - Improved usage banner output by reordering and reformatting.
• + Added new rake task `test:fu` to Minitest::TestTask, to only run tests with FU in name.
• Fix format of History.rdoc. (y-yagi)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[coveralls]

Pull Request Test Coverage Report for Build 20629437188

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 99.347%

---

Totals
Change from base Build 20598723645:	0.0%
Covered Lines:	761
Relevant Lines:	766

---

💛 - Coveralls