Skip to content
This repository has been archived by the owner on Jun 30, 2023. It is now read-only.

Bump jason from 1.1.2 to 1.2.1 #39

Closed
wants to merge 1 commit into from

Conversation

dependabot-preview[bot]
Copy link
Contributor

Bumps jason from 1.1.2 to 1.2.1.

Changelog

Sourced from jason's changelog.

1.2.1 (04.05.2020)

Security

  • Fix html_safe escaping in Jason.encode

The <!-- sequence of characters would not be escaped in Jason.encode withhtml_escape mode, which could lead to DoS attacks when used for embedding of arbitrary, user controlled strings into HTML through JSON (e.g. inside of <script> tags).

If you were not using the html_safe option, you are not affected.

Affected versions: < 1.2.1 Patched versions: >= 1.2.1

1.2.0 (17.03.2020)

Enhancements

  • Add Jason.Encode.keyword/2 (cb1f26a).

Bug fixes

  • Fix Jason.Helpers.json_map/1 value expansion (70b046a).
Commits
  • c12a20f Bump version
  • c998492 Run CI on OTP 22/Elixir 1.10
  • bdbd96d Fix reference string decoding test
  • 188e66b html_safe option protects against comment injection
  • 91a4eaf Delete unused Jason.Codegen.jump_table_case/4 (#108)
  • c326c91 Bump version
  • 4db5910 Update deps
  • fb1bfe2 Update changelog
  • 70b046a Do not delay execution nor bind over values in json_map, closes #94 (#95)
  • 97893dd Use full name and short identifier from SPDX License List (#96)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview dependabot-preview bot added the dependencies Pull requests that update a dependency file label May 5, 2020
@coveralls
Copy link

Coverage Status

Coverage remained the same at 49.455% when pulling cdfb281 on dependabot/hex/jason-1.2.1 into 0c40439 on master.

@dependabot-preview
Copy link
Contributor Author

Superseded by #45.

@dependabot-preview dependabot-preview bot deleted the dependabot/hex/jason-1.2.1 branch September 9, 2020 04:26
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant