
4.0.0 #196

Open
wants to merge 121 commits into base: main
Conversation

mgrsskls
Member

No description provided.

@mgrsskls mgrsskls force-pushed the 4.0.0 branch 2 times, most recently from 0e9761d to ed4ca0a Compare July 19, 2022 18:50
tokenize: function (e, n) {
var t = n.rest;
if (t) {
for (var r in t) n[r] = t[r];

Check warning

Code scanning / CodeQL

Prototype-polluting assignment Medium

This assignment may alter Object.prototype if a malicious '__proto__' string is injected from user controlled input.

Copilot Autofix AI 7 days ago

To fix the problem, we need to ensure that properties like __proto__, constructor, and prototype are not used as keys when assigning properties from n.rest to n. This can be achieved by explicitly checking for these properties and skipping them during the assignment.

  • Modify the code to include a check that skips over dangerous properties.
  • This change should be made in the tokenize function where the assignment occurs.
  • No new methods or imports are needed; the fix involves adding a conditional check within the existing loop.
Suggested changeset 1
frontend/assets/js/_prism.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/frontend/assets/js/_prism.js b/frontend/assets/js/_prism.js
--- a/frontend/assets/js/_prism.js
+++ b/frontend/assets/js/_prism.js
@@ -214,3 +214,7 @@
 					if (t) {
-						for (var r in t) n[r] = t[r];
+						for (var r in t) {
+						    if (r !== '__proto__' && r !== 'constructor' && r !== 'prototype') {
+						        n[r] = t[r];
+						    }
+						}
 						delete n.rest;
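Review bot: the guard on the added lines filters by key name only, but `for (var r in t)` also visits enumerable keys inherited through `t`'s prototype chain, so the name check should be paired with an own-property test, e.g. `if (Object.prototype.hasOwnProperty.call(t, r) && r !== '__proto__' && r !== 'constructor' && r !== 'prototype')`. The added lines also indent with tabs followed by spaces while the surrounding context lines use tabs only; match the file's indentation so the patch does not introduce mixed whitespace.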
EOF
var t = n.rest;
if (t) {
for (var r in t) n[r] = t[r];
delete n.rest;

Check warning

Code scanning / CodeQL

Prototype-polluting assignment Medium

This assignment may alter Object.prototype if a malicious '__proto__' string is injected from user controlled input.

Copilot Autofix AI 7 days ago

To fix the problem, we need to ensure that the assignment of properties from n.rest to n does not include any properties that can lead to prototype pollution, such as __proto__, constructor, or prototype. We can achieve this by explicitly checking for these properties before performing the assignment.

  • In general terms, we need to filter out any properties that can lead to prototype pollution before assigning them to the target object.
  • Specifically, we will modify the code to check each property in n.rest and only assign it to n if it is not one of the dangerous properties.
  • The changes will be made in the frontend/assets/js/_prism.js file, around line 215 where the assignment occurs.
  • No additional methods or imports are needed to implement this change.
Suggested changeset 1
frontend/assets/js/_prism.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/frontend/assets/js/_prism.js b/frontend/assets/js/_prism.js
--- a/frontend/assets/js/_prism.js
+++ b/frontend/assets/js/_prism.js
@@ -214,3 +214,7 @@
 					if (t) {
-						for (var r in t) n[r] = t[r];
+						for (var r in t) {
+							if (r !== '__proto__' && r !== 'constructor' && r !== 'prototype') {
+								n[r] = t[r];
+							}
+						}
 						delete n.rest;
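Review bot: this changeset edits the same lines (`@@ -214,3 +214,7 @@` of `frontend/assets/js/_prism.js`) as the first suggested changeset above with an identical condition, so only one of the two should be applied; the second `git apply` will fail on the already-modified context. Of the two, prefer this one, since it keeps the file's tab-only indentation. Because `_prism.js` appears to be a vendored copy of Prism (minified identifiers, underscore-prefixed asset name), record the local patch alongside the file or move to an upstream version that carries the fix, so the change is not silently dropped on the next refresh of the asset.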
EOF
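A worked version of the merge that both Copilot comments above describe, as an added example that is neither miyagi's nor Prism's code: the flagged loop beside the hardened one, run on a constructed `rest` object that carries an own `"__proto__"` key, as `JSON.parse` produces from untrusted input. It goes slightly beyond the suggested patch by also skipping inherited keys and defining properties directly; the names `mergeRestUnsafe`, `mergeRestSafe`, `buildToken`, `demoUnsafe` and `demoSafe` are assumptions for this demo.

```javascript
// Added example (not miyagi or Prism code): mirrors the flagged loop
// `for (var r in t) n[r] = t[r]` and the guard the autofix adds. Inputs are constructed.

// Mirrors the flagged code: copies every enumerable key of n.rest onto n.
function mergeRestUnsafe(n) {
  var t = n.rest;
  if (t) {
    for (var r in t) n[r] = t[r];
    delete n.rest;
  }
  return n;
}

// Keys that reach the prototype chain instead of setting a plain property.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened form: skip those keys and inherited keys, and define the property
// directly so no inherited setter (such as __proto__) is invoked.
function mergeRestSafe(n) {
  var t = n.rest;
  if (t) {
    for (var r in t) {
      if (DANGEROUS_KEYS.has(r)) continue;
      if (!Object.prototype.hasOwnProperty.call(t, r)) continue;
      Object.defineProperty(n, r, {
        value: t[r], writable: true, enumerable: true, configurable: true,
      });
    }
    delete n.rest;
  }
  return n;
}

// JSON.parse creates an *own* enumerable "__proto__" key, exactly what
// for...in visits. Constructed token whose rest carries such a key:
function buildToken() {
  return { type: 'keyword', rest: JSON.parse('{"__proto__":{"injected":true},"alias":"kw"}') };
}

// Unsafe merge: n's prototype is swapped for the injected object.
function demoUnsafe() {
  const n = mergeRestUnsafe(buildToken());
  return { injected: n.injected, isPlain: Object.getPrototypeOf(n) === Object.prototype };
}

// Safe merge: only `alias` is copied and the prototype is untouched.
function demoSafe() {
  const n = mergeRestSafe(buildToken());
  return { injected: n.injected, isPlain: Object.getPrototypeOf(n) === Object.prototype, alias: n.alias };
}
```

Note that the unsafe merge only replaces the prototype of the one token object; reaching `Object.prototype` itself needs a second level of assignment, which is why the name filter plus an own-property check is the right place to stop it.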
mgrsskls and others added 9 commits July 22, 2024 21:14
Bumps [eslint-plugin-jsdoc](https://github.com/gajus/eslint-plugin-jsdoc) from 48.5.2 to 48.8.3.
- [Release notes](https://github.com/gajus/eslint-plugin-jsdoc/releases)
- [Changelog](https://github.com/gajus/eslint-plugin-jsdoc/blob/main/.releaserc)
- [Commits](gajus/eslint-plugin-jsdoc@v48.5.2...v48.8.3)

---
updated-dependencies:
- dependency-name: eslint-plugin-jsdoc
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [ajv](https://github.com/ajv-validator/ajv) from 8.16.0 to 8.17.1.
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v8.16.0...v8.17.1)

---
updated-dependencies:
- dependency-name: ajv
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [rollup](https://github.com/rollup/rollup) from 4.18.1 to 4.19.0.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.18.1...v4.19.0)

---
updated-dependencies:
- dependency-name: rollup
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [eslint](https://github.com/eslint/eslint) from 9.6.0 to 9.7.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](eslint/eslint@v9.6.0...v9.7.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) from 2.0.3 to 2.0.4.
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v2.0.4/packages/coverage-v8)

---
updated-dependencies:
- dependency-name: "@vitest/coverage-v8"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
dependabot bot and others added 14 commits July 30, 2024 07:04
Bumps [jsdoc-to-markdown](https://github.com/jsdoc2md/jsdoc-to-markdown) from 8.0.1 to 8.0.3.
- [Release notes](https://github.com/jsdoc2md/jsdoc-to-markdown/releases)
- [Commits](jsdoc2md/jsdoc-to-markdown@v8.0.1...v8.0.3)

---
updated-dependencies:
- dependency-name: jsdoc-to-markdown
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [marked](https://github.com/markedjs/marked) from 13.0.2 to 13.0.3.
- [Release notes](https://github.com/markedjs/marked/releases)
- [Changelog](https://github.com/markedjs/marked/blob/master/.releaserc.json)
- [Commits](markedjs/marked@v13.0.2...v13.0.3)

---
updated-dependencies:
- dependency-name: marked
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [postcss](https://github.com/postcss/postcss) from 8.4.39 to 8.4.40.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.4.39...8.4.40)

---
updated-dependencies:
- dependency-name: postcss
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [eslint](https://github.com/eslint/eslint) from 9.7.0 to 9.8.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](eslint/eslint@v9.7.0...v9.8.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [rollup](https://github.com/rollup/rollup) from 4.19.0 to 4.19.1.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.19.0...v4.19.1)

---
updated-dependencies:
- dependency-name: rollup
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Users now have to pass their own render method to miyagi. Internally we will now also make sure that when the user uses Twing, we will not use the same instance anymore to avoid possible conflicts. In addition, the user can now define config.namespaces as these are not bound to the engine anymore
@schalkneethling

@mgrsskls Exciting to see a full major bump on the horizon :) What is the tl;dr of the release?

@mgrsskls
Member Author

mgrsskls commented Nov 4, 2024

@schalkneethling

I noticed the v4 project here was private. I made it public: https://github.com/orgs/miyagi-dev/projects/2/views/2 This should give you a good overview :)
