4.0.0 #196
Convert to ES modules
```js
// Excerpt around line 215 of frontend/assets/js/_prism.js that CodeQL flagged:
// every key of n.rest is copied onto n without filtering the key name.
tokenize: function (e, n) {
  var t = n.rest;
  if (t) {
    for (var r in t) n[r] = t[r];
```
Check warning (Code scanning / CodeQL): Prototype-polluting assignment, Medium. User controlled input.

Copilot Autofix AI, 7 days ago:
To fix the problem, we need to ensure that properties like `__proto__`, `constructor`, and `prototype` are not used as keys when assigning properties from `n.rest` to `n`. This can be achieved by explicitly checking for these properties and skipping them during the assignment.
- Modify the code to include a check that skips over dangerous properties.
- This change should be made in the `tokenize` function where the assignment occurs.
- No new methods or imports are needed; the fix involves adding a conditional check within the existing loop.
@@ -214,3 +214,7 @@ | ||
if (t) { | ||
for (var r in t) n[r] = t[r]; | ||
for (var r in t) { | ||
if (r !== '__proto__' && r !== 'constructor' && r !== 'prototype') { | ||
n[r] = t[r]; | ||
} | ||
} | ||
delete n.rest; |
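Review bot: the `if (r !== '__proto__' && ...)` guard in the new loop stops the three named keys, but `for (var r in t)` still walks the prototype chain of `t`, so any enumerable property inherited by `n.rest` is copied onto `n` as well; iterate `Object.keys(t)` instead, or add `Object.prototype.hasOwnProperty.call(t, r)` to the condition, so that only own keys of `rest` are copied. It is also worth recording in the PR where `n.rest` can actually originate: the alert is labelled "user controlled input", and if `rest` only ever comes from the bundled grammar definitions the filter is cheap insurance rather than a fix for a reachable bug, which changes whether the alert should be resolved by this hunk or dismissed with a justification.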
```js
// Same excerpt, as shown for the second CodeQL alert on the same lines.
var t = n.rest;
if (t) {
  for (var r in t) n[r] = t[r];
  delete n.rest;
```
Check warning (Code scanning / CodeQL): Prototype-polluting assignment, Medium. User controlled input.

Copilot Autofix AI, 7 days ago:
To fix the problem, we need to ensure that the assignment of properties from `n.rest` to `n` does not include any properties that can lead to prototype pollution, such as `__proto__`, `constructor`, or `prototype`. We can achieve this by explicitly checking for these properties before performing the assignment.
- In general terms, we need to filter out any properties that can lead to prototype pollution before assigning them to the target object.
- Specifically, we will modify the code to check each property in `n.rest` and only assign it to `n` if it is not one of the dangerous properties.
- The changes will be made in the `frontend/assets/js/_prism.js` file, around line 215 where the assignment occurs.
- No additional methods or imports are needed to implement this change.
@@ -214,3 +214,7 @@ | ||
if (t) { | ||
for (var r in t) n[r] = t[r]; | ||
for (var r in t) { | ||
if (r !== '__proto__' && r !== 'constructor' && r !== 'prototype') { | ||
n[r] = t[r]; | ||
} | ||
} | ||
delete n.rest; |
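Review bot: this is the same five-line hunk as the first autofix suggestion, so only one of the two needs to be applied, and the alert count should drop to zero once it is. Whichever is taken, the edit lands in `frontend/assets/js/_prism.js`, which from the `tokenize` / `rest` shape of the code looks like a vendored copy of a third-party highlighter rather than project code; a hand edit there is silently lost the next time the file is refreshed from upstream. Keep the local patch next to the file (or apply it in a build step) and reference the CodeQL alert in the commit message so the change stays traceable.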
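An added example, not code from this repository or from the highlighter it vendors, showing what the unfiltered `for..in` copy flagged by CodeQL above does when `rest` carries a hostile key, and what the autofix's denylist does instead (with an own-key guard added on top). The function names, the `DANGEROUS_KEYS` set and the `HOSTILE_REST` input are constructed for this example only.

```javascript
// Added example (not code from the miyagi repository or from Prism).
// It reproduces the shallow "copy n.rest onto n" pattern flagged above and
// contrasts it with the filtered copy the autofix proposes. All inputs are
// constructed for the example.

// Vulnerable shape: the unfiltered for..in copy from the flagged snippet.
function copyRestUnfiltered(target, rest) {
  for (var r in rest) target[r] = rest[r];
  return target;
}

// Hardened shape: skip the three keys the autofix names, and copy only
// own enumerable keys so nothing inherited by `rest` is copied either.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function copyRestFiltered(target, rest) {
  for (const r of Object.keys(rest)) {
    if (DANGEROUS_KEYS.has(r)) continue;
    target[r] = rest[r];
  }
  return target;
}

// Constructed hostile input. JSON.parse creates an *own* property literally
// named "__proto__" (an object literal would set the prototype instead),
// which is exactly the shape that reaches a for..in loop from parsed input.
const HOSTILE_REST = JSON.parse(
  '{"comment": {"pattern": "x"}, "__proto__": {"injected": true}}'
);

// Summarise what a copy did to `target`, for review and for the assertions.
function inspectTarget(target) {
  return {
    // Did the assignment through the "__proto__" key swap target's prototype?
    prototypeReplaced: Object.getPrototypeOf(target) !== Object.prototype,
    // Does target now quietly inherit an attacker-chosen property?
    inheritedInjected: target.injected === true,
    ownInjected: Object.prototype.hasOwnProperty.call(target, 'injected'),
    // The legitimate key must survive either way.
    hasComment: Object.prototype.hasOwnProperty.call(target, 'comment'),
    // A shallow copy never reaches Object.prototype itself.
    globalPolluted: ({}).injected === true,
  };
}

function runUnfiltered() {
  return inspectTarget(copyRestUnfiltered({}, HOSTILE_REST));
}

function runFiltered() {
  return inspectTarget(copyRestFiltered({}, HOSTILE_REST));
}

console.log('unfiltered:', runUnfiltered());
console.log('filtered:  ', runFiltered());
```

For this shallow pattern the damage is confined to `n` itself: the assignment through the `"__proto__"` key invokes the inherited accessor and swaps `n`'s prototype, so `n` starts inheriting whatever the input supplied and can shadow methods that later code calls on it, while `Object.prototype` is untouched. The global case CodeQL's query is named for arises when the same copy is applied recursively (a deep merge), which is why the denylist and the own-key guard are both worth keeping even where only a shallow copy is visible.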
Bumps [eslint-plugin-jsdoc](https://github.com/gajus/eslint-plugin-jsdoc) from 48.5.2 to 48.8.3.
- [Release notes](https://github.com/gajus/eslint-plugin-jsdoc/releases)
- [Changelog](https://github.com/gajus/eslint-plugin-jsdoc/blob/main/.releaserc)
- [Commits](gajus/eslint-plugin-jsdoc@v48.5.2...v48.8.3)

---
updated-dependencies:
- dependency-name: eslint-plugin-jsdoc
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [ajv](https://github.com/ajv-validator/ajv) from 8.16.0 to 8.17.1.
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v8.16.0...v8.17.1)

---
updated-dependencies:
- dependency-name: ajv
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [rollup](https://github.com/rollup/rollup) from 4.18.1 to 4.19.0.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.18.1...v4.19.0)

---
updated-dependencies:
- dependency-name: rollup
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [eslint](https://github.com/eslint/eslint) from 9.6.0 to 9.7.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](eslint/eslint@v9.6.0...v9.7.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) from 2.0.3 to 2.0.4.
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v2.0.4/packages/coverage-v8)

---
updated-dependencies:
- dependency-name: "@vitest/coverage-v8"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [jsdoc-to-markdown](https://github.com/jsdoc2md/jsdoc-to-markdown) from 8.0.1 to 8.0.3.
- [Release notes](https://github.com/jsdoc2md/jsdoc-to-markdown/releases)
- [Commits](jsdoc2md/jsdoc-to-markdown@v8.0.1...v8.0.3)

---
updated-dependencies:
- dependency-name: jsdoc-to-markdown
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [marked](https://github.com/markedjs/marked) from 13.0.2 to 13.0.3.
- [Release notes](https://github.com/markedjs/marked/releases)
- [Changelog](https://github.com/markedjs/marked/blob/master/.releaserc.json)
- [Commits](markedjs/marked@v13.0.2...v13.0.3)

---
updated-dependencies:
- dependency-name: marked
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [postcss](https://github.com/postcss/postcss) from 8.4.39 to 8.4.40.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.4.39...8.4.40)

---
updated-dependencies:
- dependency-name: postcss
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [eslint](https://github.com/eslint/eslint) from 9.7.0 to 9.8.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](eslint/eslint@v9.7.0...v9.8.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [rollup](https://github.com/rollup/rollup) from 4.19.0 to 4.19.1.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.19.0...v4.19.1)

---
updated-dependencies:
- dependency-name: rollup
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Users now have to pass their own render method to miyagi. Internally, we will now also make sure that when the user uses Twing, we will not use the same instance anymore, to avoid possible conflicts. In addition, the user can now define config.namespaces, as these are not bound to the engine anymore.

@mgrsskls Exciting to see a full major bump on the horizon :) What is the tl;dr of the release?

I noticed the v4 project here was private. I made it public: https://github.com/orgs/miyagi-dev/projects/2/views/2 This should give you a good overview :)
No description provided.