Merge pull request #379 from matestack/dependabot/npm_and_yarn/yarn-1.22.0

pascalwengerter · web-flow · commit 954245200a8b · 2020-02-17T16:37:30.000+01:00
Bump yarn from 1.19.1 to 1.22.0
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,37 +6,103 @@
 
 [Solved Issues](https://github.com/basemate/matestack-ui-core/issues?q=is%3Aissue+is%3Aclosed+milestone%3A0.7.4)
 
+### Security Fixes
+
+XSS/Script injection vulnerablilty fixed in 0.7.4
+
+* matestack-ui-core was vulnerable to XSS/Script injection 
+* matestack-ui-core did not excape strings by default and did not cover this in the docs
+* matestack-ui-core should have escaped strings by default in order to prevent XSS/Script injection vulnerability
+* 0.7.4 fixes that by performing string escaping by default now
+* a new component `unescaped` (like `plain` before) allows to render unsecaped strings, but forces the developer to explicitly make a concious decision about that
+
+```ruby
+class Pages::MyApp::MyExamplePage < Matestack::Ui::Page
+
+  class FakeUser < Struct.new(:name)
+  end
+
+  def prepare
+    @user = FakeUser.new("<script>alert('such hack many wow')</script>")
+  end
+
+  def response
+    components {
+      div do
+        heading size: 1, text: "Hello #{@user.name}" # was not escaped , from 0.7.4 on it's escaped
+        plain "Hello #{@user.name}" # was not escaped, from 0.7.4 on it's escaped
+        unescaped "Hello #{@user.name}" # is not escaped, as intended
+      end
+    }
+  end
+end
+
+```
+
+Affected Versions
+
+<= 0.7.3
+
+Patched Versions
+
+>= 0.7.4 --> please update!
+
+Workarounds
+
+escape string explicitly/manually
+
+reported by @PragTob
+
 ### Improvements
 
 * On form submit, matestack form values are reset to previous values by fiedl
+
 --> The form component now does not reset itself when using `put`
+
 --> The reset behavior can now be configured (described in `form` component docs)
 
 * Dockerized core dev and test environment by jonasjabari
+
 --> easy local dev and test setup, cross-platform default for dev and testing
+
 --> CI is configured to run tests via dockerized test suite; same as local testing and good base for matrix testing (upcoming)
+
 --> Usage described in contribution docs
 
 * Add `follow_response` option to action component by fiedl
+
 --> same behavior enhancement as added to the `form` component in 0.7.3
+
 --> server may now decide where the transition should navigate to
+
 --> described in `action` component docs
 
 * Add confirm option to action component by fiedl
+
 --> easily add confirmation before performing an action
+
 --> prevent unintended delete action for example
+
 --> described in `action` component docs
 
 * New webpacker features by fiedl
+
   * make webpacker create es5 code instead of es6 code
+  
   * Switch to Vue Production Mode if RAILS_ENV=staging or production
+  
   * Establish webpack(er) and asset-pipeline workflows
 
 --> webpacker now builds assets for asset pipline usage AND webpacker usage (both usage approaches are described in the installation docs)
+
 --> webpacker now builds minified versions of matestack-ui-core.js (great improvement in file size!)
+
 --> webpacker now builds es5 code, which is compatible with IE11
+
 --> when used via asset pipeline, the minified version of matestack-ui-core together with the production build of vue.js is automatically required
---> when used via webpacker, matestack-ui-core can be used within a modern javascript workflow, importing and extending single matestack module for example
+
+--> when used via webpacker, matestack-ui-core can be used within a modern javascript workflow, importing and extending 
+single matestack module for example
 
 * New components
   * Add HTML `<picture>` tag to core components by pascalwengerter
diff --git a/package.json b/package.json
@@ -9,7 +9,7 @@
     "v-runtime-template": "^1.5.2",
     "vue": "^2.5.17",
     "vuex": "^3.0.1",
-    "yarn": "^1.17.3"
+    "yarn": "^1.22.0"
   },
   "exports": {
     "./concepts/": "./app/concepts/matestack/ui/core/"
diff --git a/yarn.lock b/yarn.lock
@@ -101,7 +101,7 @@ vuex@^3.0.1:
   resolved "https://registry.yarnpkg.com/vuex/-/vuex-3.1.1.tgz#0c264bfe30cdbccf96ab9db3177d211828a5910e"
   integrity sha512-ER5moSbLZuNSMBFnEBVGhQ1uCBNJslH9W/Dw2W7GZN23UQA69uapP5GTT9Vm8Trc0PzBSVt6LzF3hGjmv41xcg==
 
-yarn@^1.17.3:
-  version "1.19.1"
-  resolved "https://registry.yarnpkg.com/yarn/-/yarn-1.19.1.tgz#14b92410dd1ba5bab87a12b4a3d807f4569bea97"
-  integrity sha512-gBnfbL9rYY05Gt0cjJhs/siqQXHYlZalTjK3nXn2QO20xbkIFPob+LlH44ML47GcR4VU9/2dYck1BWFM0Javxw==
+yarn@^1.22.0:
+  version "1.22.0"
+  resolved "https://registry.yarnpkg.com/yarn/-/yarn-1.22.0.tgz#acf82906e36bcccd1ccab1cfb73b87509667c881"
+  integrity sha512-KMHP/Jq53jZKTY9iTUt3dIVl/be6UPs2INo96+BnZHLKxYNTfwMmlgHTaMWyGZoO74RI4AIFvnWhYrXq2USJkg==
