New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency jsoneditor to v9 [SECURITY] #295

Open

renovate wants to merge 1 commit into master from renovate/npm-jsoneditor-vulnerability

Contributor

renovate bot commented Oct 18, 2021 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jsoneditor (source)	`7.2.1` -> `9.5.6`

GitHub Vulnerability Alerts

CVE-2021-3822

JSON Editor is a web-based tool to view, edit, format, and validate JSON. It has various modes such as a tree editor, a code editor, and a plain text editor. The jsoneditor package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide a crafted element as input to the getInnerText function may cause an application to consume an excessive amount of CPU. Below pinned line using vulnerable regex.

CVE-2020-23849

Stored XSS was discovered in the tree mode of jsoneditor before 9.0.2 through injecting and executing JavaScript.

Release Notes

josdejong/jsoneditor

`v9.5.6`

Fix inefficient regex to replace return characters.

`v9.5.5`

Fix setMode not throwing an exception anymore in case of a parse error
(regression since 9.5.4).

`v9.5.4`

Use noreferrer for window.open, see #1365. Thanks @rajitbanerjee.
Fix #1363: parsing error contains html characters.
Fix opening the Transform or Sort modal in code mode with invalid JSON
contents not triggering the onError callback (see #1364).
Change the default behavior of error handling to open a basic alert instead
of logging the error in the console (see #1364).

`v9.5.3`

Fix #1356: background of tree mode is transparent instead of white.
Fix #473: enum dropdown not working on referenced schemas and templates,
see #1355. Thanks @mpccolorado.

`v9.5.2`

Fix #675: Relative image urls in CSS replaced with absolute urls by build
script, see #1354. Thanks @esulu.

`v9.5.1`

Fix the font on Ubuntu for real by add the "ubuntu mono" font. See #1405.

`v9.5.0`

Implemented new method JSONEditor.validate(): Promise<ValidationError[]>.
Thanks @ChrisAcrobat.

`v9.4.2`

Fix #1311: exception being thrown under certain conditions when switching
from code mode to preview mode.
Rename spin animation of selectr to prevent conflicts with tailwind,
see #1333. Thanks @mdix.

`v9.4.1`

Improvements in the Korean translation. Thanks @luasenvy.

`v9.4.0`

Added Korean translation. Thanks @luasenvy.
Added Spanish translation. Thanks @joabac.
Fix #1282: JSON schema enum dropdown not working for conditionals like
oneOf, anyOf, allOf. Thanks @maufl.
Fix #1307: losing caret position when calling refresh() during onChange
callback.

`v9.3.1`

Introduced a new sass variable $jse-icons-url, see #1268. Thanks @ppetkow.

`v9.3.0`

Improved Russian translation. Thanks @PunKHS.
Upgraded dependencies to [email protected].

`v9.2.0`

Added Russian translation. Thanks @PunKHS.
Changed shortcut keys for Format and Compact in code mode from Ctrl+\ and
Ctrl+Shift+\ to Ctrl+I and Ctrl+Shift+I respectively, because not all
browsers and operating systems support this key combination.

`v9.1.10`

Fixed resolving a JSON schema reference linking to an other schema, see #1239.
Thanks @Hagartinger.
Upgraded to latest dependencies ([email protected]).

`v9.1.9`

Fix jsoneditor-minimalist bundle being too large. Regression since v9.1.5
(caused by a recent upgrade to Webpack 5). Thanks @cbmgit.

`v9.1.8`

Replaced simple-json-repair with jsonrepair (library was renamed).

`v9.1.7`

Fix #1206: library bundle broken on IE 11, regression introduced in v9.1.6.

`v9.1.6`

Fix #1192: enum dropdown from a JSON schema not rendered when using
additionalProperties. Thanks @maufl.
Fix #1191: clarify docs about configuration option ajv.
Fix #1193: simplify and fix example 20_custom_css_style_for_nodes.html.

`v9.1.5`

Fix #1185: enum dropdown not selecting actual value when this is not a string.
Fix selected value of enum dropdown not updated when changed programmatically.

`v9.1.4`

Fix #1119: list of keys in navigation bar missing a scroll bar.
Thanks @tanmayrajani.

`v9.1.3`

Fix #1158: JSON schema_findSchema not found if using internal references. Thanks @maufl.
Update dependencies: [email protected].

`v9.1.2`

Fix #1126: fire onEvent for boolean checkbox and enum selectbox too.
Log a clear error in the console when the returned value of onEditable is
invalid. See #1112.
Updated dependency to [email protected].
Extract the JSON repair functionality into a separate,
library simple-json-repair with many improvements.

`v9.1.1`

Fixed resolving a JSON schema reference linking to an other schema, see #1239.
Thanks @Hagartinger.
Upgraded to latest dependencies ([email protected]).

`v9.1.0`

Implemented German translation (de). Thanks @s-a.
Fix quick-keys Ctrl-\ (format) and Ctrl-Shift-\ (compact) not working
in code mode.
Updated dependencies to [email protected].

`v9.0.5`

Fix #1090: autocomplete firing on dragging or clicking a node.
Fix #1096: editor crashing when passing an empty string as name.
Updated dependencies to [email protected].

`v9.0.4`

Updated dependencies to [email protected], [email protected].
Fix #1077: change the main field in package.json to point to the actual
bundled and minified file instead of a node.js index file.

`v9.0.3`

Fix regression introduced in v9.0.2 in the select boxes in the
Transform model not lighlighting the matches correctly.

`v9.0.2`

Fix #1029: XSS vulnerabilities. Thanks @onemoreflag for reporting.
Fix #1017: unable to style the color of a value containing a color.
Thanks @p3x-robot.

`v9.0.1`

Fixed broken link to the Ace editor website (https://ace.c9.io/).
Thanks @p3x-robot.
Fix #1027: create IE11 Array polyfills find and findIndex in such a way
that they are not iterable.

`v9.0.0`

Implemented option limitDragging, see #962. This is a breaking change when
using a JSON schema: dragging is more restrictive by default in that case.
Set limitDragging: false to keep the old, non-restricted behavior.

`v8.6.8`

Fix #936: too many return characters inserted when pasting formatted text
from OpenOffice.

`v8.6.7`

Fix #858: the dist/jsoneditor.js bundle containing a link to a
non-existing source map.
Fix #978: in some special cases the caret was jumping to the beginning of the
line whilst typing.
Update dependencies to [email protected].

`v8.6.6`

Fix #969: adding a new property to an empty object or array is broken.
Regression introduced in v8.6.5.

`v8.6.5`

Fix #964: translation of titles of some context menu items not working.
Update dependencies to [email protected], [email protected].

`v8.6.4`

Fix #921: sortObjectKeys emits onChange events.
Fix #946: language not working in modes text, code, and preview.
Revert reckoning with the order of object properties when updating an
object (introduced in v8.6.2). See #917.
Implement support for repairing line separate JSON.

`v8.6.3`

Fix #932: JSONEditor.update broken, did not always recognize when the
input changed. Regression introduced in v8.6.2.

`v8.6.2`

Fixed #917, #926: Keep order of properties when updating an object.
Fixed #928: Custom root name not reflected in path of navigation bar.
Upgraded to [email protected]

`v8.6.1`

Fixed #908: editor throwing an exception when switching from 'preview'
to 'code' mode.

`v8.6.0`

Fixed #906: Implemented turning Python objects containing True, False
and None into valid JSON using repair.

`v8.5.3`

Fix #892: the undo/redo buttons in mode code being broken when custom
loading an old version of Ace Editor.

`v8.5.2`

Fix undo/redo buttons in mode code not always updating.

`v8.5.1`

Fix broken build.

`v8.5.0`

Implemented support for customizing the query language used in the
Transform modal. New options createQuery, executeQuery, and
queryDescription are available for this now. An example is available
in examples/23_custom_query_language.html. See #857, #871.
Implement undo/redo buttons in code mode.
Fix history (undo/redo) being cleared in mode code and text after
transforming or sorting.

`v8.4.1`

Fix console.log in production code. Oopsie.

`v8.4.0`

Added CSS classes jsoneditor-expanded and jsoneditor-collapsed on array
and object nodes reflecting there state.

`v8.3.0`

Update dependency ajv to v6.11.0.
Fix #790: editor breaking when missing a translation containing a
placeholder.

`v8.2.1`

`v8.2.0`

Make it easy to create custom styling by overriding default SASS variable
values, see #881. Thanks @petermanders89.
Update ace to v1.4.8.

`v8.1.2`

Fix #873: buttons Format, Compact, and Repair not supporting
internationalization.
Fix #877: Some CSS styling issues when used in combination with Materialize.
Updated dependency vanilla-picker to v2.10.1.

`v8.1.1`

Fixed the file size reported in preview mode show KB and MB instead
of KiB and MiB in order to match the size reported by filesystems.

`v8.1.0`

Implemented popupAnchor allowing to select a custom anchor element.
See #869 and #870.
Fixed #502: CSS rule * { font-family: ... } resulting in Ace editor (code
mode) not having a mono-space font anymore.

`v8.0.0`

Implemented option timestampFormat which allows customizing the formatting
of timestamp tags. See also option timestampTag. Thanks @smallp.
Changed the behavior of timestampTag to fallback on the built-in rules when
the function does not return a boolean. See #856.
Reverted the heuristics introduced in v7.3.0 to check whether some field
contains a timestamp based on the field name, because they can give wrong
timestamps in case of values in seconds instead of the assumed milliseconds
(see #847, #856).

`v7.5.0`

Extended the callback onValidationError to also report parse errors,
and distinguish between JSON schema validation errors and custom errors.
See #861 and #612. Thanks @meirotstein.

`v7.4.0`

Implemented callback function onValidationError, see #612, #854.
Thanks @meirotstein.
Fixed #850: make autocomplete options robust against non-string inputs
like null, 123, true, false.

`v7.3.1`

Fixed #855: onFocus and onBlur not working in modes text and code
when editor was created without main menu bar, and editor.destroy()
throwing an exception.

`v7.3.0`

Implemented callbacks onFocus and onBlur (PR #809, issue #727).
Thanks @123survesh.
Fixed #847: allow customizing the in rules determining whether a value
is a timestamp or not by passing a callback function to timestampTag.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          Update dependency jsoneditor to v9 [SECURITY]

CLAassistant commented Oct 18, 2021

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

Contributor Author

renovate bot commented Mar 24, 2023 •

edited

Loading

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet