Commit 301e494
Update dependency yard to v0.9.42 [SECURITY] (#799)
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [yard](https://yardoc.org) ([changelog](https://rubydoc.info/gems/yard/file/CHANGELOG.md)) | `0.9.41` → `0.9.42` | | |
### GitHub Vulnerability Alerts
#### [GHSA-3jfp-46x4-xgfj](https://redirect.github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj)
### Impact
A path traversal vulnerability was discovered in YARD <= 0.9.41 when
using yard server to serve documentation. This bug would allow
unsanitized HTTP requests to access arbitrary files on the machine of a
yard server host under certain conditions.
The original patch in
[GHSA-xfhh-rx56-rxcr](https://redirect.github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr)
was incorrectly applied.
### Patches
Please upgrade to YARD v0.9.42 immediately if you are relying on yard
server to host documentation in any untrusted environments without
WEBrick and rely on `--docroot`.
### Workarounds
For users who cannot upgrade, it is possible to perform path
sanitization of HTTP requests at your webserver level. WEBrick, for
example, can perform such sanitization by default (which you can use via
yard server -s webrick), as can certain rules in your webserver
configuration.
##### Severity
- CVSS Score: 6.9 / 10 (Medium)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N`
---
### Configuration
📅 **Schedule**: (in timezone Asia/Tokyo)
- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/line/line-bot-sdk-ruby).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

1 parent d57d473
commit 301e494
1 file changed (+1 -1 lines changed)

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
153 | 153 | | |
154 | 154 | | |
155 | 155 | | |
156 | | - | |
| 156 | + | |
157 | 157 | | |
158 | 158 | | |
159 | 159 | | |
| |||
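Review bot: the hunk content is missing from this rendering; only the line numbers survive (original line 156 removed, new line 156 added), so the change cannot be reviewed here beyond confirming it is a one-line replacement in a single file. Verify that the replaced line is the yard pin moving from 0.9.41 to 0.9.42 as the title states, and that no other file still references 0.9.41.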